X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/35cbe738e5fbece3aadbfe1a77dcfaffc86c8f05..4e7b7a178890eb8d28edcd2e6ab2763c9a3988e5:/doc/bugs/Error:_OpenID_failure:_time_bad_sig:.mdwn diff --git a/doc/bugs/Error:_OpenID_failure:_time_bad_sig:.mdwn b/doc/bugs/Error:_OpenID_failure:_time_bad_sig:.mdwn index fe09701a0..2fa4a4759 100644 --- a/doc/bugs/Error:_OpenID_failure:_time_bad_sig:.mdwn +++ b/doc/bugs/Error:_OpenID_failure:_time_bad_sig:.mdwn @@ -9,6 +9,75 @@ It occurs both for [getopenid.com](http://www.getopenid.com/) and [myopenid.com](http://www.myopenid.com/) servers I use. I'm reporting this, but I'm not sure whether a problem is with your -ikiwiki or my OpenID servers. --Pawel +ikiwiki or my OpenID servers. --[[Paweł|ptecza]] +> I've seen this too, once or twice (using myopenid), and reauthenticating +> fixed it -- so I can't reproduce it reliably to work on it. I think I've +> seen it both on this wiki and on the one running on my laptop. +> +> The perl openid client module seems +> to fail with time_bad_sig if the time in the signature from the other end +> is "faked". I'm not 100% sure what this code does yet: + # check age/signature of return_to + my $now = time(); + { + my ($sig_time, $sig) = split(/\-/, $self->args("oic.time") || ""); + # complain if more than an hour since we sent them off + return $self->_fail("time_expired") if $sig_time < $now - 3600; + also complain if the signature is from the future by more than 30 seconds, + # which compensates for potential clock drift between nodes in a web farm. + return $self->_fail("time_in_future") if $sig_time - 30 > $now; + # and check that the time isn't faked + my $c_secret = $self->_get_consumer_secret($sig_time); + my $good_sig = substr(OpenID::util::hmac_sha1_hex($sig_time, $c_secret), 0, 20); + return $self->_fail("time_bad_sig") unless $sig eq $good_sig; + } + +> At least it doesn't seem to be a time sync problem since the test for too +> early/too late times have different error messages.. --[[Joey]] + +I've had this problem too, but with my track record of reporting OpenID bugs +I thought it best if I held my tongue. I usually experience this the first +time I sign in on any ikiwiki installation of {ikiwiki.kitenet, ikidev, +betacantrips}, and I think re-logging in always works. --Ethan + +> Does seem easier to repro than I thought. +> Ok, fixed it.. done --[[Joey]] (reopened for new instance of same error +> message below) + +---- + +## the return of the nasty bug + +Hmmmmm, looks like it is not entirely fixed. I am getting it on my own +[blog](http://blog.tobez.org/). Just upgraded to 3.20110430, same same. +I am using custom openid with redirection to myopenid.com. +Please tell me if you need more info. The same openid worked fine to login to *this* site to post this. +-- Anton + +> Well, this bug is from 2007. Probably you are not encountering the same +> bug. +> +> I also have a openid delegation to myopenid, and I can reproduce the +> problem when logging into your site. +> +> What version of the +> Net::OpenId::Consumer perl library do you have installed? --[[Joey]] + +>> It is the latest version from FreeBSD's ports collection, +>> which happens to be a [slightly patched up](http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/net/p5-Net-OpenID-Consumer/files/patch-Consumer.pm?rev=1.2;content-type=text%2Fplain) +>> variant of an +>> ["unauthorized" CPAN release 1.06](http://search.cpan.org/~gugu/Net-OpenID-Consumer-1.06/) +>> +>> Do you think it might be a good idea to try with 1.03 or with an unpatched 1.06? +>> -- Anton + +>>> Absolutely. --[[Joey]] + +>>>> 1.03 fails with "Error: login failed, perhaps you need to turn on cookies?" (needless to say cookies are enabled). +>>>> Unpatched 1.06 fails with "Error: login failed, perhaps you need to turn on cookies?". +>>>> 1.03 with the same patch fails with "Error: OpenID failure: time_bad_sig:" -- Anton. + +>>>>> Investigation revealed it was a bug in the freebsd patch, which I +>>>>> understand is going to be dealt with. [[done]] --[[Joey]]