Yahoo OpenID has extra security constraints

Posted by face on March 05, 2008


I have a feeling this will help some of y’all if you are getting the following error:

Sorry! Something is not quite right with the request we received from the website you are trying to use. Please try again in a few minutes. If this error persists, please contact the site administrator for the website you are trying to use. If you are the site administrator, click here to contact us.

I get this error if I try to log in on my development environment because localhost:3000 just won’t cut it for Yahoo’s OpenID security policy. If I run from a production URL on port 80, say http://myutil.com/, then sign-in works (though I haven’t gotten Simple Registration or Attribute Exchange working with Yahoo).

From the Yahoo OpenID Developers FAQ, under “Yahoo! Security Policies”:

Yahoo! will only support Relying Parties running on webservers with real hostnames (IP addresses are not supported) running on standard ports (Port 80 for HTTP and Port 443 for HTTPS).
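As an added pre-flight check (not from the original post or from Yahoo), the small Ruby function below tests a relying-party URL against the two constraints the FAQ states: the host must be a real hostname rather than an IP literal, and the port must be the standard one for the scheme. Treating a dot-less hostname such as localhost as “not a real hostname” is this example’s own assumption; the FAQ only rules out IP addresses.

```ruby
require 'uri'
require 'ipaddr'

# Returns an array of problem strings for a relying-party URL under Yahoo's
# stated policy (real hostname, standard port). Empty array means it passes.
# Assumption made for this example: a host with no dot (e.g. "localhost") is
# treated as not a real hostname, which Yahoo's FAQ does not say explicitly.
def yahoo_rp_policy_problems(url)
  problems = []
  uri = URI.parse(url)

  unless %w[http https].include?(uri.scheme.to_s)
    return ["scheme must be http or https, got #{uri.scheme.inspect}"]
  end

  # URI#host keeps the brackets around IPv6 literals; strip them for IPAddr.
  host = uri.host.to_s.sub(/\A\[(.*)\]\z/, '\1')
  if host.empty?
    problems << "URL has no host"
  elsif ip_literal?(host)
    problems << "host #{host} is an IP address; Yahoo requires a real hostname"
  elsif !host.include?('.')
    problems << "host #{host} has no domain part (e.g. localhost); assumed not a real hostname"
  end

  # URI#port falls back to the scheme default when the URL names no port.
  expected_port = uri.scheme == 'https' ? 443 : 80
  if uri.port != expected_port
    problems << "port #{uri.port} is non-standard; #{uri.scheme} must use port #{expected_port}"
  end

  problems
rescue URI::InvalidURIError => e
  ["unparseable URL: #{e.message}"]
end

# IPAddr parses IPv4 and IPv6 literals only; hostnames raise.
def ip_literal?(host)
  IPAddr.new(host)
  true
rescue IPAddr::InvalidAddressError, ArgumentError
  false
end

if __FILE__ == $PROGRAM_NAME
  %w[http://localhost:3000/ http://myutil.com/ http://192.168.1.10/ https://myutil.com:8443/].each do |u|
    probs = yahoo_rp_policy_problems(u)
    puts "#{u}: #{probs.empty? ? 'OK' : probs.join('; ')}"
  end
end
```

Run it against the realm and return_to URLs your relying party sends; localhost:3000 fails on both counts, which matches the error above, while http://myutil.com/ passes.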

Hope this saves ya some time!



OpenID-2.0.2 with Rails-2.0.2

Posted by face on December 29, 2007

OpenID makes sense. Dr. Nick’s multi-OpenIDs per user example app makes even more sense.

In the middle of integrating it into my project, gem-1.0.1 came out and broke ruby-openid-1.1.4. Dr. Nick’s great example no longer worked!

A little digging showed that Dr. Nick’s example uses the standard open_id_authentication plugin. A patch that makes the plugin work with ruby-openid-2.0.2 and Rails 2 can be found here.

So in a nutshell, I grabbed openidauth_multiopenid-0.3.2 from Dr. Nick and removed a bunch of stuff from vendor/plugins. I updated Rakefile, config/boot.rb, and config/environment.rb for rails 2.0.2, patched vendor/plugins/open_id_authentication for ruby-openid-2.0.2, regenerated db/migrate/002_add_open_id_authentication_tables.rb, and installed ruby-openid-2.0.2 as a system gem.

As a little code is worth more than a thousand words, here is Dr. Nick’s example application fully ported to rails 2.0.2 in ZIP and TAR.gz.

For my port of Dr. Nick’s example above to work, you will need rails-2.0.2 and ruby-openid-2.0.2 installed as gems.

Security Update: January 4th, 2008. I noticed the example adds edit, update, and destroy to users_controller.rb using params[:id], thus allowing any logged-in user to edit, update, and destroy any user of the system. To fix, simply change the first line of edit, update, and destroy to use the currently logged-in user instead of the id from the URL (i.e. @user = User.find(self.current_user.id)).

Another Update: February 27th, 2008. One of my clients noticed that the user_openids_controller’s index method finds all OpenIDs for all users if you surf to the user_openids URL. To fix, change the find in user_openids_controller.index to @user_openids = UserOpenid.find_all_by_user_id(@user.id). I think it’s time I put this example under SVN and apply these security updates…
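To show both holes from the two updates above and their fixes side by side without a Rails install, here is an added example that is not Dr. Nick’s code or the plugin’s: in-memory stand-ins for the User and UserOpenid models, plain-Ruby controller objects that take params and current_user the way the Rails actions do, and a constructed pair of users. The names ControllerStub, seed!, scenario and the two sample OpenID URLs are this example’s own.

```ruby
class RecordNotFound < StandardError; end

# Minimal in-memory stand-in for the User ActiveRecord model.
class User
  ALL = {}
  attr_reader :id, :login

  def initialize(id, login)
    @id, @login = id, login
    ALL[id] = self
  end

  def self.find(id)
    ALL.fetch(Integer(id)) { raise RecordNotFound, "User id=#{id}" }
  end

  def destroy
    ALL.delete(id)
    UserOpenid::ALL.delete_if { |o| o.user_id == id }
  end
end

# Stand-in for the UserOpenid model (one row per OpenID URL per user).
class UserOpenid
  ALL = []
  attr_reader :user_id, :openid_url

  def initialize(user_id, openid_url)
    @user_id, @openid_url = user_id, openid_url
    ALL << self
  end

  def self.find_all                      # what the original index did: every row
    ALL.dup
  end

  def self.find_all_by_user_id(user_id)  # the dynamic finder the fix uses
    ALL.select { |o| o.user_id == user_id }
  end
end

# Controller stand-in: params is the request, current_user the session owner.
class ControllerStub
  attr_reader :current_user, :params
  def initialize(current_user, params)
    @current_user, @params = current_user, params
  end
end

class UsersController < ControllerStub
  # BEFORE: the record comes from the URL, so any logged-in user can name any id.
  def destroy_vulnerable
    @user = User.find(params[:id])
    @user.destroy
    @user
  end

  # AFTER (the fix from the update): only the caller's own record is reachable;
  # params[:id] is deliberately ignored.
  def destroy_fixed
    @user = User.find(current_user.id)
    @user.destroy
    @user
  end
end

class UserOpenidsController < ControllerStub
  def index_vulnerable     # BEFORE: lists every user's OpenIDs
    UserOpenid.find_all
  end

  def index_fixed          # AFTER: scoped to the session owner
    UserOpenid.find_all_by_user_id(current_user.id)
  end
end

# Constructed sample data: alice is user 1, mallory user 2, one OpenID each.
def seed!
  User::ALL.clear
  UserOpenid::ALL.clear
  alice   = User.new(1, 'alice')
  mallory = User.new(2, 'mallory')
  UserOpenid.new(1, 'http://alice.myopenid.com/')
  UserOpenid.new(2, 'http://mallory.myopenid.com/')
  [alice, mallory]
end

# Mallory, logged in, requests GET /user_openids and then DELETE /users/1.
def scenario(version)
  _alice, mallory = seed!
  params = { :id => '1' }
  listed = UserOpenidsController.new(mallory, params).send("index_#{version}").map(&:openid_url)
  gone   = UsersController.new(mallory, params).send("destroy_#{version}").login
  { :openids_listed => listed, :user_destroyed => gone, :alice_survives => User::ALL.key?(1) }
end

if __FILE__ == $PROGRAM_NAME
  p scenario(:vulnerable)  # mallory sees both OpenIDs and deletes alice
  p scenario(:fixed)       # mallory sees only her own and can only delete herself
end
```

In the real app `@user = current_user` does the same job as `User.find(current_user.id)` without a second query; the property that matters is that the record an action operates on is never selected by an id the client supplies in the URL.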

It should look something like this under rails 2.0.2:

References:

http://drnicwilliams.com/2007/07/26/sample-app-rails-multiple-openids-per-user/
http://dev.rubyonrails.org/ticket/10604
http://openidenabled.com/ruby-openid/
http://svn.rubyonrails.org/rails/plugins/open_id_authentication/
http://openid.net/

