We've been testing the latest version of ruby-openid in our development environment and found that we are no longer able to successfully complete login. We started seeing
Unexpected OpenID response: #<OpenID::Consumer::FailureResponse:0x000055e490435880 @endpoint=nil, @message="Unable to contact OpenID server: bad URI(is not URI?): nil", @contact=nil, @reference=nil>
in our logs, which led us to find out that #121 broke our login flow (note that `endpoint` is nil).
Here is what we are doing:
- Discover the OpenID endpoint to log in to (`OpenID::OpenIDServiceEndpoint`).
- Create an `OpenID::Consumer` to generate an `OpenID::Consumer::CheckIDRequest` (without discovery).
- Add the attributes we want about the user (Attribute Exchange extension) to the request.
- Add the OAuth (`OpenID::OAuth::Request`) extension to the request.
- Redirect to the constructed OpenID login URL.
- Receive the callback.
- Call the `complete` method on the consumer.
- Validate the OpenID response and that we received all of the requested attributes.
As it turns out, the call to `complete` calls `handle_idres`, which calls `id_res`, and that is where the problem occurs, because the verification makes assumptions that are no longer true. When `verify_discovery_results` ran before `check_signature`, `@endpoint` was either already set or discovery was performed and set it. However, now that `check_signature` is called first, `@store` is nil, so `assoc` is set to nil, and that triggers a call to `check_auth`. But `check_auth` can never succeed because the `make_kv_post` method has no endpoint to call, thus preventing successful response validation and preventing login.
We were able to work around this by locking down to 2.8.0. I do realize that the change made in #121 was for security reasons, but we're not sure how to proceed.
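To make the ordering problem in the report concrete, here is a constructed Ruby model of the two verification orders (added here; it is not ruby-openid's code, and the class, lambdas and sample response are stand-ins). It shows that once signature checking runs first, a stateless consumer (no association in the store) only succeeds when it already knows the endpoint.

```ruby
# Constructed model of the verification order described above; NOT ruby-openid's code.
class NoEndpointError < StandardError; end
class IdResModel
  # store: nil or Hash { assoc_handle => secret }; endpoint: nil or server URL;
  # discover / kv_post: stand-ins for discovery and the check_authentication round trip
  def initialize(response, store:, endpoint:, discover:, kv_post:)
    @response, @store, @endpoint = response, store, endpoint
    @discover, @kv_post = discover, kv_post
  end

  # Fills in @endpoint via discovery when the consumer did not supply one
  def verify_discovery_results
    @endpoint ||= @discover.call(@response[:claimed_id])
  end

  # With an association in the store the signature is checked locally; otherwise
  # stateless mode falls back to check_auth, which needs a server to talk to
  def check_signature
    assoc = @store && @store[@response[:assoc_handle]]
    assoc ? @response[:sig] == assoc : check_auth
  end

  def check_auth
    raise NoEndpointError, 'make_kv_post has no endpoint to call' if @endpoint.nil?
    @kv_post.call(@endpoint, @response)
  end

  # :discovery_first is the pre-#121 order described in the report, :signature_first the new one
  def id_res(order)
    if order == :discovery_first
      verify_discovery_results
      check_signature
    else
      valid = check_signature
      verify_discovery_results
      valid
    end
  end
end
# Constructed sample response and stand-ins for the network steps
RESPONSE = { claimed_id: 'https://idp.example/u/alice', assoc_handle: 'h1', sig: 'ok' }.freeze
DISCOVER = ->(_claimed_id) { 'https://idp.example/openid' }
KV_POST  = ->(_endpoint, resp) { resp[:sig] == 'ok' }
# Returns true/false from verification, or the error message when check_auth has no endpoint
def verify(order, store: nil, endpoint: nil)
  model = IdResModel.new(RESPONSE, store: store, endpoint: endpoint, discover: DISCOVER, kv_post: KV_POST)
  model.id_res(order)
rescue NoEndpointError => e
  e.message
end
```

In this model `verify(:signature_first)` fails exactly as the log line above does, while supplying the endpoint found in the discovery step, or holding an association in the store, lets the signature-first order complete.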