No "Bad Signature" Feedback in AJAX Demo

Brad Fitzpatrick brad at danga.com
Wed May 25 01:26:32 PDT 2005


Fixed.  Errors are propagated up now.  It also made me find a bug in
Net::OpenID::Consumer testing it... a corrupt signature will make
Crypt::OpenSSL::DSA croak during the verify operation, so I had to wrap it
in eval.


On Wed, 25 May 2005, Nathan D. Bowen wrote:

> It's possible that I'm doing something wrong on my end, but it looks to
> me like the AJAX demo gets sort of "stuck" if the provider returns a bad
> signature. I'm intentionally sending bad signatures in the hope that I
> will see a nice red box catching me in the act, but I'm basically seeing
> nothing.
>
> If I understand it correctly, when the helper receives
> openid.mode=id_res, it is expected to send back a small HTML document
> containing a call to a parent window function (OpenID_callback_pass or
> OpenID_callback_fail). There doesn't seem to be anything like a general
> OpenID_callback_error, though, and the 'fail' function is specifically
> for user setup URLs. So, in the case of a bad signature (or another
> error condition, I assume), it looks like helper.bml just spits back a
> JSON-formatted error directly to the iframe. The form box is left
> forever grey and claiming to be "Contacting identity server".
>
> So it's not exactly letting me "get away with" sending bad signatures,
> but it's not setting off alarms in the browser, either...


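Added example, not part of the original thread or the demo's code: a fail-closed version of the helper step discussed above, where a verifier that throws on a corrupt signature is treated as a failed check and every outcome reaches the parent window as a callback. Assumptions: HMAC-SHA256 stands in for the DSA verification in Net::OpenID::Consumer, `OpenID_callback_error` is a hypothetical callback name, and the `signed`, `sig` and `identity` parameter names are constructed for illustration.

```javascript
const crypto = require("crypto");

// Stand-in verifier (assumption: HMAC-SHA256 instead of DSA). Like the DSA
// verify described in the thread, it throws on a corrupt signature:
// timingSafeEqual raises a RangeError when the two lengths differ.
function verifySignature(signedText, sigB64, key) {
  const expected = crypto.createHmac("sha256", key).update(signedText).digest();
  const given = Buffer.from(sigB64, "base64");
  return crypto.timingSafeEqual(expected, given);
}

// Build the small HTML document the helper returns into the iframe.
function callbackDocument(fn, arg) {
  // JSON.stringify plus "<" escaping keeps the value inside the script string.
  const literal = JSON.stringify(arg).replace(/</g, "\\u003c");
  return `<html><body><script>parent.${fn}(${literal});</script></body></html>`;
}

// Every path ends in a parent-window callback, so the form never stays
// stuck on "Contacting identity server".
function helperResponse(params, key) {
  if (params["openid.mode"] !== "id_res") {
    return callbackDocument("OpenID_callback_error", "unexpected mode");
  }
  let ok = false;
  try {
    ok = verifySignature(params.signed, params.sig, key);
  } catch (err) {
    ok = false; // verifier threw on malformed input: treat as a bad signature
  }
  return ok
    ? callbackDocument("OpenID_callback_pass", params.identity)
    : callbackDocument("OpenID_callback_error", "bad signature");
}
```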