OpenID Issue: Railo failure to authenticate

Name: Railo failure to authenticate
ID: 11
Project: OpenID
Type: Bug
Area: Code
Severity: High
Status: Fixed
Related URL:
Creator: Jake Feasel
Created: 06/28/12 11:18 AM
Updated: 07/10/12 10:00 PM
Description: Running on the latest stable Railo server (3.3.4), the code has some kind of problem authenticating with the various providers (I've checked google and yahoo). You can just expand the latest release into a Railo-accessible folder and run the test app, and you'll see this behavior. When using Google, you will get back a 400 Bad Request error message. I've traced the source of this error for a bit, and here's what I've found:

Look to line 308 in OpenIDConsumer2.cfc:
On Adobe CF, the call to isValidSignature returns true, and so the call to isValidHandle is never made.
On Railo, the call to isValidSignature returns false, and so the call to isValidHandle IS made, and within that call is where we see the call to CFHTTP which throws the "Bad Request" error.

Based on this, I've been able to trace it further and see that the error is not within the call to isValidSignature - given the same arguments that are provided from a call in ACF, running this function in Railo returns true (just as it does in ACF). And similarly, given the arguments that are provided during a request on Railo, this call returns false (as I already mentioned). So the problem isn't the execution of the function, but rather the parameters provided to it from within the Railo environment.

That's as far as I've made it in the tracing process at this point. It strongly appears that somewhere early in the process (likely related to encryption) the cached openid values are incorrectly produced in Railo, and therefore fail down the line when it comes time to compare the cached values with the values returned from the openid provider.

BTW - with yahoo I don't get the "400 Bad Request" message, I just get an "Invalid authentication" message (even though I did authenticate correctly within yahoo). I assume it is related, but I haven't stepped through the execution as carefully in this case to verify that.
History: Created by jfeasel (Jake Feasel) : 06/28/12 11:18 AM

Comment by jfeasel (Jake Feasel) : 06/29/12 12:17 AM
I've dug deeper into the cause of this, and found that the issue is actually with how Railo handles (or rather, doesn't) the "encoded" attribute to cfhttpparam. I've opened an issue about this here: https://issues.jboss.org/browse/RAILO-1976

Updated by dyakhnov (Dmitry Yakhnov) : 07/10/12 10:00 PM