
Opened 14 years ago

Closed 14 years ago

#18 closed defect (fixed)

LiveJournal error response with HTTP status 200

Reported by: avodonosov
Owned by:
Priority: major
Milestone:
Component: code
Version: 1.0 portable
Keywords:
Cc:

Description

LiveJournal OpenID provider started to violate the spec (as I read it) by returning error response with HTTP status code 200 OK.

When I tested LiveJournal with cl-openid last time, it worked OK, but now it doesn't work.

The relevant code: association.lisp, the function ASSOCIATE. It performs DIRECT-REQUEST and expects it to signal an OPENID-REQUEST-ERROR if the provider does not support the requested session type or association type ("error_code" = "unsupported-type"). In this case the condition handler retries the association request.

The DIRECT-REQUEST only signals the error if the HTTP request status is not 200.

But LiveJournal returns HTTP 200 OK and the message body contains "error_code" = "unsupported-type".

I think it's a violation of the spec (see 5.1.2.2. Error Responses in the end of this section: http://openid.net/specs/openid-authentication-2_0.html#direct_comm and 8.2.4. Unsuccessful Response Parameters in the end of this section: http://openid.net/specs/openid-authentication-2_0.html#anchor20). Error responses must always be sent with status 400.

But we have no other choice than to support the LiveJournal behaviour.

I am not sure where to handle it:

  1. Inside of the DIRECT-REQUEST, in addition to the HTTP status != 200, we may signal an error if the response message contains "error" attribute.
  2. In the ASSOCIATE function, we might in addition to condition handler for OPENID-REQUEST-ERROR check that the message has attributes "error"; and if "error_code" = "unsupported-type" then retry the request with adjusted parameters.

As the section 5.1.2.2. "Error Responses" (http://openid.net/specs/openid-authentication-2_0.html#direct_comm) specifies that the "error" attribute is mandatory for error responses, the variant 1 seems to be acceptable.

Change History (1)

comment:1 Changed 14 years ago by avodonosov

Resolution: fixed
Status: new → closed

Fixed by adding a check for the "error" attribute in the response in the DIRECT-REQUEST function (even if the HTTP status code is 200 OK).

Now LiveJournal OpenID authentication works OK.
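The check the fix describes (treat a direct response as an error when the HTTP status is not 200 or the body carries the mandatory "error" field), together with the unsupported-type retry the description mentions, as an added Python example rather than cl-openid's own Lisp code. `parse_kv`, `fake_livejournal`, the default association types and the single retry are assumptions made for the example, not taken from cl-openid.

```python
class OpenIDRequestError(Exception):
    """Signalled for an OpenID direct-response error (bad status or 'error' key)."""
    def __init__(self, message, fields):
        super().__init__(message)
        self.fields = fields

def parse_kv(body):
    """Parse Key-Value form: one 'key:value' per line (OpenID 2.0 sec. 4.1.1)."""
    fields = {}
    for line in body.split("\n"):
        if line:
            key, sep, value = line.partition(":")
            if not sep:
                raise ValueError("malformed key-value line: %r" % line)
            fields[key] = value
    return fields

def check_direct_response(status, body):
    """Return the parsed fields, or raise if the response is an error.

    The spec mandates status 400 for errors, but LiveJournal answers 200,
    so the mandatory 'error' field is checked as well (the ticket's fix)."""
    fields = parse_kv(body)
    if status != 200 or "error" in fields:
        raise OpenIDRequestError(fields.get("error", "HTTP %d" % status), fields)
    return fields

def associate(send, assoc_type="HMAC-SHA256", session_type="DH-SHA256"):
    """Request an association; on unsupported-type retry once with the
    alternatives the OP suggests (sec. 8.2.4). Defaults are assumptions."""
    for _ in range(2):
        try:
            return check_direct_response(*send(assoc_type, session_type))
        except OpenIDRequestError as err:
            if err.fields.get("error_code") != "unsupported-type":
                raise
            assoc_type = err.fields.get("assoc_type", assoc_type)
            session_type = err.fields.get("session_type", session_type)
    raise OpenIDRequestError("association failed after retry", {})

def fake_livejournal(assoc_type, session_type):
    """Constructed stand-in for the OP: answers 200 OK even for errors."""
    if session_type != "DH-SHA1":
        return 200, ("ns:http://specs.openid.net/auth/2.0\nerror:Unsupported session\n"
                     "error_code:unsupported-type\nsession_type:DH-SHA1\n"
                     "assoc_type:HMAC-SHA1\n")
    return 200, ("ns:http://specs.openid.net/auth/2.0\nassoc_handle:constructed-1\n"
                 "assoc_type:HMAC-SHA1\nsession_type:DH-SHA1\nexpires_in:1209600\n")
```

Checking only the HTTP status would have returned the 200 error body from `fake_livejournal` as if it were a successful association; the "error" key check is what makes the retry fire.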
