LiveJournal consumer seems to fail with encoded urls

Brad Fitzpatrick brad at danga.com
Thu Jul 7 14:47:13 PDT 2005


On Thu, 7 Jul 2005, Adam Langley wrote:

> OpenID seemed to be a good excuse to try out Ruby on Rails. 24 hours
> later and I have a working server (will be live sometime soon).

Cool.

> But in my travels it seems that LJ fails if elements in the redirect
> (specifically, return_to) are URL encoded.

Not exactly true.  What actually happened was that LJ's openid login page
checked that the value of openid.return_to was EXACTLY
"http://www.livejournal.com/openid/login.bml" and forgot that
Net::OpenID::Consumer adds some of its own state to it.  So I changed it
to a prefix match, as talkpost (for leaving comments on LJ) already did.

The fact that not encoding it made it work for you is because in that
case, the ? wasn't encoded, so LJ split on it, and everything else was
ignored.

But LJ decodes the %xx fine.  Net::OpenID::* never gets near that.

> Here's an example of a redirect which causes LJ to say "invalid return_to"
>
> http://www.livejournal.com/openid/login.bml?oic.identity=http://imperialviolet.org/&openid.assoc_handle=0f4a8983e5ddac0f&openid.valid_to=2005-07-07T21%3A19%3A46Z&openid.identity=http%3A%2F%2F81.86.225.58%3A3000%2Fuser%2F7&openid.return_to=http%3A%2F%2Fwww.livejournal.com%2Fopenid%2Flogin.bml%3Foic.identity%3Dhttp%3A%2F%2Fimperialviolet.org%2F&openid.mode=id_res&openid.issued=2005-07-07T20%3A19%3A46Z&openid.sig=jrak2KOj%2BZPYtWdvleIuzSvJbio%3D&openid.signed=issued%2Cvalid_to%2Cidentity

Ick --- be sure you sign more than just issued!  You'll want to sign
"return_to" and other things.  See what Net::OpenID::Server does.

I was able to login to my local LJ install by slightly altering that URL,
since the signature still matched (with your ruby server's
check_authentication)

- Brad
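
An added example, not part of the original message and not code from Net::OpenID or the Ruby server discussed: it shows why a signature that omits return_to still verifies after return_to is changed, and a consumer-side check that refuses such responses. The "key:value\n" HMAC-SHA1 token format is an assumption modelled on OpenID 1.x signing; the secret, hosts, REQUIRED_SIGNED policy and helper names are constructed for illustration.

```ruby
require 'openssl'
require 'base64'

# Assumed policy for this example: fields the consumer insists are signed.
REQUIRED_SIGNED = %w[identity return_to].freeze
SECRET = 'constructed-association-secret' # constructed sample value

# Assumed token format: HMAC-SHA1 over "key:value\n" per openid.signed entry.
def signature(params, secret)
  token = params.fetch('openid.signed', '').split(',')
                .map { |k| "#{k}:#{params["openid.#{k}"]}\n" }.join
  Base64.strict_encode64(OpenSSL::HMAC.digest('SHA1', secret, token))
end

# Server side: attach openid.signed and openid.sig to a response.
def sign(params, signed_fields, secret)
  out = params.merge('openid.signed' => signed_fields.join(','))
  out.merge('openid.sig' => signature(out, secret))
end

# Required fields that the signature does not cover.
def unsigned_required(params)
  REQUIRED_SIGNED - params.fetch('openid.signed', '').split(',')
end

# Constant-time string comparison.
def secure_eq(a, b)
  a.bytesize == b.bytesize &&
    a.bytes.zip(b.bytes).reduce(0) { |d, (x, y)| d | (x ^ y) }.zero?
end

# Consumer side: the signature must verify and cover every required field.
def acceptable?(params, secret)
  unsigned_required(params).empty? &&
    secure_eq(signature(params, secret), params['openid.sig'].to_s)
end

# Constructed response fields (hypothetical hosts).
BASE = {
  'openid.identity' => 'http://idp.example/user/7',
  'openid.return_to' => 'http://consumer.example/openid/login?state=abc',
  'openid.issued' => '2005-07-07T20:19:46Z',
  'openid.valid_to' => '2005-07-07T21:19:46Z'
}.freeze

# Same signed list as the quoted redirect: issued, valid_to, identity.
weak = sign(BASE, %w[issued valid_to identity], SECRET)
moved = weak.merge('openid.return_to' => 'http://other.example/')
puts "sig unchanged: #{signature(moved, SECRET) == weak['openid.sig']}, accepted: #{acceptable?(moved, SECRET)}"
```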


