Ticket #11 (assigned defect)

Opened 4 years ago

Last modified 3 years ago

error while logging in with SmugMug OpenID identifier

Reported by: avodonosov Owned by: mpasternacki
Priority: major Milestone:
Component: code Version:
Keywords: Cc:

Description

I have tested our RP prototype with various providers listed at http://openid.net/get/. All of them I tested so far work OK, except for SmugMug.

When logging into our test RP with a SmugMug OpenID identifier, an error appears: OpenID assertion error: Invalid signature.

LiveJournal is able to log in with this ID.

Account details: ID: http://clopenid.smugmug.com email: clopenid@… password: verysecret123

This is a 14-day trial account; it will expire on August 03 2008.

Backtrace:

[2008-07-19 20:10:50] 87.252.227.42 - "GET /cl-openid/ HTTP/1.1" 200 518 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16"
[2008-07-19 20:10:55 [DEBUG]] Associating v1-compatible with http://www.smugmug.com/services/openid/server/ (assoc "HMAC-SHA1", session "DH-SHA1")
[2008-07-19 20:10:56] 87.252.227.42 - "GET /cl-openid/?openid_identifier=http%3A%2F%2Fclopenid.smugmug.com&openid_action=Login HTTP/1.1" 302 706 "http://myhost:4242/cl-openid/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16"
[2008-07-19 20:10:59 [ERROR]] OpenID assertion error: Invalid signature
0: (BACKTRACE 536870911 #<SB-IMPL::STRING-OUTPUT-STREAM {AC8C089}>)
1: (HUNCHENTOOT:GET-BACKTRACE #<unavailable argument>)
2: ((LAMBDA (COND)) #<CL-OPENID::OPENID-ASSERTION-ERROR {AC87089}>)
3: ((LAMBDA (COND)) #<CL-OPENID::OPENID-ASSERTION-ERROR {AC87089}>)
4: (SIGNAL #<CL-OPENID::OPENID-ASSERTION-ERROR {AC87089}>)
5: (ERROR CL-OPENID::OPENID-ASSERTION-ERROR)
6: (CL-OPENID::HANDLE-INDIRECT-REPLY
     (("openid.mode" . "id_res")
      ("openid.identity" . "http://clopenid.smugmug.com/") ("openid.return_to" . "http://myhost:4242/cl-openid/ID1") ("openid.assoc_handle" . "8398644882829021ef7") ("openid.signed" . "mode,identity,return_to") ("openid.sig" . "tHfd+BICtd4hMNWPR5aA/8b2o/c="))
     ((:RETURN-TO . #<PURI:URI http://myhost:4242/cl-openid/ID1>)
      (:TIMESTAMP . 3425501455) (:PROTOCOL-VERSION 1 . 1)
      (:OP-ENDPOINT-URL . #<PURI:URI http://www.smugmug.com/services/openid/server/>)
      (:CLAIMED-ID . #<PURI:URI http://clopenid.smugmug.com/>)))
7: (CL-OPENID::HANDLE-OPENID-REQUEST
     #<PURI:URI http://myhost:4242/cl-openid/> #<PURI:URI http://myhost:4242>
     (("openid.mode" . "id_res")
      ("openid.identity" . "http://clopenid.smugmug.com/") ("openid.return_to" . "http://myhost:4242/cl-openid/ID1") ("openid.assoc_handle" . "8398644882829021ef7") ("openid.signed" . "mode,identity,return_to") ("openid.sig" . "tHfd+BICtd4hMNWPR5aA/8b2o/c="))
     "ID1")
8: ((LAMBDA ()))
9: (HUNCHENTOOT::PROCESS-REQUEST
     ((:HOST . "myhost:4242")
      (:USER-AGENT . "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16")
      (:ACCEPT . "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5")
      (:ACCEPT-LANGUAGE . "ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3") (:ACCEPT-ENCODING . "gzip,deflate") (:ACCEPT-CHARSET . "windows-1251,utf-8;q=0.7,*;q=0.7") (:KEEP-ALIVE . "300") (:CONNECTION . "keep-alive") (:REFERER . "http://myhost:4242/cl-openid/"))
     #<FLEXI-STREAMS:FLEXI-IO-STREAM {AC2C4C1}> :GET "/cl-openid/ID1?openid.mode=id_res&openid.identity=http://clopenid.smugmug.com/&openid.return_to=http://myhost:4242/cl-openid/ID1&openid.assoc_handle=8398644882829021ef7&openid.signed=mode,identity,return_to&openid.sig=tHfd%2BBICtd4hMNWPR5aA%2F8b2o%2Fc%3D" :HTTP/1.1)
10: (HUNCHENTOOT::PROCESS-CONNECTION
     #<HUNCHENTOOT::SERVER {B7EC6D1}> #<SB-BSD-SOCKETS:INET-SOCKET descriptor 8 {AC23859}>)
11: ((FLET SB-THREAD::WITH-MUTEX-THUNK))
12: (SB-UNIX::CALL-WITH-LOCAL-INTERRUPTS #<CLOSURE (FLET SB-UNIX::WITH-LOCAL-INTERRUPTS-THUNK) {B574209D}> T)
13: ((FLET SB-UNIX::WITHOUT-INTERRUPTS-THUNK) T)
14: ((FLET SB-UNIX::RUN-WITHOUT-INTERRUPTS))
15: (SB-UNIX::CALL-WITHOUT-INTERRUPTS #<CLOSURE (FLET SB-UNIX::WITHOUT-INTERRUPTS-THUNK) {B574218D}>)
16: (SB-THREAD::CALL-WITH-MUTEX
     #<CLOSURE (FLET SB-THREAD::WITH-MUTEX-THUNK) {B5742215}>
     #S(SB-THREAD:MUTEX :NAME "thread result lock" :%OWNER #<SB-THREAD:THREAD "hunchentoot-worker-2" {AC245B1}> :STATE 1)
     #<SB-THREAD:THREAD "hunchentoot-worker-2" {AC245B1}> T)
17: ((LAMBDA ()))
18: ("foreign function: #x806398C")
19: ("foreign function: #x8051E61")
20: ("foreign function: #x805B44D")
21: ("foreign function: #xB7FC8FDA")
[2008-07-19 20:10:59] 87.252.227.42 - "GET /cl-openid/ID1?openid.mode=id_res&openid.identity=http://clopenid.smugmug.com/&openid.return_to=http://myhost:4242/cl-openid/ID1&openid.assoc_handle=8398644882829021ef7&openid.signed=mode,identity,return_to&openid.sig=tHfd%2BBICtd4hMNWPR5aA%2F8b2o%2Fc%3D HTTP/1.1" 500 298 "http://myhost:4242/cl-openid/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16"

Change History

Changed 3 years ago by mpasternacki

  • status changed from new to assigned

Seems to be a bug in SmugMug's code. Started a thread on SmugMug's support forum: http://www.dgrin.com/showthread.php?p=896451

Changed 3 years ago by avodonosov

If it is a SmugMug bug, LiveJournal should not work with it either, but it works.

Changed 3 years ago by mpasternacki

On the SmugMug support forum I saw users reporting that only a few RPs work with their ID (of which only LiveJournal has been mentioned explicitly), and many RPs fail. Python-openid, which I use as a reference implementation, fails in "smart" mode (with associations), but everything works in stateless mode (signature verification by direct request to the OP). It is possible that the services that work just use stateless mode, and it might be a good workaround to simply ignore failed association attempts and go on with stateless mode.

What SmugMug passes as mac_key is evidently not the Base64-encoded array required by the spec (it's 19 characters long and not padded with = signs); it looks like a hex number, but however I try to interpret it, I can't get signatures working. I'll see if anybody on their support forum replies to my report.
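As an added example (not cl-openid's or python-openid's code), this is the "smart"-mode check the comments above describe: the mac_key is validated as the Base64-encoded 20-byte HMAC-SHA1 key the spec requires before it is used, the openid.sig is recomputed over the key-value form of the openid.signed fields, and an undecodable key (such as a 19-character unpadded value) makes the RP fall back to stateless verification instead of guessing. All keys, handles and URLs are constructed sample values.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed 20-byte HMAC-SHA1 key, Base64-encoded the way an OP returns it in mac_key.
SAMPLE_MAC_KEY_B64 = base64.b64encode(b"0123456789abcdefghij").decode()


def decode_mac_key(mac_key_b64, expected_len=20):
    """Decode an association's mac_key as the spec requires: Base64 of the raw key bytes.

    For HMAC-SHA1 the decoded key must be exactly 20 bytes. Returns None when the value
    cannot be a valid key (not valid/padded Base64, or wrong length), so the RP can
    discard the association and verify statelessly instead of interpreting it ad hoc.
    """
    try:
        key = base64.b64decode(mac_key_b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    return key if len(key) == expected_len else None


def signed_kv_form(params, signed):
    """Key-value form over the fields named in openid.signed, in the order given."""
    return "".join(f"{field}:{params['openid.' + field]}\n" for field in signed.split(","))


def compute_sig(params, mac_key):
    """HMAC-SHA1 over the key-value form, Base64-encoded, as OpenID 1.1 expects in openid.sig."""
    msg = signed_kv_form(params, params["openid.signed"]).encode()
    return base64.b64encode(hmac.new(mac_key, msg, hashlib.sha1).digest()).decode()


def verify_assertion(params, mac_key_b64):
    """'valid' / 'invalid' when the association is usable, 'stateless' when it is not.

    'stateless' means the RP should confirm the assertion with a direct
    check_authentication request to the OP rather than accept or reject it
    on the strength of a key it could not decode.
    """
    key = decode_mac_key(mac_key_b64)
    if key is None:
        return "stateless"
    expected = compute_sig(params, key)
    return "valid" if hmac.compare_digest(expected, params["openid.sig"]) else "invalid"
```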

Changed 3 years ago by mpasternacki

  • version 0.5 nonportable deleted
  • milestone HTTP client portability deleted