Description

When attempting to log in to stackoverflow.com via OpenID, I get a 403 error with the text 'verification failed'.

I am able to log in to other sites, such as sourceforge.net.

Steps to reproduce

  1. visit http://meta.stackoverflow.com/users/login

  2. Enter https://robots.org.uk/ as the OpenID

    • you don't need to be logged into my wiki to try this

The bug appears to be in MoinMoin's handling of the #openiduser directive.

Component selection

  • OpenID support

Details

MoinMoin Version

1.9.2

OS and Version

Debian GNU/Linux 5.0

Python Version

2.5.2

Server Setup

fcgi

Server Details

Apache 2.2

Workaround

One of the following:

  • Add HomePage to !OpenIDGroup

  • Avoid use of #openiduser directive

Discussion

Line 146 of _verify_endpoint_identity is returning False. I logged the parameters of the test performed on line 145, while logging into stackoverflow.com:

OpenIDGroup

HomePage

<<class 'MoinMoin.datastruct.backends.wiki_groups.WikiGroup'> name=OpenIDGroup members=set([u'sam']) member_groups=set([])>

and sourceforge.net:

OpenIDGroup

sam

<<class 'MoinMoin.datastruct.backends.wiki_groups.WikiGroup'> name=OpenIDGroup members=set([u'sam']) member_groups=set([])>

Note that when stackoverflow.com performs the request, received_name is not correct. It's the name of the page with the #openiduser directive, not the name of the user referenced in the directive!

If you're doing the "identifier select" using Moin as identity provider, you may come across a bug which I have reported and attempted to patch: see here for details. -- PaulBoddie 2011年03月26日 18:55:14

  • Sorry, I don't know enough about the workings of !OpenID to know if I'm using "identifier select". Can you give me a hint? :)

    • Now you're asking me to remember things! :) I think you must be using "identifier select". What happens is that when you're redirected, you should be shown the "Trust root", "Identity URL", "Name", and the "Approve" and "Don't approve" buttons for the username you specified in the #OpenIDUser directive. I just tested this on my own Wiki (after struggling to remember what went where!) and it worked:

      1. Chose the login action on the relying party Wiki.

      2. Entered https://localhost/provider/AlternativeOpenIDURL which is the identity page on the provider Wiki.

      3. Got the approval page on the provider Wiki.
      4. Selected "Approve".
      5. Got sent back to the relying party Wiki and was asked which username to use on that Wiki.
      6. The username was then associated with the specified identity URL.

      The received_name should get replaced by the username from the directive, but it will be the page name initially. -- PaulBoddie 2011年11月16日 22:56:54

Plan

  • Priority:
  • Assigned to:
  • Status:

CategoryMoinMoinBug

MoinMoin: MoinMoinBugs/OpenIDVerificationFailedForStackOverflow (last edited 2011年11月16日 22:56:55 by PaulBoddie )

AltStyle によって変換されたページ (->オリジナル) /