Opened 13 years ago
Closed 13 years ago
#18 closed defect (fixed)
LiveJournal error response with HTTP status 200
Reported by: | avodonosov | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | code | Version: | 1.0 portable |
Keywords: | | Cc: | |
Description
Livejournal OpenID provider started to violate the spec (as I read it) by returning error response with HTTP status code 200 OK.
When I tested Livejournal with cl-openid last time, it worked OK, but now it doesn't work.
The relevant code: association.lisp, the function ASSOCIATE. It performs DIRECT-REQUEST and expects it to signal an OPENID-REQUEST-ERROR if the provider does not support the requested session type or association type ("error_code" = "unsupported-type"). In this case the condition handler retries the association request.
The DIRECT-REQUEST only signals the error if the HTTP request status is not 200.
But livejournal returns HTTP 200 OK and the message body contains "error_code" = "unsupported-type".
I think it's a violation of the spec (see 5.1.2.2. Error Responses in the end of this section: http://openid.net/specs/openid-authentication-2_0.html#direct_comm and 8.2.4. Unsuccessful Response Parameters in the end of this section: http://openid.net/specs/openid-authentication-2_0.html#anchor20). Error responses must always be sent with status 400.
But we have no other choice than to support the livejournal behaviour.
I am not sure where to handle it:
- Inside DIRECT-REQUEST, in addition to the HTTP status != 200, we may signal an error if the response message contains an "error" attribute.
- In the ASSOCIATE function, we might in addition to condition handler for OPENID-REQUEST-ERROR check that the message has attributes "error"; and if "error_code" = "unsupported-type" then retry the request with adjusted parameters.
As the section 5.1.2.2. "Error Responses" (http://openid.net/specs/openid-authentication-2_0.html#direct_comm) specifies that the "error" attribute is mandatory for error responses, the variant 1 seems to be acceptable.
Fixed by adding a check for the "error" attribute in the response in the DIRECT-REQUEST function (even if the HTTP status code is 200 OK).
Now LiveJournal OpenID authentication works OK.
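The following is an added illustration of the fix described in this ticket, not cl-openid's own code: a Key-Value Form parser for OpenID 2.0 direct responses that signals an error when either the HTTP status is not 200 or the body carries the mandatory "error" key, plus a single retry on "error_code" = "unsupported-type". The fallback types (HMAC-SHA1 / DH-SHA1), the `send` callable and the constructed LiveJournal stand-in are assumptions for the example.

```python
# Added example, not cl-openid's code. Mirrors variant 1 from the ticket:
# the "error" key check lives in the direct-request layer, independent of
# the HTTP status code, so a provider that answers 200 OK with an error
# body is still treated as an error.

class OpenIDRequestError(Exception):
    """Direct-communication error response (spec 5.1.2.2)."""
    def __init__(self, message, error_code=None):
        super().__init__(message)
        self.error_code = error_code


def parse_kv_form(body):
    """Parse Key-Value Form Encoding: one "key:value" pair per line."""
    result = {}
    for line in body.split("\n"):
        if not line:
            continue  # tolerate the trailing newline
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed key-value line: %r" % line)
        result[key] = value
    return result


def parse_direct_response(status, body):
    """Return the parsed message or raise OpenIDRequestError.
    The "error" key is checked even when status == 200 (the LiveJournal case)."""
    message = parse_kv_form(body)
    if status != 200 or "error" in message:
        raise OpenIDRequestError(message.get("error", "HTTP status %d" % status),
                                 message.get("error_code"))
    return message


def associate(send, assoc_type="HMAC-SHA256", session_type="DH-SHA256"):
    """Run one association attempt through `send` (assumed callable:
    (assoc_type, session_type) -> (status, body)); retry exactly once with
    the assumed fallback types when the provider reports unsupported-type."""
    try:
        return parse_direct_response(*send(assoc_type, session_type))
    except OpenIDRequestError as err:
        if err.error_code != "unsupported-type":
            raise
        return parse_direct_response(*send("HMAC-SHA1", "DH-SHA1"))


def fake_livejournal(assoc_type, session_type):
    """Constructed stand-in reproducing the reported behaviour: an error
    response delivered with HTTP 200 until the weaker types are requested."""
    if assoc_type != "HMAC-SHA1":
        return 200, "ns:http://specs.openid.net/auth/2.0\nerror:unsupported\nerror_code:unsupported-type\n"
    return 200, ("ns:http://specs.openid.net/auth/2.0\nassoc_handle:constructed-handle\n"
                 "assoc_type:HMAC-SHA1\nsession_type:DH-SHA1\n")
```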