DotNetOpenAuth RP behind an SSL appliance

I am having trouble getting the DNOA RP working behind an SSL appliance (it terminates the client's HTTPS connection and reverse-proxies plain HTTP to the web server behind it).

The problem is that the RP incorrectly guesses the recipient endpoint from the incoming request (which is no longer HTTPS by the time it reaches the web server) and compares that endpoint's scheme with the scheme of the return_to URL (which is HTTPS), so the check fails, as shown below. I am somewhat versed in the code, and I see no way to change this behavior without a custom assembly or a non-trivial subclass. I already pass the HTTPS versions of Realm and ReturnToUrl to OpenIdRelyingParty.CreateRequests() - that part works fine.

Can I override the detected recipient scheme to HTTPS, or skip the scheme comparison, without modifying the DNOA assembly, or will I have to patch the assembly myself?


Stacktrace:

ERROR DotNetOpenAuth.Messaging - 09 Jul 2010 00:11:39,450 - Protocol error: The openid.return_to parameter (https://XXX/Login.aspx?openid=XXX&dnoa.userSuppliedIdentifier=XXX) does not match the actual URL (http://XXX/Login.aspx?openid=XXX&dnoa.userSuppliedIdentifier=XXX&openid.ns=http://specs.openid.net/auth/2.0&openid.mode=id_res&openid.op_endpoint=XXX&openid.response_nonce=XXX&openid.return_to=https://XXX/Login.aspx?openid=XXX&dnoa.userSuppliedIdentifier=XXX&openid.assoc_handle=XXX&openid.signed=op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle&openid.sig=XXX&openid.identity=XXX&openid.claimed_id=XXX) the request was made with.
   at DotNetOpenAuth.Messaging.ErrorUtilities.VerifyProtocol(Boolean condition, String message, Object[] args)
   at DotNetOpenAuth.OpenId.Messages.IndirectSignedResponse.VerifyReturnToMatchesRecipient()
   at DotNetOpenAuth.OpenId.Messages.IndirectSignedResponse.EnsureValidMessage()
   at DotNetOpenAuth.Messaging.MessageSerializer.Deserialize(IDictionary`2 fields, MessageDictionary messageDictionary)
   at DotNetOpenAuth.Messaging.Reflection.MessageDictionary.Deserialize(IDictionary`2 fields)
   at DotNetOpenAuth.Messaging.Channel.Receive(Dictionary`2 fields, MessageReceivingEndpoint recipient)
   at DotNetOpenAuth.Messaging.Channel.ReadFromRequestCore(HttpRequestInfo request)
   at DotNetOpenAuth.Messaging.Channel.ReadFromRequest(HttpRequestInfo httpRequest)
   at DotNetOpenAuth.OpenId.RelyingParty.OpenIdRelyingParty.GetResponse(HttpRequestInfo httpRequestInfo)
   at DotNetOpenAuth.OpenId.RelyingParty.OpenIdRelyingParty.GetResponse()

DotNetOpenAuth has built-in support for SSL appliances when they add these special HTTP headers to the forwarded HTTP request: X_FORWARDED_PROTO and/or HTTP_HOST. When they are present, auto-detection of the external URL is correct. If you can configure your SSL appliance to do this, it is probably the best option.

An alternative is to call OpenIdRelyingParty.GetResponse(HttpRequestInfo) instead of the overload that takes no parameters. You construct the HttpRequestInfo yourself using the external URL, which you know is the real one. Then the URL matching logic inside DotNetOpenAuth will not reject the request.
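One way to apply that second option, as an added example that is not from the answer above or from the DotNetOpenAuth project: it rebuilds the external HTTPS URL from the appliance's forwarding headers and hands it to GetResponse(HttpRequestInfo). It assumes the DotNetOpenAuth 3.4-era HttpRequestInfo(HttpRequest) constructor and its settable UrlBeforeRewriting property, and that the appliance overwrites (rather than appends to) any X-Forwarded-Proto / X-Forwarded-Host the client sent; check both against your version and your appliance configuration.

```csharp
// Added example, not the original post's or DotNetOpenAuth's own code.
// Assumes DNOA 3.4.x: HttpRequestInfo(HttpRequest) and a settable
// UrlBeforeRewriting property (the URL DNOA compares return_to against).
using System;
using System.Web;
using DotNetOpenAuth.Messaging;
using DotNetOpenAuth.OpenId.RelyingParty;

public static class ProxyAwareRelyingParty
{
    // Reconstruct the URL the browser actually used. The appliance speaks
    // plain HTTP to us, so Request.Url reports http:// and the internal host.
    public static Uri ExternalUrl(HttpRequest request)
    {
        // Trust these headers only because the appliance is the sole
        // source of them; if a client could inject them, the scheme check
        // DNOA performs would be bypassable, so configure the appliance to
        // strip or overwrite client-supplied copies.
        string proto = request.Headers["X-Forwarded-Proto"];
        string host = request.Headers["X-Forwarded-Host"] ?? request.Headers["Host"];

        var builder = new UriBuilder(request.Url);
        if (string.Equals(proto, "https", StringComparison.OrdinalIgnoreCase))
        {
            builder.Scheme = Uri.UriSchemeHttps;
            builder.Port = -1; // drop the backend port; use the scheme default
        }
        if (!string.IsNullOrEmpty(host))
        {
            // Host header may carry an explicit port, e.g. "rp.example.com:8443".
            string[] parts = host.Split(':');
            builder.Host = parts[0];
            if (parts.Length > 1) builder.Port = int.Parse(parts[1]);
        }
        return builder.Uri;
    }

    // Drop-in replacement for rp.GetResponse() on a page behind the appliance.
    public static IAuthenticationResponse GetResponse(OpenIdRelyingParty rp, HttpRequest request)
    {
        var info = new HttpRequestInfo(request);
        // Override the auto-detected (http://) recipient with the real one so
        // VerifyReturnToMatchesRecipient compares https:// against https://.
        info.UrlBeforeRewriting = ExternalUrl(request);
        return rp.GetResponse(info);
    }
}
```

In Login.aspx the call becomes ProxyAwareRelyingParty.GetResponse(relyingParty, Request) in place of relyingParty.GetResponse(); the resulting URL should equal the ReturnToUrl you passed to CreateRequests(), which you can confirm by logging ExternalUrl(Request) once.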
