Description
When attempting to log in to stackoverflow.com via OpenID, I get a 403 error with the text 'verification failed'.
I am able to log in to other sites, such as sourceforge.net.
Steps to reproduce
Enter https://robots.org.uk/ as the OpenID
- you don't need to be logged into my wiki to try this
The bug appears to be in MoinMoin's handling of the #openiduser directive.
Component selection
- OpenID support
Details
MoinMoin Version | 1.9.2
OS and Version | Debian GNU/Linux 5.0
Python Version | 2.5.2
Server Setup | fcgi
Server Details | Apache 2.2
Workaround
One of the following:
- Add HomePage to OpenIDGroup
- Avoid use of #openiduser directive
Discussion
Line 146 of _verify_endpoint_identity is returning False. I logged the parameters of the test performed on line 145, while logging into stackoverflow.com:
OpenIDGroup | HomePage | <<class 'MoinMoin.datastruct.backends.wiki_groups.WikiGroup'> name=OpenIDGroup members=set([u'sam']) member_groups=set([])>
and sourceforge.net:
OpenIDGroup | sam | <<class 'MoinMoin.datastruct.backends.wiki_groups.WikiGroup'> name=OpenIDGroup members=set([u'sam']) member_groups=set([])>
Note that when stackoverflow.com performs the request, received_name is not correct. It's the name of the page with the #openiduser directive, not the name of the user referenced in the directive!
If you're doing the "identifier select" using Moin as identity provider, you may come across a bug which I have reported and attempted to patch: see here for details. -- PaulBoddie 2011-03-26 18:55:14
Sorry, I don't know enough about the workings of OpenID to know if I'm using "identifier select". Can you give me a hint?
Now you're asking me to remember things! I think you must be using "identifier select". What happens is that when you're redirected, you should be shown the "Trust root", "Identity URL", "Name", and the "Approve" and "Don't approve" buttons for the username you specified in the #OpenIDUser directive. I just tested this on my own Wiki (after struggling to remember what went where!) and it worked:
- Chose the login action on the relying party Wiki.
- Entered https://localhost/provider/AlternativeOpenIDURL, which is the identity page on the provider Wiki.
- Got the approval page on the provider Wiki.
- Selected "Approve".
- Got sent back to the relying party Wiki and was asked which username to use on that Wiki.
- The username was then associated with the specified identity URL.
The received_name should get replaced by the username from the directive, but it will be the page name initially. -- PaulBoddie 2011-11-16 22:56:54
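A simplified model of the group check discussed above, added here as an illustration and not taken from MoinMoin's source. The page store, the helper names and the directive parsing (case-insensitive, header lines only) are assumptions; the sample data is constructed to mirror the logged values.

```python
# Simplified model of the OpenIDGroup membership check; not MoinMoin's code.
# Helper names, page store and directive parsing are assumptions for illustration.

def directive_user(page_text):
    """Return the user named by an #openiduser line in the page header, or None."""
    for line in page_text.splitlines():
        if not line.startswith("#"):
            break  # assumed: directives only appear before the page body
        parts = line[1:].split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "openiduser":
            return parts[1].strip()
    return None


def check_page_name(received_name, group_members):
    """Behaviour seen in the log: the page name itself is tested against the group."""
    return received_name in group_members


def check_resolved_user(received_name, pages, group_members):
    """Resolve the directive first, then test the resulting user name."""
    user = directive_user(pages.get(received_name, "")) or received_name
    return user in group_members


# Constructed sample data mirroring the values logged in the discussion.
PAGES = {
    "HomePage": "#format wiki\n#openiduser sam\nWelcome to the wiki.\n",
    "sam": "Sam's home page.\n",
    "Other": "#OpenIDUser guest\nA page delegating to a user outside the group.\n",
}
OPENID_GROUP = set([u"sam"])

if __name__ == "__main__":
    for name in ("HomePage", "sam", "Other"):
        print("%s page-name check=%s resolved check=%s" % (
            name,
            check_page_name(name, OPENID_GROUP),
            check_resolved_user(name, PAGES, OPENID_GROUP),
        ))
```

The third page shows that resolving the directive does not loosen the restriction: a page pointing at a user outside the group is still refused.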
Plan
- Priority:
- Assigned to:
- Status: