From dekkerdreyer at gmail.com Tue Feb 6 23:18:34 2007
From: dekkerdreyer at gmail.com (Dekker Dreyer)
Date: Wed, 7 Feb 2007 02:18:34 -0500
Subject: Numerous Problems with PHP-openid on RHEL
Message-ID:

Just downloaded the PHP Openid library 1.2.1 and the 1.0.0. PHP openid server and installed it on my webserver, which is some variant of RHEL (2.6.9 kernel), php version 4.4.2 (with GD).

First off, the captcha.php file seems to be broken. I get a broken image link. Trying to follow the image link directly I get:

"Fatal error: Call to undefined function: imagettftext() in /home/dekker/open_id_server/src/captcha.php on line 49"

I don't need that for my installation, but thought I'd pass it on.

I disabled public registration and set up myself via the administrator login. It would be nice to provide a method for generating md5 hashes, even if it is just a php passthru like:

""

and an instruction in the README that says

php generate_md5.php < echo 'my_password'

Just a suggestion.

Back to my problem, I tried to authenticate on another site and got an error when taken back to my openid server:

"You've tried to authenticate using a URL this server does not manage"

Trying the diagnose-server script, I get:

"Fatal error: Define Auth_OpenID_RAND_SOURCE as null to continue with an insecure random number generator. in /usr/local/lib/php/Auth/OpenID/CryptUtil.php on line 53"

I went into the CryptUtil.php file and I see:

if (!defined('Auth_OpenID_RAND_SOURCE')) {
    /**
     * The filename for a source of random bytes. Define this yourself
     * if you have a different source of randomness.
     */
    define('Auth_OpenID_RAND_SOURCE', '/dev/urandom');
}

This server has a urandom and a random. Changing this to /dev/random does not work either, nor does removing the if clause.

Just to add one final kick, when I tried to sign up for this mailing list to post about the errors I'm getting, I saw:

"Alternatively, enter a privacy password below. (...)
If you enter neither an OpenID nor a password, a password will be automatically generated and emailed to you."

However, it refuses to let you continue unless you supply an openID, whether you enter a password or not.

How can I fix the randomness issue?

Dekker Dreyer

From norman at rasmussen.co.za Tue Feb 6 23:59:04 2007
From: norman at rasmussen.co.za (Norman Rasmussen)
Date: Wed, 7 Feb 2007 09:59:04 +0200
Subject: Numerous Problems with PHP-openid on RHEL
In-Reply-To:
References:
Message-ID: <5b698f5a0702062359l2c0c99d4p68f0491b6be506c2@mail.gmail.com>

On 2/7/07, Dekker Dreyer wrote:
> It would be nice to provide a method for generating md5
> hashes, even if it is just a php passthru like:
> ""
> and an instruction in the README that says
> php generate_md5.php < echo 'my_password'

option #1: echo -n 'my_password' | md5sum
option #2: echo -n 'my_password' | openssl md5

> "Fatal error: Define Auth_OpenID_RAND_SOURCE as null to continue with
> an insecure random number generator. in
> /usr/local/lib/php/Auth/OpenID/CryptUtil.php on line 53"

> How can I fix the randomness issue?

in config.php add:

define('Auth_OpenID_RAND_SOURCE', null);

--
- Norman Rasmussen
- Email: norman at rasmussen.co.za
- Home page: http://norman.rasmussen.co.za/

From kevin at radagast.biz Wed Feb 7 00:06:45 2007
From: kevin at radagast.biz (Kevin Jardine)
Date: Wed, 07 Feb 2007 09:06:45 +0100
Subject: Numerous Problems with PHP-openid on RHEL
In-Reply-To:
References:
Message-ID: <45C98895.7070503@radagast.biz>

Dekker Dreyer wrote:
>
> How can I fix the randomness issue?

Hi Dekker,

Even though your system may have a urandom file, does your script actually have the authority to access it? I suspect that it would not if you were running PHP in safe mode, for example, or if the read permissions on /dev/urandom were not universal.

If you continue having trouble, then I suggest that you follow the suggestion in the code and set Auth_OpenID_RAND_SOURCE to null.

Cheers, Kevin -- Kevin Jardine Radagast Solutions Internet campaign advice and magic http://radagast.biz YIM: kevinjardine Skype: kevinjardine Eml: kevin at radagast.biz Tel: +31 (0)6 25581608 From dekkerdreyer at gmail.com Wed Feb 7 06:54:22 2007 From: dekkerdreyer at gmail.com (Dekker Dreyer) Date: Wed, 7 Feb 2007 09:54:22 -0500 Subject: Numerous Problems with PHP-openid on RHEL In-Reply-To: <45C98895.7070503@radagast.biz> References: <45C98895.7070503@radagast.biz> Message-ID: Thanks for your reply. My installation of PHP is *not* in safe_mode. I have verified that /dev/urandom is globally readable and I even tried putting urandom in the include path in php.ini, no luck. I'm trying to stay away from the pseudorandom null option as the code seems so adamantly against doing it. I've tried: define('Auth_OpenID_RAND_SOURCE', 'null'); define('Auth_OpenID_RAND_SOURCE', null); define('Auth_OpenID_RAND_SOURCE', NULL); on line 23 and none of those worked. I even tried setting this outside of the if clause. I went down a few lines in the CryptUtil and commented out the trigger_error. Am I setting Auth_OpenID in the wrong place? Thanks for the md5 suggestion, I had tried putting my password in a file and handing it to md5sum but that didn't work. Probably the EOL or EOF. With the commented out "trigger_error" I pass the "Associate (DH-SHA1 session)" test. I'm using "www.domain.com" as my ID, with the following info at the top of www.domain.com/index.php That was copied directly from the openid welcome page after I log in. If I try to test the "Successful check_id setup" I am taken to my openid login page http://www.domain.com/openid/?action=login&next_action=trust With the following warning above the login box: "You've tried to authenticate using a URL this server does not manage (http://www.domain.com/openid/?user=dekker). If you are using your own identity page, there may be a typo in the URL." 
If I copy that URL directly into my browser I am taken to: "OpenID Identity Page This is the identity page for the user dekker" Why does my openid server claim it does not manage me? Dekker Dreyer On 2/7/07, Kevin Jardine wrote: > > Dekker Dreyer wrote: > > > > > How can I fix the randomness issue? > > Hi Dekker, > > Even though your system may have a urandom file, does your script > actually have the authority to access it? I suspect that it would not if > you were running PHP in safe mode, for example, or if the read > permissions on /dev/urandom were not universal. > > If you continue having trouble, then I suggest that you follow the > suggestion in the code and set Auth_OpenID_RAND_SOURCE to null. > > Cheers, > Kevin > > -- > Kevin Jardine > Radagast Solutions > > Internet campaign advice and magic > http://radagast.biz > > YIM: kevinjardine > Skype: kevinjardine > Eml: kevin at radagast.biz > Tel: +31 (0)6 25581608 > > _______________________________________________ > Dev mailing list > Dev at lists.openidenabled.com > http://lists.openidenabled.com/mailman/listinfo/dev > From josh at janrain.com Wed Feb 7 11:21:06 2007 From: josh at janrain.com (Josh Hoyt) Date: Wed, 7 Feb 2007 11:21:06 -0800 Subject: Numerous Problems with PHP-openid on RHEL In-Reply-To: <5b698f5a0702062359l2c0c99d4p68f0491b6be506c2@mail.gmail.com> References: <5b698f5a0702062359l2c0c99d4p68f0491b6be506c2@mail.gmail.com> Message-ID: <34714aad0702071121x1355ccc3p48d842d3e9b3e20@mail.gmail.com> On 2/6/07, Norman Rasmussen wrote: > On 2/7/07, Dekker Dreyer wrote: > > "Fatal error: Define Auth_OpenID_RAND_SOURCE as null to continue with > > an insecure random number generator. in > > /usr/local/lib/php/Auth/OpenID/CryptUtil.php on line 53" > > How can I fix the randomness issue? 
> > in config.php add: > > define('Auth_OpenID_RAND_SOURCE', null); I don't have the answer right now, but I know that that answer not it, unless you're on a machine where PHP *actually* doesn't have access to a good randomness source. Windows is the only platform where this has been reported. Windows does have a good randomness source available, but it requires making several Windows API calls and PHP does not provide access to it. You can set your randomness source to null if you just want it to work and you are running an application where security is not at all important. If you do this, it will use a pseudo-random sequence (the default PHP random calls) that is relatively easily cracked. This is why you have to explicitly tell it that you want an insecure source of randomness. I'll try to see if I can figure out why it's failing for you, but we're not PHP experts here, nor do we run Red Hat (though we are a Linux shop). Can you supply more information about your PHP build so that we can try to replicate the problem? Josh From dekkerdreyer at gmail.com Wed Feb 7 16:03:18 2007 From: dekkerdreyer at gmail.com (Dekker Dreyer) Date: Wed, 7 Feb 2007 19:03:18 -0500 Subject: Numerous Problems with PHP-openid on RHEL In-Reply-To: <34714aad0702071121x1355ccc3p48d842d3e9b3e20@mail.gmail.com> References: <5b698f5a0702062359l2c0c99d4p68f0491b6be506c2@mail.gmail.com> <34714aad0702071121x1355ccc3p48d842d3e9b3e20@mail.gmail.com> Message-ID: Please note where I showed that setting it to "null" still causes it to abort unless I comment out the trigger_error line. I verified that @fopen('/dev/urandom','r') works from the command prompt but not from the webserver. There are no displayed errors. If I remove the pointer and just use "fopen" instead of "@fopen" I get an "open_basedir restriction in effect" telling me that I can't open /dev/urandom. I don't know why "fopen" vocally fails but "@fopen" does not. 
>From there I was able to chase down where the open_basedir is assigned in the httpd.conf (not in the php.ini file) and add /dev/urandom. Now I can correctly associate the DH-SHA1 session (without commenting out the trigger_error). I still have the problem when I try the "Successful checkid_setup" test. I get the red text cell which says, "You've tried to authenticate using a URL this server does not manage" Dekker Dreyer On 2/7/07, Josh Hoyt wrote: > On 2/6/07, Norman Rasmussen wrote: > > On 2/7/07, Dekker Dreyer wrote: > > > "Fatal error: Define Auth_OpenID_RAND_SOURCE as null to continue with > > > an insecure random number generator. in > > > /usr/local/lib/php/Auth/OpenID/CryptUtil.php on line 53" > > > How can I fix the randomness issue? > > > > in config.php add: > > > > define('Auth_OpenID_RAND_SOURCE', null); > > I don't have the answer right now, but I know that that answer not it, > unless you're on a machine where PHP *actually* doesn't have access to > a good randomness source. Windows is the only platform where this has > been reported. Windows does have a good randomness source available, > but it requires making several Windows API calls and PHP does not > provide access to it. > > You can set your randomness source to null if you just want it to work > and you are running an application where security is not at all > important. If you do this, it will use a pseudo-random sequence (the > default PHP random calls) that is relatively easily cracked. This is > why you have to explicitly tell it that you want an insecure source of > randomness. > > I'll try to see if I can figure out why it's failing for you, but > we're not PHP experts here, nor do we run Red Hat (though we are a > Linux shop). Can you supply more information about your PHP build so > that we can try to replicate the problem? 
> > Josh > > _______________________________________________ > Dev mailing list > Dev at lists.openidenabled.com > http://lists.openidenabled.com/mailman/listinfo/dev > From cygnus at janrain.com Wed Feb 7 16:10:08 2007 From: cygnus at janrain.com (Jonathan Daugherty) Date: Wed, 7 Feb 2007 16:10:08 -0800 Subject: Numerous Problems with PHP-openid on RHEL In-Reply-To: References: <5b698f5a0702062359l2c0c99d4p68f0491b6be506c2@mail.gmail.com> <34714aad0702071121x1355ccc3p48d842d3e9b3e20@mail.gmail.com> Message-ID: <20070208001008.GT4082@janrain.com> # If I remove the pointer and just use "fopen" instead of "@fopen" I # get an "open_basedir restriction in effect" telling me that I can't # open /dev/urandom. I don't know why "fopen" vocally fails but # "@fopen" does not. "@fopen" does fail, but the only difference is that "@" "silences" the failure so no error is printed to the HTTP response stream or anywhere else. "@" does not change the behavior of the thing it silences in any other way. http://www.devguru.com/technologies/php/6033.asp (I'd include a reference to the official PHP manual, but as usual it is woefully inadequate.) # From there I was able to chase down where the open_basedir is # assigned in the httpd.conf (not in the php.ini file) and add # /dev/urandom. Now I can correctly associate the DH-SHA1 session # (without commenting out the trigger_error). We should add a note about this to our library README. -- Jonathan Daugherty JanRain, Inc. irc.freenode.net: cygnus in #openid cygnus.myopenid.com From dekkerdreyer at gmail.com Wed Feb 7 19:57:10 2007 From: dekkerdreyer at gmail.com (Dekker Dreyer) Date: Wed, 7 Feb 2007 22:57:10 -0500 Subject: Errors in PHP server when looking at my sites - looks like user-centric tables are not being created. 
Message-ID: When I log into the openid server and look at my sites I get two errors: Warning: Cannot use a scalar value as an array in /home/dekker/open_id/src/render.php on line 119 Warning: Cannot use a scalar value as an array in /home/dekker/open_id/src/render.php on line 124 I also show 2 trusted sites with only a single letter name and 6 untrusted sites with no name. Trying to do anything on that page, such as "delete", gives me a green box that says "Settings saved" but nothing changes. If I go into mysql and manually delete all the associations in the "oid_associations" table, logoff and log back into openid, all those servers are still listed. Mysql still has an empty oid_associations table. Purging the templates_c cache doesn't change anything. Using print_r to dump the $sites array (which appears to give the problems above) shows errors mixed in the array: DB Error: no such table [userinfo] [nativecode=1146 ** Table 'dekker_openid.sites' doesn't exist] the openid database has the following tables: "accounts" "oid_associations" "oid_nonces" "oid_settings" "personas" "personas_id_seq" No user-centric tables were created. The "accounts" table does have an entry for dekker. Deleting the account "dekker" through the admin login does remove it from the "accounts" table. I tried adding "dekker" and a "test" account and neither of them had their own tables created, but they did appear in the "accounts" table. How can I fix this? Dekker Dreyer From norman at rasmussen.co.za Thu Feb 8 01:59:09 2007 From: norman at rasmussen.co.za (Norman Rasmussen) Date: Thu, 8 Feb 2007 11:59:09 +0200 Subject: Errors in PHP server when looking at my sites - looks like user-centric tables are not being created. In-Reply-To: References: Message-ID: <5b698f5a0702080159n4217e906r18b4cbe436624595@mail.gmail.com> I found that the MySql automatic creation scripts hardcoded into the library failed because of my syntax, etc. I ended up copying them out and creating the tables manually. 
(There should be three) On 2/8/07, Dekker Dreyer wrote: > When I log into the openid server and look at my sites I get two errors: > > Warning: Cannot use a scalar value as an array in > /home/dekker/open_id/src/render.php on line 119 > Warning: Cannot use a scalar value as an array in > /home/dekker/open_id/src/render.php on line 124 > > I also show 2 trusted sites with only a single letter name and 6 > untrusted sites with no name. Trying to do anything on that page, > such as "delete", gives me a green box that says "Settings saved" but > nothing changes. > > If I go into mysql and manually delete all the associations in the > "oid_associations" table, logoff and log back into openid, all those > servers are still listed. Mysql still has an empty oid_associations > table. Purging the templates_c cache doesn't change anything. > > Using print_r to dump the $sites array (which appears to give the > problems above) shows errors mixed in the array: > > DB Error: no such table [userinfo] > [nativecode=1146 ** Table 'dekker_openid.sites' doesn't exist] > > the openid database has the following tables: > > "accounts" "oid_associations" "oid_nonces" "oid_settings" "personas" > "personas_id_seq" > > No user-centric tables were created. > > The "accounts" table does have an entry for dekker. Deleting the > account "dekker" through the admin login does remove it from the > "accounts" table. I tried adding "dekker" and a "test" account and > neither of them had their own tables created, but they did appear in > the "accounts" table. > > How can I fix this? 
> > Dekker Dreyer > > _______________________________________________ > Dev mailing list > Dev at lists.openidenabled.com > http://lists.openidenabled.com/mailman/listinfo/dev > -- - Norman Rasmussen - Email: norman at rasmussen.co.za - Home page: http://norman.rasmussen.co.za/ From dekkerdreyer at gmail.com Thu Feb 8 09:22:43 2007 From: dekkerdreyer at gmail.com (Dekker Dreyer) Date: Thu, 8 Feb 2007 12:22:43 -0500 Subject: Errors in PHP server when looking at my sites - looks like user-centric tables are not being created. In-Reply-To: <5b698f5a0702080159n4217e906r18b4cbe436624595@mail.gmail.com> References: <5b698f5a0702080159n4217e906r18b4cbe436624595@mail.gmail.com> Message-ID: Thanks Norman, looks like there are a few bugs in the storage.php file. Errors found in mysql table creation: ** CREATE TABLE identities (id INTEGER AUTO_INCREMENT NOT NULL PRIMARY KEY, account VARCHAR(255) NOT NULL, url TEXT NOT NULL, UNIQUE (account, url(255))) #1071 - Specified key was too long. Max key length is 500 Setting the account and url lengths both to 249 fixed this. ** CREATE TABLE sites (account VARCHAR(255) NOT NULL, trust_root TEXT, trusted BOOLEAN, UNIQUE (account, trust_root(255))) Change "BOOLEAN" to "BOOL" and drop the lengths to 249. ** This allows me to continue past the second test. I also see my trusted sites properly when I log in as a user. Dekker Dreyer On 2/8/07, Norman Rasmussen wrote: > I found that the MySql automatic creation scripts hardcoded into the > library failed because of my syntax, etc. > > I ended up copying them out and creating the tables manually. 
(There > should be three) > > On 2/8/07, Dekker Dreyer wrote: > > When I log into the openid server and look at my sites I get two errors: > > > > Warning: Cannot use a scalar value as an array in > > /home/dekker/open_id/src/render.php on line 119 > > Warning: Cannot use a scalar value as an array in > > /home/dekker/open_id/src/render.php on line 124 > > > > I also show 2 trusted sites with only a single letter name and 6 > > untrusted sites with no name. Trying to do anything on that page, > > such as "delete", gives me a green box that says "Settings saved" but > > nothing changes. > > > > If I go into mysql and manually delete all the associations in the > > "oid_associations" table, logoff and log back into openid, all those > > servers are still listed. Mysql still has an empty oid_associations > > table. Purging the templates_c cache doesn't change anything. > > > > Using print_r to dump the $sites array (which appears to give the > > problems above) shows errors mixed in the array: > > > > DB Error: no such table [userinfo] > > [nativecode=1146 ** Table 'dekker_openid.sites' doesn't exist] > > > > the openid database has the following tables: > > > > "accounts" "oid_associations" "oid_nonces" "oid_settings" "personas" > > "personas_id_seq" > > > > No user-centric tables were created. > > > > The "accounts" table does have an entry for dekker. Deleting the > > account "dekker" through the admin login does remove it from the > > "accounts" table. I tried adding "dekker" and a "test" account and > > neither of them had their own tables created, but they did appear in > > the "accounts" table. > > > > How can I fix this? 
> > > > Dekker Dreyer > > > > _______________________________________________ > > Dev mailing list > > Dev at lists.openidenabled.com > > http://lists.openidenabled.com/mailman/listinfo/dev > > > > > -- > - Norman Rasmussen > - Email: norman at rasmussen.co.za > - Home page: http://norman.rasmussen.co.za/ > > _______________________________________________ > Dev mailing list > Dev at lists.openidenabled.com > http://lists.openidenabled.com/mailman/listinfo/dev > From cygnus at janrain.com Thu Feb 8 09:34:30 2007 From: cygnus at janrain.com (Jonathan Daugherty) Date: Thu, 8 Feb 2007 09:34:30 -0800 Subject: Errors in PHP server when looking at my sites - looks like user-centric tables are not being created. In-Reply-To: References: <5b698f5a0702080159n4217e906r18b4cbe436624595@mail.gmail.com> Message-ID: <20070208173429.GW4082@janrain.com> # Thanks Norman, looks like there are a few bugs in the storage.php # file. # # Errors found in mysql table creation: # # ** # CREATE TABLE identities (id INTEGER AUTO_INCREMENT NOT NULL PRIMARY # KEY, account VARCHAR(255) NOT NULL, url TEXT NOT NULL, UNIQUE # (account, url(255))) # # #1071 - Specified key was too long. Max key length is 500 Actually, this is a bug in MySQL. I plan on fixing this and doing a bugfix release today. This bug has bitten several people. At any rate, I'm glad you knew what to do to fix it. -- Jonathan Daugherty JanRain, Inc. irc.freenode.net: cygnus in #openid cygnus.myopenid.com From norman at rasmussen.co.za Fri Feb 9 00:48:39 2007 From: norman at rasmussen.co.za (Norman Rasmussen) Date: Fri, 9 Feb 2007 10:48:39 +0200 Subject: Errors in PHP server when looking at my sites - looks like user-centric tables are not being created. 
In-Reply-To: <20070208173429.GW4082@janrain.com>
References: <5b698f5a0702080159n4217e906r18b4cbe436624595@mail.gmail.com> <20070208173429.GW4082@janrain.com>
Message-ID: <5b698f5a0702090048ve356cffhd394d0aaaabb7388@mail.gmail.com>

On 2/8/07, Jonathan Daugherty wrote:
> # Thanks Norman, looks like there are a few bugs in the storage.php
> # file.
> Actually, this is a bug in MySQL. I plan on fixing this and doing a
> bugfix release today. This bug has bitten several people.
>
> At any rate, I'm glad you knew what to do to fix it.

Cool, I found out the hard way :-)

btw: Do you mean to force the database tables to be InnoDB. Maybe the tables should be created using the server default, or is there a particularly good reason for using InnoDB, like ACID, and better performance on large databases?

--
- Norman Rasmussen
- Email: norman at rasmussen.co.za
- Home page: http://norman.rasmussen.co.za/

From audra at audrajohnson.com Fri Feb 9 03:30:36 2007
From: audra at audrajohnson.com (Audra Johnson)
Date: Fri, 9 Feb 2007 03:30:36 -0800
Subject: PHP 1.2.1 lib: bugs for ParseHTML.php in Yadis and detect.php in OpenID's examples
Message-ID: <4CA687D5-5DA1-4D7A-BE6E-9F8830CCDE9D@audrajohnson.com>

#1 -- Services/Yadis/Yadis.php needs to be included in detect.php

Right now, out of the box, it gives an error like this:

Fatal error: Class 'Services_Yadis_Yadis' not found in ~/openid/
original/examples/detect.php on line 385

Which can be fixed by including the line

    include 'Services/Yadis/Yadis.php';

Around line 447.

Diff: http://audrajohnson.com/openid/detect.diff

#2 & 3 -- The ParseHTML.php has some problems

I was running into a lot of problems with certain LiveJournal users
being unable to verify because the parser wasn't finding the X-XRDS-
Location meta tag (which existed), and they revealed some issues with
the HTML parser under PHP 5.2.0 (but not 4.4.4).
Upping the pcre.recursion_limit and pcre.backtrack_limit settings from 100,000 to 160,000 seemed to do the trick on most of them, although not all, but that solution made me uncomfortable--those settings have never been too restrictive on me before, and so I did some monkeying around with the file and ended up adding one line and changing another. I'm pretty sure one of these is a bug, although the other may not be.

The diff is here: http://audrajohnson.com/openid/ParseHTML.diff

The first line changed is:

    var $_close_tag_expr = "<\/?%s\s*>";

to

    var $_close_tag_expr = "<\/%s\s*>";

Because under some conditions the parser would be mysteriously discarding lots more than it should with the first line when trying to parse out the body close tag, and I figured that if it was supposed to be a regular expression for a *closing* tag, then the / was not optional. If the HTML was malformed and there were somehow two open body links, I think the second regex looking for the first open body would discard the rest of the mangled stuff anyhow. I'm not sure if this one is a bug, though, because the ? in the regex might be there for a reason I'm not thinking about due to inexperience.

The second change is an added line right about this area:

    $stripped = preg_replace($this->_removed_re, "", $html_string);
    $html_string = $stripped;

Although I think it could just as easily be replaced with.

    $html_string = preg_replace($this->_removed_re, "", $html_string);

I'm pretty sure this one is a bug because the parser was going to all of the work of stripping out comments, CDATA, and script tags and never using the results, which just seems weird.

These changes made all the journals I was having trouble with work and get to the second stage where they were redirected to LiveJournal, without having to raise PHP's preg limit settings.

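
Added example, not part of the original message and not code from the PHP OpenID library: the two ParseHTML.php changes described in the message above, run on a constructed page. The `$removed_re` value, the meta-tag matcher and the helper names are simplified stand-ins, because the library's real patterns are not shown in the thread.

```php
<?php
// Added illustration; not code from the PHP OpenID library.

// The two close-tag templates quoted in the message.
$original_expr = '<\/?%s\s*>';   // "/" optional
$proposed_expr = '<\/%s\s*>';    // "/" required

// Assumption: stand-in for $this->_removed_re, whose real value the thread
// does not show. It removes comments, CDATA sections and script elements.
$removed_re = '/<!--.*?-->|<!\[CDATA\[.*?\]\]>|<script\b[^>]*>.*?<\/script\s*>/is';

// Constructed page: one discovery tag is commented out, one is live.
$html = "<html><head>\n"
      . "<!-- <meta http-equiv=\"X-XRDS-Location\" content=\"http://old.example/xrds\"> -->\n"
      . "<meta http-equiv=\"X-XRDS-Location\" content=\"http://id.example/xrds\">\n"
      . "</head><body><p>profile</p></body></html>\n";

// Return "matched text @ offset" for the first hit of a tag template.
function first_hit($template, $tag, $subject)
{
    $re = '/' . sprintf($template, $tag) . '/i';
    if (preg_match($re, $subject, $m, PREG_OFFSET_CAPTURE) !== 1) {
        return 'no match';
    }
    return $m[0][0] . ' @ ' . $m[0][1];
}

// Simplified matcher (assumption): content values of X-XRDS-Location tags.
function xrds_locations($subject)
{
    $re = '/<meta\s+http-equiv="X-XRDS-Location"\s+content="([^"]*)"/i';
    preg_match_all($re, $subject, $m);
    return $m[1];
}

// Change 1: with the optional "/", the "close tag" pattern also accepts the
// opening tag, so its first hit is <body> rather than </body>.
echo "original template: ", first_hit($original_expr, 'body', $html), "\n";
echo "proposed template: ", first_hit($proposed_expr, 'body', $html), "\n";

// Change 2, before: the stripped copy is computed and then ignored, so the
// matcher still sees the tag inside the comment.
$html_string = $html;
$stripped = preg_replace($removed_re, '', $html_string);
echo "result unused:   ", implode(', ', xrds_locations($html_string)), "\n";

// Change 2, after: later matching runs on the stripped text.
$html_string = $stripped;
echo "result assigned: ", implode(', ', xrds_locations($html_string)), "\n";
```
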
From dekkerdreyer at gmail.com Fri Feb 9 05:45:26 2007 From: dekkerdreyer at gmail.com (Dekker Dreyer) Date: Fri, 9 Feb 2007 08:45:26 -0500 Subject: Errors in PHP server when looking at my sites - looks like user-centric tables are not being created. In-Reply-To: <5b698f5a0702090048ve356cffhd394d0aaaabb7388@mail.gmail.com> References: <5b698f5a0702080159n4217e906r18b4cbe436624595@mail.gmail.com> <20070208173429.GW4082@janrain.com> <5b698f5a0702090048ve356cffhd394d0aaaabb7388@mail.gmail.com> Message-ID: It also creates PRIMARY and KEY indexes for some of the tables - which is redundant. Dekker Dreyer On 2/9/07, Norman Rasmussen wrote: > On 2/8/07, Jonathan Daugherty wrote: > > # Thanks Norman, looks like there are a few bugs in the storage.php > > # file. > > Actually, this is a bug in MySQL. I plan on fixing this and doing a > > bugfix release today. This bug has bitten several people. > > > > At any rate, I'm glad you knew what to do to fix it. > > Cool, I found out the hard way :-) > > btw: Do you mean to force the database tables to be InnoDB. Maybe the > tables should be created using the server default, or is there a > particulay good reason for using InnoDB, like ACID, and better > performance on large databases? > > -- > - Norman Rasmussen > - Email: norman at rasmussen.co.za > - Home page: http://norman.rasmussen.co.za/ > > _______________________________________________ > Dev mailing list > Dev at lists.openidenabled.com > http://lists.openidenabled.com/mailman/listinfo/dev > From cygnus at janrain.com Fri Feb 9 07:39:58 2007 From: cygnus at janrain.com (Jonathan Daugherty) Date: Fri, 9 Feb 2007 07:39:58 -0800 Subject: Errors in PHP server when looking at my sites - looks like user-centric tables are not being created. 
In-Reply-To: References: <5b698f5a0702080159n4217e906r18b4cbe436624595@mail.gmail.com> <20070208173429.GW4082@janrain.com> <5b698f5a0702090048ve356cffhd394d0aaaabb7388@mail.gmail.com> Message-ID: <20070209153958.GZ4082@janrain.com> # It also creates PRIMARY and KEY indexes for some of the tables - # which is redundant. No, "PRIMARY KEY" is the SQL phrase used for such keys. "KEY" is valid alone, but that is only true of MySQL 4.1 and later. -- Jonathan Daugherty JanRain, Inc. irc.freenode.net: cygnus in #openid cygnus.myopenid.com From cygnus at janrain.com Fri Feb 9 07:42:42 2007 From: cygnus at janrain.com (Jonathan Daugherty) Date: Fri, 9 Feb 2007 07:42:42 -0800 Subject: Errors in PHP server when looking at my sites - looks like user-centric tables are not being created. In-Reply-To: <5b698f5a0702090048ve356cffhd394d0aaaabb7388@mail.gmail.com> References: <5b698f5a0702080159n4217e906r18b4cbe436624595@mail.gmail.com> <20070208173429.GW4082@janrain.com> <5b698f5a0702090048ve356cffhd394d0aaaabb7388@mail.gmail.com> Message-ID: <20070209154242.GA4082@janrain.com> # btw: Do you mean to force the database tables to be InnoDB. Maybe # the tables should be created using the server default, or is there a # particulay good reason for using InnoDB, like ACID, and better # performance on large databases? If the server supports InnoDB, yes, it should be used for ACIDity in particular. The server software does not make heavy use of transactions, but they're used by the association storage code. You can change the table type if your server isn't configured to support InnoDB (for a long time, maintainers didn't), and you'd be no worse off than you are with any other apps running on MyISAM. -- Jonathan Daugherty JanRain, Inc. irc.freenode.net: cygnus in #openid cygnus.myopenid.com From j at justinburger.com Sun Feb 11 11:56:10 2007 From: j at justinburger.com (Justin Burger) Date: Sun, 11 Feb 2007 11:56:10 -0800 Subject: MyOpenID.com, mapped to another domain. 
Message-ID: <2705B1B2-4C19-4F52-BFFF-B6B29FA42CCB@justinburger.com> Hi, I had a user email in this week and say that they had their openID (a myopenID) mapped to their own personal domain, but when they attempted to login to my site with the personal domain the response my site got was their myopenID, NOT their domain. I confirmed this; is there another field that show's delegates? I am using the PHP openID lib. I'm sure this issue has came up in the past. Thanks, Justin Burger. From josh at janrain.com Sun Feb 11 12:19:29 2007 From: josh at janrain.com (Josh Hoyt) Date: Sun, 11 Feb 2007 12:19:29 -0800 Subject: MyOpenID.com, mapped to another domain. In-Reply-To: <2705B1B2-4C19-4F52-BFFF-B6B29FA42CCB@justinburger.com> References: <2705B1B2-4C19-4F52-BFFF-B6B29FA42CCB@justinburger.com> Message-ID: <34714aad0702111219kcc1f08k6bd96b9cd23fdfeb@mail.gmail.com> Justin, On 2/11/07, Justin Burger wrote: > I had a user email in this week and say that they had their openID (a > myopenID) mapped to their own personal domain, but when they > attempted to login to my site with the personal domain the response > my site got was their myopenID, NOT their domain. > > I confirmed this; is there another field that show's delegates? In OpenID 1 (the currently deployed version), the MyOpenID URL is the only one that should be present in the response. It's the responsibility of the OpenID Consumer to keep track of the original identifier and restore it after it gets a response from the OpenID server via the return URL. The JanRain OpenID libraries all try to take care of this bookkeeping and insulate the application from these details. Was the user who you were trying to help then *logged in* as their MyOpenID URL? If so, this is definitely a bug. > I am using the PHP openID lib. I'm sure this issue has came up in the > past. So far we have not heard of any problems related to the library not using delegated URLs correctly. 
Hope that helps, Josh Hoyt From j at justinburger.com Sun Feb 11 12:24:05 2007 From: j at justinburger.com (Justin Burger) Date: Sun, 11 Feb 2007 12:24:05 -0800 Subject: MyOpenID.com, mapped to another domain. In-Reply-To: <34714aad0702111219kcc1f08k6bd96b9cd23fdfeb@mail.gmail.com> References: <2705B1B2-4C19-4F52-BFFF-B6B29FA42CCB@justinburger.com> <34714aad0702111219kcc1f08k6bd96b9cd23fdfeb@mail.gmail.com> Message-ID: Correct; The He attempted to login with his delegate, but my site received back his myopenID username, NOT his domain that he originally attempted to login with. On Feb 11, 2007, at 12:19 PM, Josh Hoyt wrote: > Justin, > > On 2/11/07, Justin Burger wrote: >> I had a user email in this week and say that they had their openID (a >> myopenID) mapped to their own personal domain, but when they >> attempted to login to my site with the personal domain the response >> my site got was their myopenID, NOT their domain. >> >> I confirmed this; is there another field that show's delegates? > > In OpenID 1 (the currently deployed version), the MyOpenID URL is the > only one that should be present in the response. It's the > responsibility of the OpenID Consumer to keep track of the original > identifier and restore it after it gets a response from the OpenID > server via the return URL. The JanRain OpenID libraries all try to > take care of this bookkeeping and insulate the application from these > details. > > Was the user who you were trying to help then *logged in* as their > MyOpenID URL? If so, this is definitely a bug. > >> I am using the PHP openID lib. I'm sure this issue has came up in the >> past. > > So far we have not heard of any problems related to the library not > using delegated URLs correctly. 
> > Hope that helps, > Josh Hoyt > > _______________________________________________ > Dev mailing list > Dev at lists.openidenabled.com > http://lists.openidenabled.com/mailman/listinfo/dev From josh at janrain.com Sun Feb 11 13:57:07 2007 From: josh at janrain.com (Josh Hoyt) Date: Sun, 11 Feb 2007 13:57:07 -0800 Subject: MyOpenID.com, mapped to another domain. In-Reply-To: References: <2705B1B2-4C19-4F52-BFFF-B6B29FA42CCB@justinburger.com> <34714aad0702111219kcc1f08k6bd96b9cd23fdfeb@mail.gmail.com> Message-ID: <34714aad0702111357k632e190dq6c89defb294c4166@mail.gmail.com> On 2/11/07, Justin Burger wrote: > He attempted to login with his delegate, but my site received > back his myopenID username, NOT his domain that he originally > attempted to login with. Since we've not run into this before, can you give us some details about your installation and the transaction? As much of the following as possible: * The user's URL that they used to try to sign in * If it's public, the site that you are running * The browser that that user is using * Your platform: * PHP version * OpenID library version * The application that's using the library Do you know if this person has had this problem with other sites as well? Josh From atrus at atrus.org Tue Feb 13 21:38:32 2007 From: atrus at atrus.org (Nikolas Coukouma) Date: Wed, 14 Feb 2007 00:38:32 -0500 Subject: PHP 1.2.1 lib: bugs for ParseHTML.php in Yadis and detect.php in OpenID's examples Message-ID: <45D2A058.2000604@atrus.org> Audra Johnson wrote: > #1 -- Services/Yadis/Yadis.php needs to be included in detect.php > Which can be fixed by including the line > > include 'Services/Yadis/Yadis.php'; The other files included by detect.php are checked for errors. While $_file3 could be added, a loop seems like the better solution. http://www.atrus.org/hosted/openid/php/1.2.1/fix-detect.diff I used the "shut up operator" to silence warnings. 
The lack of this in the original might have been so that warnings would be printed, but they shouldn't be relied upon... It might make sense to list the missing files. http://www.atrus.org/hosted/openid/php/1.2.1/fix-detect2.diff > #2 & 3 -- The ParseHTML.php has some problems > > I was running into a lot of problems with certain LiveJournal users > being unable to verify because the parser wasn't finding the X-XRDS- > Location meta tag (which existed), and they revealed some issues with > the HTML parser under PHP 5.2.0 (but not 4.4.4). Prior to PHP version 5.2.0, there wasn't a pcre.recursion_limit or pcre.backtrack_limit. Both of these correspond to PCRE limits (recursion_limit corresponds to PCRE_EXTRA_MATCH_LIMIT_RECURSION and backtrack_limit to PCRE_EXTRA_MATCH_LIMIT) that can be set at compile time (usually aren't) or at run-time (not by default). So, PHP 5.2.0+ adds limits that weren't there before. The default is to keep recursing until there's no more stack space and backtrack as much as needed. > Upping the > pcre.recursion_limit and pcre.backtrack_limit settings from 100,000 > to 160,000 seemed to do the trick on most of them, although not all, > but that solution made me uncomfortable--those settings have never > been too restrictive on me before, and so I did some monkeying around > with the file and ended up adding one line and changing another. I'm > pretty sure one of these is a bug, although the other may not be. > The diff is here: http://audrajohnson.com/openid/ParseHTML.diff I took a look at this and ended up doing a major overhaul. http://www.atrus.org/hosted/openid/php/1.2.1/fix-parser.diff because the changes are so massive, here's the new file for easier viewing: http://www.atrus.org/hosted/openid/php/1.2.1/ParseHTML.txt http://www.atrus.org/hosted/openid/php/1.2.1/ParseHTML.phps Without any alteration, ParseHTML.php works on http://missbabyblue.livejournal.com/ with pcre.recursion_limit and pcre.backtrack_limit set 7000. 
With Audra's minor changes, it requires about 5000 (1.4x improvement). Using my overhaul, it works as low as 200 (35x improvement). I did my tests with: PHP Version 5.2.1 (cli) PCRE Library Version 6.7 04-Jul-2006 I'm not sure why there's such a discrepancy between her values and mine. Regards, -Nikolas From cygnus at janrain.com Wed Feb 14 11:04:36 2007 From: cygnus at janrain.com (Jonathan Daugherty) Date: Wed, 14 Feb 2007 11:04:36 -0800 Subject: PHP 1.2.1 lib: bugs for ParseHTML.php in Yadis and detect.php in OpenID's examples In-Reply-To: <45D2A058.2000604@atrus.org> References: <45D2A058.2000604@atrus.org> Message-ID: <20070214190436.GN4082@janrain.com> # Audra Johnson wrote: # > #1 -- Services/Yadis/Yadis.php needs to be included in detect.php # > Which can be fixed by including the line # > # > include 'Services/Yadis/Yadis.php'; # # The other files included by detect.php are checked for errors. While # $_file3 could be added, a loop seems like the better solution. # http://www.atrus.org/hosted/openid/php/1.2.1/fix-detect.diff Actually, Services/Yadis/Yadis.php isn't listed because the Yadis code is no longer distributed as a separate package. Incidentally, it's still a good idea to make sure it's installed, because if users don't use PEAR to install the package, the Services/ directory might be missed. Another possibility is that the PEAR installer is broken, which has happened frequently. Thank you for the patch! # I used the "shut up operator" to silence warnings. The lack of this # in the original might have been so that warnings would be printed, # but they shouldn't be relied upon... It might make sense to list the # missing files. Thanks again. 
# > Upping the pcre.recursion_limit and pcre.backtrack_limit settings # > from 100,000 to 160,000 seemed to do the trick on most of them, # > although not all, but that solution made me uncomfortable--those # > settings have never been too restrictive on me before, and so I # > did some monkeying around with the file and ended up adding one # > line and changing another. I'm pretty sure one of these is a bug, # > although the other may not be. The diff is here: # > http://audrajohnson.com/openid/ParseHTML.diff Thanks for the detailed explanation. # because the changes are so massive, here's the new file for easier # viewing: # http://www.atrus.org/hosted/openid/php/1.2.1/ParseHTML.txt # http://www.atrus.org/hosted/openid/php/1.2.1/ParseHTML.phps # # Without any alteration, ParseHTML.php works on # http://missbabyblue.livejournal.com/ # with pcre.recursion_limit and pcre.backtrack_limit set 7000. With # Audra's minor changes, it requires about 5000 (1.4x # improvement). Using my overhaul, it works as low as 200 (35x # improvement). # # I did my tests with: # PHP Version 5.2.1 (cli) # PCRE Library Version 6.7 04-Jul-2006 That's great. I'd be very happy to see these improvements integrated. Thanks for your work on this! I installed your ParseHTML code and ran our test suite. The tests failed when parsing the following four HTML documents, with expected results indicated. The code returned "found" in all four cases, whereas the expected return was null. 1. Expected result: nothing, as there is no HTML or HEAD tag. 2. Expected result: nothing, as there is no HEAD tag. 3. Expected result: nothing, since the tags are reversed. 4. Expected result: nothing, as the head tag is empty. 
I can eventually get around to debugging these, but in the mean time you can run the test suite on the HTML parsing tests in particular by running: openid$ php admin/texttest.php ParseHTML You'll get some output like: ========================================== Test suite: Tests_Services_Yadis_Parse ------------------------------------------ ..............FF.F..F.. Ran 23 tests in 0.029 seconds with 0 errors, 4 failures ========================================== (in addition to details about the tests which failed.) You'll need PHPUnit 1.x to run the tests. I currently use 1.3.2. (That's ancient, but we've had trouble with newer versions.) If there's anything else I can do, let me know. Thanks again! -- Jonathan Daugherty JanRain, Inc. irc.freenode.net: cygnus in #openid cygnus.myopenid.com From atrus at atrus.org Wed Feb 14 17:35:12 2007 From: atrus at atrus.org (Nikolas Coukouma) Date: Wed, 14 Feb 2007 20:35:12 -0500 Subject: PHP 1.2.1 lib: bugs for ParseHTML.php in Yadis and detect.php in OpenID's examples In-Reply-To: <20070214190436.GN4082@janrain.com> References: <45D2A058.2000604@atrus.org> <20070214190436.GN4082@janrain.com> Message-ID: On 2/14/07, Jonathan Daugherty wrote: > I installed your ParseHTML code and ran our test suite. The tests > failed when parsing the following four HTML documents, with expected > results indicated. The code returned "found" in all four cases, > whereas the expected return was null. I don't think these four tests are sensible. The original parser falls far short of actually ensuring validity (e.g. allows the omission of opening and doesn't check Content-Type header). It doesn't seem right for a basic Yadis implementation to act as a validator anyway. My parser does enough to prevent abuse (e.g. posting a meta tag in a blog comment) and favors speed in the vast majority of cases over more thorough checking. 
I can make the modifications needed for it to pass the test, but I thought I'd at least explain why before I spent the time on it. Cheers, -Nikolas From cygnus at janrain.com Wed Feb 14 20:56:37 2007 From: cygnus at janrain.com (Jonathan Daugherty) Date: Wed, 14 Feb 2007 20:56:37 -0800 Subject: PHP 1.2.1 lib: bugs for ParseHTML.php in Yadis and detect.php in OpenID's examples In-Reply-To: References: <45D2A058.2000604@atrus.org> <20070214190436.GN4082@janrain.com> Message-ID: <20070215045636.GR4082@janrain.com> # I don't think these four tests are sensible. The original parser # falls far short of actually ensuring validity (e.g. allows the # omission of opening and doesn't check Content-Type header). On the contrary, the point of those four tests (and others) is to prevent the parser from letting me post a comment to someone's blog with a META tag in it. We don't want or need to enforce validity, but we do need to be able to behave sanely in the presence of a seriously-malformed document. If the blog author's code generates a document that looks like the four aforementioned cases and I post that comment, the URL suddenly has one or more Yadis location instructions. Indeed, we'd love to get more test cases in there that prevent the same kind of exploit. -- Jonathan Daugherty JanRain, Inc. irc.freenode.net: cygnus in #openid cygnus.myopenid.com From tinywizard.nz at gmail.com Thu Feb 15 00:46:18 2007 From: tinywizard.nz at gmail.com (Phil Y) Date: Thu, 15 Feb 2007 21:46:18 +1300 Subject: PHP and "OpenID authentication failed: Bad signature" Message-ID: Please can I request a feature to be added to detect.php. I'm using php 4.3.9 on RH EL4, and the example program fails with the error "OpenID authentication failed: Bad signature". Can you please add a function to test the encryption functions of OpenID; 1. for a fixed assoc_handle, make sure secret key is correct. 2. for a test token_contents value, make sure the signature is calculated correctly. 
This little test would have saved me hours locating the cause of the problem (it works fine on a FC3 machine) Cheers, Phil. From kevin at radagast.biz Thu Feb 15 01:10:43 2007 From: kevin at radagast.biz (Kevin Jardine) Date: Thu, 15 Feb 2007 10:10:43 +0100 Subject: PHP and "OpenID authentication failed: Bad signature" In-Reply-To: References: Message-ID: <45D42393.7030606@radagast.biz> I agree that this would also be useful. I also spent hours tracking down a "bad signature" problem that turned out to be caused by a bad GMP (integer math) library. Unfortunately, bad GMP libraries (or bad GMP bindings to PHP) are very common, as the GMP site itself admits: "It has come to the point where a compiler should be assumed to miscompile GMP", see http://www.swox.com/gmp/. A bit of sanity checking when OpenID runs could make things much easier. Cheers, Kevin Phil Y wrote: > Please can I request a feature to be added to detect.php. > > I'm using php 4.3.9 on RH EL4, and the example program fails with the error > "OpenID authentication failed: Bad signature". > > Can you please add a function to test the encryption functions of OpenID; > 1. for a fixed assoc_handle, make sure secret key is correct. > 2. for a test token_contents value, make sure the signature is calculated > correctly. > > This little test would have saved me hours locating the cause of the > problem (it works fine on a FC3 machine) > > Cheers, > Phil. 
> > > ------------------------------------------------------------------------ > > _______________________________________________ > Dev mailing list > Dev at lists.openidenabled.com > http://lists.openidenabled.com/mailman/listinfo/dev -- Kevin Jardine Radagast Solutions Internet campaign advice and magic http://radagast.biz YIM: kevinjardine Skype: kevinjardine Eml: kevin at radagast.biz Tel: +31 (0)6 25581608 From patrick.stadler at amiado.com Thu Feb 15 02:34:58 2007 From: patrick.stadler at amiado.com (Patrick Stadler) Date: Thu, 15 Feb 2007 11:34:58 +0100 Subject: [Solved] Script timeout in Auth_OpenID_MathLibrary::rand() Message-ID: <82452A9F-AD46-4F08-B922-C2A17F8E2193@amiado.com> If your internal character encoding is set to UTF-8 the script might fail to generate keys for association. Changing it to iso-8859-1 fixes the problem. http://php.net/manual/en/function.mb-internal-encoding.php Regs, Patrick From norman at rasmussen.co.za Thu Feb 15 04:59:34 2007 From: norman at rasmussen.co.za (Norman Rasmussen) Date: Thu, 15 Feb 2007 14:59:34 +0200 Subject: [Solved] Script timeout in Auth_OpenID_MathLibrary::rand() In-Reply-To: <82452A9F-AD46-4F08-B922-C2A17F8E2193@amiado.com> References: <82452A9F-AD46-4F08-B922-C2A17F8E2193@amiado.com> Message-ID: <5b698f5a0702150459qfcc7e5dre7dc706dd8467f7b@mail.gmail.com> On 2/15/07, Patrick Stadler wrote: > If your internal character encoding is set to UTF-8 the script might > fail to generate keys for association. > Changing it to iso-8859-1 fixes the problem. On the host used for openid.xmpp.za.net, mb_internal_encoding() returns 'pass'. I'm now forcing it to ISO-8859-1 in the config file, and we shall see if it fixes the random log in failures. 
-- - Norman Rasmussen - Email: norman at rasmussen.co.za - Home page: http://norman.rasmussen.co.za/ From josh at janrain.com Thu Feb 15 06:38:25 2007 From: josh at janrain.com (Josh Hoyt) Date: Thu, 15 Feb 2007 06:38:25 -0800 Subject: PHP and "OpenID authentication failed: Bad signature" In-Reply-To: References: Message-ID: <34714aad0702150638o33ac4d55w188559f5685b4668@mail.gmail.com> On 2/15/07, Phil Y wrote: > Can you please add a function to test the encryption functions of OpenID; > 1. for a fixed assoc_handle, make sure secret key is correct. > 2. for a test token_contents value, make sure the signature is calculated > correctly. Oh, the joys of PHP. I'm glad that you managed to track down the problem. I think that rather than trying to put in ad-hoc tests in the detect script, we should make it easier to run the extensive unit test suite (that already tests all the individual bits). You can run it from the command line by running "php admin/runtests" from the root of the unpacked sources. Josh From atrus at atrus.org Fri Feb 16 02:40:33 2007 From: atrus at atrus.org (Nikolas Coukouma) Date: Fri, 16 Feb 2007 05:40:33 -0500 Subject: PHP 1.2.1 lib: bugs for ParseHTML.php in Yadis and detect.php in OpenID's examples In-Reply-To: <20070215045636.GR4082@janrain.com> References: <45D2A058.2000604@atrus.org> <20070214190436.GN4082@janrain.com> <20070215045636.GR4082@janrain.com> Message-ID: On 2/14/07, Jonathan Daugherty wrote: > # I don't think these four tests are sensible. The original parser > # falls far short of actually ensuring validity (e.g. allows the > # omission of opening and doesn't check Content-Type header). > > On the contrary, the point of those four tests (and others) is to > prevent the parser from letting me post a comment to someone's blog > with a META tag in it. We don't want or need to enforce validity, but > we do need to be able to behave sanely in the presence of a > seriously-malformed document. 
If the blog author's code generates a > document that looks like the four aforementioned cases and I post that > comment, the URL suddenly has one or more Yadis location > instructions. Indeed, we'd love to get more test cases in there that > prevent the same kind of exploit. I've done another overhaul to deal with all the cases present in the library. This was made more troublesome due to PHPUnit 1.x no longer being available. I actually wrote my own test script and copied and pasted all the cases. I also wasn't aware that the test scripts needed to be checked out of the repository. Fortunately I'm familiar with Google and darcs, so it wasn't much trouble to find and get them. The automatic test-on-record failed miserably with a spew of errors unrelated to my code, so I had to pass in --no-test. Hopefully things are better on your end. I sent a darcs patch bundle, but here's links again: http://www.atrus.org/hosted/openid/php/1.2.1/fix-parser2.diff http://www.atrus.org/hosted/openid/php/1.2.1/ParseHTML.phps http://www.atrus.org/hosted/openid/php/1.2.1/ParseHTML.txt In addition to passing all existing test cases, it also adds some additional automatic body detection (via common content tags, e.g. a, p, div) and love for frames. Attribute parsing is also more flexible: old parser: fo new: fo"und Firefox produces the same result. 
My test set: http://www.atrus.org/hosted/openid/php/1.2.1/test.phps http://www.atrus.org/hosted/openid/php/1.2.1/test.txt (I was too lazy to deal with PHPUnit when something so simple would do) Cheers, -Nikolas From atrus at atrus.org Fri Feb 16 14:24:10 2007 From: atrus at atrus.org (Nikolas Coukouma) Date: Fri, 16 Feb 2007 17:24:10 -0500 Subject: PHP 1.2.1 lib: bugs for ParseHTML.php in Yadis and detect.php in OpenID's examples In-Reply-To: References: <45D2A058.2000604@atrus.org> <20070214190436.GN4082@janrain.com> <20070215045636.GR4082@janrain.com> Message-ID: On 2/16/07, Nikolas Coukouma wrote: > I've done another overhaul to deal with all the cases present in the > library. (snip) > I sent a darcs patch bundle, but here's links again: > http://www.atrus.org/hosted/openid/php/1.2.1/fix-parser2.diff > http://www.atrus.org/hosted/openid/php/1.2.1/ParseHTML.phps > http://www.atrus.org/hosted/openid/php/1.2.1/ParseHTML.txt (snip) I did some testing on LiveJournal and found that the original parser failed miserably, even with the limits increased four million times higher than the defaults (100000*4000000). audra's: spent 5.98336529732 seconds parsing avg of 0.0274466298042 seconds per journal my latest: spent 0.746465682983 seconds parsing avg of 0.0034241545091 seconds per journal An order of magnitude improvement is nice. Cheers, -Nikolas From cygnus at janrain.com Fri Feb 16 15:15:01 2007 From: cygnus at janrain.com (Jonathan Daugherty) Date: Fri, 16 Feb 2007 15:15:01 -0800 Subject: PHP 1.2.1 lib: bugs for ParseHTML.php in Yadis and detect.php in OpenID's examples In-Reply-To: References: <45D2A058.2000604@atrus.org> <20070214190436.GN4082@janrain.com> <20070215045636.GR4082@janrain.com> Message-ID: <20070216231500.GA5256@janrain.com> # I've done another overhaul to deal with all the cases present in the # library. Thanks! # This was made more troublesome due to PHPUnit 1.x no longer being # available. It's available, but you kinda have to dig for it. 
http://pear.phpunit.de/get/ # The automatic test-on-record failed miserably with a spew of errors # unrelated to my code, so I had to pass in --no-test. Hopefully # things are better on your end. The tests passed when I ran them. If you could mail me the errors off-list, I'd be glad to take a look and apply any fixes that would help run the tests on other systems. # I sent a darcs patch bundle, but here's links again: Thanks for the darcs bundle. It applied cleanly. -- Jonathan Daugherty JanRain, Inc. irc.freenode.net: cygnus in #openid cygnus.myopenid.com From tarmstrong at gmail.com Tue Feb 20 02:45:23 2007 From: tarmstrong at gmail.com (thomas Armstrong) Date: Tue, 20 Feb 2007 11:45:23 +0100 Subject: How to create a very simple script to test PHP library? Message-ID: Hi. With PHP 4.3.11 on Linux, I want to create a very simple script to test the OpenID PHP library. I did these steps: []# pear install http://www.openidenabled.com/resources/downloads/php-openid/pear/Auth_OpenID-1.2.1.tgz []# pear install http://www.openidenabled.com/resources/downloads/php-yadis/pear/Services_Yadis-1.0.2.tgz I downloaded the tar.gz files from: http://www.openidenabled.com/openid/libraries/php/download http://www.openidenabled.com/yadis/libraries/php/download-php-yadis-library I created two directories: /home/tim/openid/ /home/tim/yadis/ with all the downloaded contents. And I created an Apache VirtualHost (http://openid) launching in '/home/tim/openid/examples/', but when trying to access 'http://openid/detect.php', I get this error message: -------- Fatal error: Undefined class name 'services_yadis_yadis' in /home/tim/openid/examples/detect.php on line 38 -------- Does anybody know a very simple script to test this PHP library. I want to create an OpenID server to serve OpenID URLs. Thank you very much. 
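For the META-tag injection concern raised in the ParseHTML thread above, here is an added example (not the library's ParseHTML.php and not code from any poster) of a strict scanner that honours an X-XRDS-Location META only inside `<html><head>`. The function names and the sample documents are constructed for illustration; the four rejected shapes follow the expected results listed in that thread.

```php
<?php
// Added example, not the library's ParseHTML.php. Strict by design: a META
// tag counts only inside <html><head>, so markup injected into the body
// (a blog comment, say) can never supply a Yadis location.

// Parse an attribute string into a lower-cased name => value map.
function attr_map($attrs)
{
    $re = '/([a-z][-a-z0-9]*)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'>]+))/i';
    preg_match_all($re, $attrs, $sets, PREG_SET_ORDER);
    $map = array();
    foreach ($sets as $a) {
        // Unmatched trailing groups are omitted, so test from the right.
        $val = isset($a[4]) ? $a[4] : (isset($a[3]) ? $a[3] : $a[2]);
        $key = strtolower($a[1]);
        if (!isset($map[$key])) {            // first occurrence wins
            $map[$key] = html_entity_decode($val, ENT_QUOTES);
        }
    }
    return $map;
}

// Returns the X-XRDS-Location URL, or null when the document does not
// carry one in a well-placed head. Scans with strpos(), one tag at a time,
// so there is no document-wide regex to exhaust PCRE limits.
function find_xrds_location($html)
{
    $tag = '/<(\/?)([a-z][a-z0-9]*)((?:"[^"]*"|\'[^\']*\'|[^>"\'])*)>/Ai';
    $head_ok = array('title', 'meta', 'link', 'base', 'style', 'script', 'noscript');
    $raw_text = array('title', 'style', 'script');   // contents are not markup
    $state = 'start';                                 // start -> html -> head
    $pos = 0;
    while (($lt = strpos($html, '<', $pos)) !== false) {
        if (substr($html, $lt, 4) === '<!--') {       // skip comments whole
            $end = strpos($html, '-->', $lt + 4);
            if ($end === false) {
                return null;
            }
            $pos = $end + 3;
            continue;
        }
        if (!preg_match($tag, $html, $m, 0, $lt)) {   // doctype, prolog, stray '<'
            $pos = $lt + 1;
            continue;
        }
        $pos = $lt + strlen($m[0]);
        $name = strtolower($m[2]);
        $closing = ($m[1] === '/');
        $selfclosed = (substr(rtrim($m[3]), -1) === '/');

        if ($state === 'start') {
            if ($name !== 'html' || $closing) {
                return null;                          // first element must be <html>
            }
            $state = 'html';
        } elseif ($state === 'html') {
            if ($name !== 'head' || $closing || $selfclosed) {
                return null;                          // next must be a non-empty <head>
            }
            $state = 'head';
        } else {
            if (!in_array($name, $head_ok)) {
                return null;                          // </head>, <body>, anything else
            }
            if ($closing) {
                continue;
            }
            if (in_array($name, $raw_text) && !$selfclosed) {
                $end = stripos($html, '</' . $name, $pos);
                if ($end === false) {
                    return null;
                }
                $pos = $end;                          // resume at the closing tag
                continue;
            }
            if ($name === 'meta') {
                $a = attr_map($m[3]);
                if (isset($a['http-equiv'], $a['content'])
                    && strtolower($a['http-equiv']) === 'x-xrds-location') {
                    return $a['content'];
                }
            }
        }
    }
    return null;
}

// Constructed sample documents: one accepted, five rejected.
$meta = '<meta http-equiv="X-XRDS-Location" content="http://example.com/xrds">';
$docs = array(
    'meta inside head'      => "<html><head><title>t</title>$meta</head><body></body></html>",
    'no html or head tag'   => $meta,
    'no head tag'           => "<html>$meta</html>",
    'head and html swapped' => "<head><html>$meta</html></head>",
    'empty head tag'        => "<html><head/>$meta</html>",
    'meta posted in body'   => "<html><head></head><body><p>hi $meta</p></body></html>",
);
foreach ($docs as $label => $doc) {
    echo str_pad($label, 24), var_export(find_xrds_location($doc), true), "\n";
}
```

Only the first document yields a location; the scanner deliberately rejects documents that a browser would repair, since a repaired document is exactly where injected body markup could end up treated as head content.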
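For the "Bad signature" reports above (the request for a fixed-secret signature check, the bad GMP builds, and the encoding fix), here is an added stand-alone self-test, not part of the PHP OpenID library, that exercises the primitives an OpenID 1 signature depends on. The secret, field values and exponents are constructed, the 127-bit prime stands in for the much larger Diffie-Hellman modulus, and the byte-length check targets mbstring function overloading, which is an assumed mechanism behind the encoding fix rather than something the thread confirms.

```php
<?php
// Added example, not part of the PHP OpenID library (needs PHP 5 or later).
// It checks what an OpenID 1 signature depends on: byte-wise string
// functions, HMAC-SHA1, and big-integer modular exponentiation.

// RFC 2104 HMAC-SHA1 built from sha1() alone, to cross-check hash_hmac().
function manual_hmac_sha1($key, $data)
{
    if (strlen($key) > 64) {
        $key = sha1($key, true);             // over-long keys are hashed first
    }
    $key = str_pad($key, 64, "\x00");
    $inner = sha1(($key ^ str_repeat("\x36", 64)) . $data, true);
    return sha1(($key ^ str_repeat("\x5c", 64)) . $inner, true);
}

// OpenID 1 token_contents: one "key:value\n" line per signed field, in order.
function token_contents($fields, $signed)
{
    $out = '';
    foreach ($signed as $name) {
        $out .= $name . ':' . $fields[$name] . "\n";
    }
    return $out;
}

// Modular exponentiation on decimal strings with the named extension.
function powm($ext, $base, $exp, $mod)
{
    if ($ext === 'gmp') {
        return gmp_strval(gmp_powm(gmp_init($base, 10), gmp_init($exp, 10),
                                   gmp_init($mod, 10)), 10);
    }
    return bcpowmod($base, $exp, $mod, 0);
}

// Returns check name => true (pass), false (fail) or null (skipped).
function run_checks()
{
    $r = array();

    // 1. Binary data must be measured in bytes, not characters.
    $r['strlen/substr are byte-wise'] =
        strlen("\xC3\xA9\x00\xFF") === 4 && substr("\xC3\xA9", 1, 1) === "\xA9";

    // 2. HMAC-SHA1 known answers: RFC 2202 test cases 1 and 2.
    $kat = array(
        array(str_repeat("\x0b", 20), 'Hi There',
              'b617318655057264e28bc0b6fb378c8ef146be00'),
        array('Jefe', 'what do ya want for nothing?',
              'effcdf6ae5eb2fa2d27416d5f184df9c259a7c79'),
    );
    $ok = true;
    foreach ($kat as $t) {
        $ok = $ok && bin2hex(manual_hmac_sha1($t[0], $t[1])) === $t[2];
        if (function_exists('hash_hmac')) {
            $ok = $ok && hash_hmac('sha1', $t[1], $t[0]) === $t[2];
        }
    }
    $r['HMAC-SHA1 known answers'] = $ok;

    // 3. Signature over constructed fields with a fixed, constructed secret.
    $secret = str_repeat("\x01", 20);
    $fields = array('mode' => 'id_res',
                    'identity' => 'http://example.com/user',
                    'return_to' => 'http://rp.example.com/finish');
    $token = token_contents($fields, array('mode', 'identity', 'return_to'));
    $sig = base64_encode(manual_hmac_sha1($secret, $token));
    $r['openid.sig reproducible'] = strlen(base64_decode($sig)) === 20
        && (!function_exists('hash_hmac')
            || base64_encode(hash_hmac('sha1', $token, $secret, true)) === $sig);

    // 4. Modular exponentiation, which Diffie-Hellman association relies on.
    $p   = '170141183460469231731687303715884105727';   // 2^127 - 1, a prime
    $pm1 = '170141183460469231731687303715884105726';
    $x = '123456789012345678901234567890';               // constructed exponents
    $y = '987654321098765432109876543210';
    $pub = array();
    foreach (array('gmp', 'bcmath') as $ext) {
        if (!extension_loaded($ext)) {
            $r["$ext modexp"] = null;
            continue;
        }
        $pub[$ext] = powm($ext, '2', $x, $p);
        $r["$ext modexp"] =
            powm($ext, '3', $pm1, $p) === '1'            // Fermat's little theorem
            && powm($ext, $pub[$ext], $y, $p)            // (g^x)^y == (g^y)^x
               === powm($ext, powm($ext, '2', $y, $p), $x, $p);
    }
    $r['gmp and bcmath agree'] = count($pub) === 2
        ? $pub['gmp'] === $pub['bcmath'] : null;

    return $r;
}

foreach (run_checks() as $name => $ok) {
    echo str_pad($name, 30), $ok === null ? 'skipped' : ($ok ? 'PASS' : 'FAIL'), "\n";
}
```

Run it with the same PHP binary and configuration that serves the consumer or server, since a command-line PHP with different extensions or ini settings can pass where the web server's PHP fails.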
From tarmstrong at gmail.com Tue Feb 20 04:14:29 2007 From: tarmstrong at gmail.com (thomas Armstrong) Date: Tue, 20 Feb 2007 13:14:29 +0100 Subject: How to create a very simple script to test PHP library? In-Reply-To: References: Message-ID: I've got my PHP installed with these libraries: - libcurl/7.12.3 zlib/1.2.1.2 - gmp-4.2.1 On 2/20/07, thomas Armstrong wrote: > Hi. > > With PHP 4.3.11 on Linux, I want to create a very simple script to > test the OpenID PHP library. > > I did these steps: > []# pear install > http://www.openidenabled.com/resources/downloads/php-openid/pear/Auth_OpenID-1.2.1.tgz > []# pear install > http://www.openidenabled.com/resources/downloads/php-yadis/pear/Services_Yadis-1.0.2.tgz > > I downloaded the tar.gz files from: > http://www.openidenabled.com/openid/libraries/php/download > http://www.openidenabled.com/yadis/libraries/php/download-php-yadis-library > > I created two directories: > /home/tim/openid/ > /home/tim/yadis/ > with all the downloaded contents. > > And I created an Apache VirtualHost (http://openid) launching in > '/home/tim/openid/examples/', but when trying to access > 'http://openid/detect.php', I get this error message: > -------- > Fatal error: Undefined class name 'services_yadis_yadis' in > /home/tim/openid/examples/detect.php on line 38 > -------- > > Does anybody know a very simple script to test this PHP library. I > want to create an OpenID server to serve OpenID URLs. > > Thank you very much. > From cygnus at janrain.com Wed Feb 21 10:42:15 2007 From: cygnus at janrain.com (Jonathan Daugherty) Date: Wed, 21 Feb 2007 10:42:15 -0800 Subject: How to create a very simple script to test PHP library? In-Reply-To: References: Message-ID: <20070221184215.GG5256@janrain.com> # With PHP 4.3.11 on Linux, I want to create a very simple script to # test the OpenID PHP library. 
# # I did these steps: # []# pear install # http://www.openidenabled.com/resources/downloads/php-openid/pear/Auth_OpenID-1.2.1.tgz # []# pear install # http://www.openidenabled.com/resources/downloads/php-yadis/pear/Services_Yadis-1.0.2.tgz Installing the Services_Yadis package will likely break (or at least confuse) PHP when those files are included. That package is no longer needed. (This is not the first time someone has mistakenly installed it, so I'm going to completely remove it from our web site as I should have done.) # I created two directories: # /home/tim/openid/ # /home/tim/yadis/ # with all the downloaded contents. If you installed the packages with PEAR, this step isn't necessary. # And I created an Apache VirtualHost (http://openid) launching in # '/home/tim/openid/examples/', but when trying to access # 'http://openid/detect.php', I get this error message: # -------- # Fatal error: Undefined class name 'services_yadis_yadis' in # /home/tim/openid/examples/detect.php on line 38 # -------- This just means that A) the include_path is wrong and doesn't include the installed location of the OpenID package or B) the path is correct, and the package isn't installed in the usual location. -- Jonathan Daugherty JanRain, Inc. irc.freenode.net: cygnus in #openid cygnus.myopenid.com From goutamd at anshinsoft.com Thu Feb 22 03:21:44 2007 From: goutamd at anshinsoft.com (Goutam Dey) Date: Thu, 22 Feb 2007 16:51:44 +0530 Subject: OpenID Custom Extension Message-ID: <20070222112139.E6DEF20727@mail.in.anshinsoft.com> Hi, I was just trying to implement an IDP. I found that at present OpenId library support sreg namespace only. ( janrain server code base). I found that in the consumer code namespace is handled in a generic way for extendibility. I need to know the following things: 1> What other semantic formats you are planning to support in future? 2> How and what about the custom namespace? 
3> As some signature of the namespace is coming from the library why it is not made available as an abstract in the library? And if planned when we could get this abstraction in the library? 4> In the library could we expect any abstraction of request and response objects for communication between IDP and RP? Hope to listen from you soon. Regards, Goutam From sam.alexander at vidoop.com Thu Feb 22 14:42:12 2007 From: sam.alexander at vidoop.com (Sam Alexander) Date: Thu, 22 Feb 2007 16:42:12 -0600 Subject: index.php/serve over FastCGI problem Message-ID: <45DE1C44.40807@vidoop.com> I've run into the same problem, and apparently it lies in a PHP bug having to do with the Path_info Environment Variable not working when php is run as a fastcgi. The problem is that the "out-of-box" server uses Path_Info to send/read variables, but when run as fastcgi, Path_Info is empty in php. There is a fix. Add: cgi.fix_pathinfo = 1 to your php.ini. This will bypass the Path_info problem. I've still yet to get my ID server running, so it may just be a bandaid on a bigger issue, but it will at least get you to the next step. Hello. I'm using nginx webserver and PHP/fastcgi to run OpenID server. I encountered problem when user requests an URI like page.php/path?param=value. It doesn't get served by PHP. Possibly it is a httpd-php connection problem but either way... is this thing really a must? Can I change index.php/serve to something like index.php?serve=1 in all files? (With changing index.php request handlers 'if' statement as well). Won't this break compatibility with OpenID clients? -- 
mailto:l4igem2 at list.ru ICQ: 145-542-767 From cygnus at janrain.com Fri Feb 23 10:09:35 2007 From: cygnus at janrain.com (Jonathan Daugherty) Date: Fri, 23 Feb 2007 10:09:35 -0800 Subject: index.php/serve over FastCGI problem In-Reply-To: <45DE1C44.40807@vidoop.com> References: <45DE1C44.40807@vidoop.com> Message-ID: <20070223180935.GG12965@janrain.com> # I've run into the same problem, and apparently it lies in a PHP bug # having to do with the Path_info Environment Variable not working # when php is run as a fastcgi. The problem is that the "out-of-box" # server uses Path_Info to send/read variables, but when run as # fastcgi, Path_Info is empty in php. # # There is a fix. Add: # # cgi.fix_pathinfo = 1 Thanks! I'll add this to the README. -- Jonathan Daugherty JanRain, Inc. irc.freenode.net: cygnus in #openid cygnus.myopenid.com From sam.alexander at vidoop.com Fri Feb 23 10:30:53 2007 From: sam.alexander at vidoop.com (Sam Alexander) Date: Fri, 23 Feb 2007 12:30:53 -0600 Subject: PHP consumer - dom XML error Message-ID: <45DF32DD.4090604@vidoop.com> Hello, I am trying to set up the example consumer, but in the try_auth.php portion of the example consumer, I am running into this error: *Warning*: domdocument::domdocument() expects at least 1 parameter, 0 given in *Path\To\Pear\Services\Yadis\XML.php* on line *226* I am running PHP 5.2.1 on Windows Server 2003 IIS. I have dom and domxml both enabled. From sam.alexander at vidoop.com Fri Feb 23 10:33:52 2007 From: sam.alexander at vidoop.com (Sam Alexander) Date: Fri, 23 Feb 2007 12:33:52 -0600 Subject: PHP consumer - dom XML error In-Reply-To: <45DF32DD.4090604@vidoop.com> References: <45DF32DD.4090604@vidoop.com> Message-ID: <45DF3390.40703@vidoop.com> I actually fixed this by disabling domxml. The pear Yadis is incompatible with domxml? Is this supposed to be true? 
Sam Alexander wrote: > Hello, > > I am trying to set up the example consumer, but in the try_auth.php > portion of the example consumer, I am running into this error: > > > *Warning*: domdocument::domdocument() expects at least 1 parameter, 0 > given in *Path\To\Pear\Services\Yadis\XML.php* on line *226* > > I am running PHP 5.2.1 on Windows Server 2003 IIS. I have dom and > domxml both enabled. > From cygnus at janrain.com Fri Feb 23 11:09:37 2007 From: cygnus at janrain.com (Jonathan Daugherty) Date: Fri, 23 Feb 2007 11:09:37 -0800 Subject: PHP consumer - dom XML error In-Reply-To: <45DF32DD.4090604@vidoop.com> References: <45DF32DD.4090604@vidoop.com> Message-ID: <20070223190937.GI12965@janrain.com> # *Warning*: domdocument::domdocument() expects at least 1 parameter, 0 # given in *Path\To\Pear\Services\Yadis\XML.php* on line *226* I'm glad that disabling domxml seems to have fixed it. The PHP docs on the 'domxml' extension are incomplete and don't say whether the DOMDocument class defined by domxml takes any required parameters. I can only assume that it does. The W3C standard doesn't define the constructor signature for DOMDocument, either. Perhaps someone else can provide more illuminating information. That aside, the library does indeed work with both the DOM and domxml extensions. The library tries to use DOM first (which it did in your case) and tries domxml if DOM isn't available. The documentation for domxml says that it is not compatible with DOM, so I would recommend disabling one or the other in any case. (It would be nice if the extensions loaded in a mutually exclusive way, but, eh.) -- Jonathan Daugherty JanRain, Inc. 
irc.freenode.net: cygnus in #openid cygnus.myopenid.com From kris at epok.net Fri Feb 23 11:49:14 2007 From: kris at epok.net (Kristofer Younger) Date: Fri, 23 Feb 2007 14:49:14 -0500 Subject: issue with Yadis and dom In-Reply-To: References: Message-ID: <078EF528-3180-48FE-B221-C50100D90950@epok.net> So I have a problem where I'm installing the openid mediawiki stuff, and when I try to login with an openid, and the wiki tries to fetch the page my url points to, it fails when it claims it cannot find an XML parser from inside the Yadis stuff. and then I diligently do a "php -i" and no, there is no "dom or domxml" in the output. it's php 4.4.4 (and it's probably too hard to upgrade just yet) Is there a way to enable domxml in php.ini? or was it something like an extension? from the looking I did, it sounded like domxml was something builtin to php 4.x.... -Kristofer kris at epok.net, 302 351 3967 (ofc) From cygnus at janrain.com Fri Feb 23 11:58:41 2007 From: cygnus at janrain.com (Jonathan Daugherty) Date: Fri, 23 Feb 2007 11:58:41 -0800 Subject: issue with Yadis and dom In-Reply-To: <078EF528-3180-48FE-B221-C50100D90950@epok.net> References: <078EF528-3180-48FE-B221-C50100D90950@epok.net> Message-ID: <20070223195841.GK12965@janrain.com> # Is there a way to enable domxml in php.ini? or was it something like # an extension? from the looking I did, it sounded like domxml was # something builtin to php 4.x.... You have to either recompile PHP or install the domxml extension using your distribution's package management system. (It's not necessarily built-in; it's just *shipped* with the PHP 4 source, and whether it's part of PHP once built will depend on whether you have XML libraries present.) -- Jonathan Daugherty JanRain, Inc. 
irc.freenode.net: cygnus in #openid cygnus.myopenid.com From cody at codymays.net Fri Feb 23 13:59:08 2007 From: cody at codymays.net (Cody Mays) Date: Fri, 23 Feb 2007 16:59:08 -0500 Subject: issue with Yadis and dom In-Reply-To: <078EF528-3180-48FE-B221-C50100D90950@epok.net> References: <078EF528-3180-48FE-B221-C50100D90950@epok.net> Message-ID: <45DF63AC.2040804@codymays.net> Kristofer Younger wrote: > So I have a problem where I'm installing the openid mediawiki stuff, > and when I try to login with an openid, and the wiki tries to fetch > the page my url points to, it fails when it claims it cannot find an > XML parser from inside the Yadis stuff. > and then I diligently do a "php -i" and no, there is no "dom or > domxml" in the output. > it's php 4.4.4 (and it's probably too hard to upgrade just yet) > > Is there a way to enable domxml in php.ini? or was it something like > an extension? from the looking I did, it sounded like domxml was > something builtin to php 4.x.... > > -Kristofer > kris at epok.net , 302 351 3967 (ofc) > > > > ------------------------------------------------------------------------ > > _______________________________________________ > Dev mailing list > Dev at lists.openidenabled.com > http://lists.openidenabled.com/mailman/listinfo/dev > Check the PHP docs. You should be able to go get a source tarball and build the extension from there. Then just install it and add the extension=foo.so line to php.ini From kevin at radagast.biz Sat Feb 24 07:57:10 2007 From: kevin at radagast.biz (Kevin Jardine) Date: Sat, 24 Feb 2007 16:57:10 +0100 Subject: Bad signature puzzle Message-ID: <45E06056.7000404@radagast.biz> I've had yet another "bad signature" problem with an OpenID installation. A debugging message confirms this: _doIdRes: sig = d3de/zAMOC6pZbG1BKtY233NQR0= v_sig = Pa7rJiewvhmmcPmJz8ISiNSKrpk= This is code moved from one PHP 4, RHEL server to another. On the first server (RHEL 3) it works, on the second server (RHEL 4) it does not. 
The ISP for the second server did a fresh install of GMP. Running "make check" for GMP returns no errors. Moreover, I ran several PHP test programs for GMP and they all passed. In previous examples of the "bad signature" error, I have found that GMP tests failed. In this case they have passed, and yet I am seeing a "bad signature" problem anyway. I deleted all associations in both the client and server databases, but still I get the error. Does anyone have a solution? Cheers, Kevin -- Kevin Jardine Radagast Solutions Internet campaign advice and magic http://radagast.biz YIM: kevinjardine Skype: kevinjardine Eml: kevin at radagast.biz Tel: +31 (0)6 25581608 From norman at rasmussen.co.za Sat Feb 24 13:24:33 2007 From: norman at rasmussen.co.za (Norman Rasmussen) Date: Sat, 24 Feb 2007 23:24:33 +0200 Subject: Bad signature puzzle In-Reply-To: <45E06056.7000404@radagast.biz> References: <45E06056.7000404@radagast.biz> Message-ID: <5b698f5a0702241324h60c5a24bmdf7de62b6d71afb5@mail.gmail.com> re: http://lists.openidenabled.com/pipermail/dev/2007-February/000278.html & http://lists.openidenabled.com/pipermail/dev/2007-February/000279.html try adding: mb_internal_encoding('ISO-8859-1') to config.php, and see if it helps. (btw: how do you enabled debug messages? and how do you reproduce this error?) On 2/24/07, Kevin Jardine wrote: > > I've had yet another "bad signature" problem with an OpenID installation. > > A debugging message confirms this: > > _doIdRes: sig = d3de/zAMOC6pZbG1BKtY233NQR0= > v_sig = Pa7rJiewvhmmcPmJz8ISiNSKrpk= > > This is code moved from one PHP 4, RHEL server to another. > > On the first server (RHEL 3) it works, on the second server (RHEL 4) it > does not. > > The ISP for the second server did a fresh install of GMP. Running "make > check" for GMP returns no errors. Moreover, I ran several PHP test > programs for GMP and they all passed. > > In previous examples of the "bad signature" error, I have found that GMP > tests failed. 
In this case they have passed, and yet I am seeing a "bad > signature" problem anyway. > > I deleted all associations in both the client and server databases, but > still I get the error. > > Does anyone have a solution? > > Cheers, > Kevin > > -- > Kevin Jardine > Radagast Solutions > > Internet campaign advice and magic > http://radagast.biz > > YIM: kevinjardine > Skype: kevinjardine > Eml: kevin at radagast.biz > Tel: +31 (0)6 25581608 > > _______________________________________________ > Dev mailing list > Dev at lists.openidenabled.com > http://lists.openidenabled.com/mailman/listinfo/dev > -- - Norman Rasmussen - Email: norman at rasmussen.co.za - Home page: http://norman.rasmussen.co.za/ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.openidenabled.com/pipermail/dev/attachments/20070224/95071d92/attachment.htm From kevin at radagast.biz Sat Feb 24 15:13:18 2007 From: kevin at radagast.biz (Kevin Jardine) Date: Sun, 25 Feb 2007 00:13:18 +0100 Subject: Bad signature puzzle In-Reply-To: <5b698f5a0702241324h60c5a24bmdf7de62b6d71afb5@mail.gmail.com> References: <45E06056.7000404@radagast.biz> <5b698f5a0702241324h60c5a24bmdf7de62b6d71afb5@mail.gmail.com> Message-ID: <45E0C68E.80100@radagast.biz> I add debugging messages to the library code myself to figure out what is going on. Thanks, I'll try that. Kevin Norman Rasmussen wrote: > re: > http://lists.openidenabled.com/pipermail/dev/2007-February/000278.html & > http://lists.openidenabled.com/pipermail/dev/2007-February/000279.html > > try adding: > > mb_internal_encoding('ISO-8859-1') > > to config.php, and see if it helps. (btw: how do you enabled debug > messages? and how do you reproduce this error?) > > On 2/24/07, Kevin Jardine wrote: >> >> I've had yet another "bad signature" problem with an OpenID installation. 
>> >> A debugging message confirms this: >> >> _doIdRes: sig = d3de/zAMOC6pZbG1BKtY233NQR0= >> v_sig = Pa7rJiewvhmmcPmJz8ISiNSKrpk= >> >> This is code moved from one PHP 4, RHEL server to another. >> >> On the first server (RHEL 3) it works, on the second server (RHEL 4) it >> does not. >> >> The ISP for the second server did a fresh install of GMP. Running "make >> check" for GMP returns no errors. Moreover, I ran several PHP test >> programs for GMP and they all passed. >> >> In previous examples of the "bad signature" error, I have found that GMP >> tests failed. In this case they have passed, and yet I am seeing a "bad >> signature" problem anyway. >> >> I deleted all associations in both the client and server databases, but >> still I get the error. >> >> Does anyone have a solution? >> >> Cheers, >> Kevin >> >> -- >> Kevin Jardine >> Radagast Solutions >> >> Internet campaign advice and magic >> http://radagast.biz >> >> YIM: kevinjardine >> Skype: kevinjardine >> Eml: kevin at radagast.biz >> Tel: +31 (0)6 25581608 >> >> _______________________________________________ >> Dev mailing list >> Dev at lists.openidenabled.com >> http://lists.openidenabled.com/mailman/listinfo/dev >> > > > > > ------------------------------------------------------------------------ > > _______________________________________________ > Dev mailing list > Dev at lists.openidenabled.com > http://lists.openidenabled.com/mailman/listinfo/dev -- Kevin Jardine Radagast Solutions Internet campaign advice and magic http://radagast.biz YIM: kevinjardine Skype: kevinjardine Eml: kevin at radagast.biz Tel: +31 (0)6 25581608 From kevin at radagast.biz Sun Feb 25 00:52:44 2007 From: kevin at radagast.biz (Kevin Jardine) Date: Sun, 25 Feb 2007 09:52:44 +0100 Subject: Bad signature puzzle In-Reply-To: <5b698f5a0702241324h60c5a24bmdf7de62b6d71afb5@mail.gmail.com> References: <45E06056.7000404@radagast.biz> <5b698f5a0702241324h60c5a24bmdf7de62b6d71afb5@mail.gmail.com> Message-ID: 
<45E14E5C.9030308@radagast.biz> Hi Norman, I'm afraid not - I still get a bad signature. A few other pieces to the puzzle: I can use other OpenID servers to log into my client application, so the problem seems to be on the OpenID server side. If I comment out the reference to GMP in BigMath.php ($_Auth_OpenID_math_extensions) which I believe forces it to use bcmath, I still get the "bad signature" error. There are *two* association records (two each in the server and client association tables) created even if I am only using one server to log into one client. Is this correct? I would think that there should only be one association record for each client/server pair. Cheers, Kevin Norman Rasmussen wrote: > re: > http://lists.openidenabled.com/pipermail/dev/2007-February/000278.html & > http://lists.openidenabled.com/pipermail/dev/2007-February/000279.html > > try adding: > > mb_internal_encoding('ISO-8859-1') > > to config.php, and see if it helps. (btw: how do you enabled debug > messages? and how do you reproduce this error?) > > On 2/24/07, Kevin Jardine wrote: >> >> I've had yet another "bad signature" problem with an OpenID installation. >> >> A debugging message confirms this: >> >> _doIdRes: sig = d3de/zAMOC6pZbG1BKtY233NQR0= >> v_sig = Pa7rJiewvhmmcPmJz8ISiNSKrpk= >> >> This is code moved from one PHP 4, RHEL server to another. >> >> On the first server (RHEL 3) it works, on the second server (RHEL 4) it >> does not. >> >> The ISP for the second server did a fresh install of GMP. Running "make >> check" for GMP returns no errors. Moreover, I ran several PHP test >> programs for GMP and they all passed. >> >> In previous examples of the "bad signature" error, I have found that GMP >> tests failed. In this case they have passed, and yet I am seeing a "bad >> signature" problem anyway. >> >> I deleted all associations in both the client and server databases, but >> still I get the error. >> >> Does anyone have a solution? 
>> >> Cheers, >> Kevin >> >> -- >> Kevin Jardine >> Radagast Solutions >> >> Internet campaign advice and magic >> http://radagast.biz >> >> YIM: kevinjardine >> Skype: kevinjardine >> Eml: kevin at radagast.biz >> Tel: +31 (0)6 25581608 >> >> _______________________________________________ >> Dev mailing list >> Dev at lists.openidenabled.com >> http://lists.openidenabled.com/mailman/listinfo/dev >> > > > > > ------------------------------------------------------------------------ > > _______________________________________________ > Dev mailing list > Dev at lists.openidenabled.com > http://lists.openidenabled.com/mailman/listinfo/dev -- Kevin Jardine Radagast Solutions Internet campaign advice and magic http://radagast.biz YIM: kevinjardine Skype: kevinjardine Eml: kevin at radagast.biz Tel: +31 (0)6 25581608 From kevin at radagast.biz Sun Feb 25 01:07:03 2007 From: kevin at radagast.biz (Kevin Jardine) Date: Sun, 25 Feb 2007 10:07:03 +0100 Subject: Bad signature puzzle In-Reply-To: <45E14E5C.9030308@radagast.biz> References: <45E06056.7000404@radagast.biz> <5b698f5a0702241324h60c5a24bmdf7de62b6d71afb5@mail.gmail.com> <45E14E5C.9030308@radagast.biz> Message-ID: <45E151B7.1000008@radagast.biz> I tried deleting the extra association record but I still get a "bad signature" error. Kevin Jardine wrote: > Hi Norman, > > I'm afraid not - I still get a bad signature. > > A few other pieces to the puzzle: > > I can use other OpenID servers to log into my client application, so the > problem seems to be on the OpenID server side. > > If I comment out the reference to GMP in BigMath.php > ($_Auth_OpenID_math_extensions) which I believe forces it to use bcmath, > I still get the "bad signature" error. > > There are *two* association records (two each in the server and client > association tables) created even if I am only using one server to log > into one client. > > Is this correct? 
I would think that there should only be one association > record for each client/server pair. > > Cheers, > Kevin > > Norman Rasmussen wrote: >> re: >> http://lists.openidenabled.com/pipermail/dev/2007-February/000278.html & >> http://lists.openidenabled.com/pipermail/dev/2007-February/000279.html >> >> try adding: >> >> mb_internal_encoding('ISO-8859-1') >> >> to config.php, and see if it helps. (btw: how do you enabled debug >> messages? and how do you reproduce this error?) >> >> On 2/24/07, Kevin Jardine wrote: >>> I've had yet another "bad signature" problem with an OpenID installation. >>> >>> A debugging message confirms this: >>> >>> _doIdRes: sig = d3de/zAMOC6pZbG1BKtY233NQR0= >>> v_sig = Pa7rJiewvhmmcPmJz8ISiNSKrpk= >>> >>> This is code moved from one PHP 4, RHEL server to another. >>> >>> On the first server (RHEL 3) it works, on the second server (RHEL 4) it >>> does not. >>> >>> The ISP for the second server did a fresh install of GMP. Running "make >>> check" for GMP returns no errors. Moreover, I ran several PHP test >>> programs for GMP and they all passed. >>> >>> In previous examples of the "bad signature" error, I have found that GMP >>> tests failed. In this case they have passed, and yet I am seeing a "bad >>> signature" problem anyway. >>> >>> I deleted all associations in both the client and server databases, but >>> still I get the error. >>> >>> Does anyone have a solution? 
>>> >>> Cheers, >>> Kevin >>> >>> -- >>> Kevin Jardine >>> Radagast Solutions >>> >>> Internet campaign advice and magic >>> http://radagast.biz >>> >>> YIM: kevinjardine >>> Skype: kevinjardine >>> Eml: kevin at radagast.biz >>> Tel: +31 (0)6 25581608 >>> >>> _______________________________________________ >>> Dev mailing list >>> Dev at lists.openidenabled.com >>> http://lists.openidenabled.com/mailman/listinfo/dev >>> >> >> >> >> ------------------------------------------------------------------------ >> >> _______________________________________________ >> Dev mailing list >> Dev at lists.openidenabled.com >> http://lists.openidenabled.com/mailman/listinfo/dev > > -- Kevin Jardine Radagast Solutions Internet campaign advice and magic http://radagast.biz YIM: kevinjardine Skype: kevinjardine Eml: kevin at radagast.biz Tel: +31 (0)6 25581608 From kevin at radagast.biz Sun Feb 25 02:38:53 2007 From: kevin at radagast.biz (Kevin Jardine) Date: Sun, 25 Feb 2007 11:38:53 +0100 Subject: Bad signature puzzle In-Reply-To: <45E151B7.1000008@radagast.biz> References: <45E06056.7000404@radagast.biz> <5b698f5a0702241324h60c5a24bmdf7de62b6d71afb5@mail.gmail.com> <45E14E5C.9030308@radagast.biz> <45E151B7.1000008@radagast.biz> Message-ID: <45E1673D.3060803@radagast.biz> I just did a hex dump of the shared secrets and they are different in the client and server tables for the same handle. So apparently the shared secret is being written incorrectly into the server association table. Cheers, Kevin Kevin Jardine wrote: > I tried deleting the extra association record but I still get a "bad > signature" error. > > Kevin Jardine wrote: >> Hi Norman, >> >> I'm afraid not - I still get a bad signature. >> >> A few other pieces to the puzzle: >> >> I can use other OpenID servers to log into my client application, so the >> problem seems to be on the OpenID server side. 
>> >> If I comment out the reference to GMP in BigMath.php >> ($_Auth_OpenID_math_extensions) which I believe forces it to use bcmath, >> I still get the "bad signature" error. >> >> There are *two* association records (two each in the server and client >> association tables) created even if I am only using one server to log >> into one client. >> >> Is this correct? I would think that there should only be one association >> record for each client/server pair. >> >> Cheers, >> Kevin >> >> Norman Rasmussen wrote: >>> re: >>> http://lists.openidenabled.com/pipermail/dev/2007-February/000278.html & >>> http://lists.openidenabled.com/pipermail/dev/2007-February/000279.html >>> >>> try adding: >>> >>> mb_internal_encoding('ISO-8859-1') >>> >>> to config.php, and see if it helps. (btw: how do you enabled debug >>> messages? and how do you reproduce this error?) >>> >>> On 2/24/07, Kevin Jardine wrote: >>>> I've had yet another "bad signature" problem with an OpenID installation. >>>> >>>> A debugging message confirms this: >>>> >>>> _doIdRes: sig = d3de/zAMOC6pZbG1BKtY233NQR0= >>>> v_sig = Pa7rJiewvhmmcPmJz8ISiNSKrpk= >>>> >>>> This is code moved from one PHP 4, RHEL server to another. >>>> >>>> On the first server (RHEL 3) it works, on the second server (RHEL 4) it >>>> does not. >>>> >>>> The ISP for the second server did a fresh install of GMP. Running "make >>>> check" for GMP returns no errors. Moreover, I ran several PHP test >>>> programs for GMP and they all passed. >>>> >>>> In previous examples of the "bad signature" error, I have found that GMP >>>> tests failed. In this case they have passed, and yet I am seeing a "bad >>>> signature" problem anyway. >>>> >>>> I deleted all associations in both the client and server databases, but >>>> still I get the error. >>>> >>>> Does anyone have a solution? 
>>>> >>>> Cheers, >>>> Kevin >>>> >>>> -- >>>> Kevin Jardine >>>> Radagast Solutions >>>> >>>> Internet campaign advice and magic >>>> http://radagast.biz >>>> >>>> YIM: kevinjardine >>>> Skype: kevinjardine >>>> Eml: kevin at radagast.biz >>>> Tel: +31 (0)6 25581608 >>>> >>>> _______________________________________________ >>>> Dev mailing list >>>> Dev at lists.openidenabled.com >>>> http://lists.openidenabled.com/mailman/listinfo/dev >>>> >>> >>> >>> ------------------------------------------------------------------------ >>> >>> _______________________________________________ >>> Dev mailing list >>> Dev at lists.openidenabled.com >>> http://lists.openidenabled.com/mailman/listinfo/dev >> > > -- Kevin Jardine Radagast Solutions Internet campaign advice and magic http://radagast.biz YIM: kevinjardine Skype: kevinjardine Eml: kevin at radagast.biz Tel: +31 (0)6 25581608 From kevin at radagast.biz Sun Feb 25 11:41:04 2007 From: kevin at radagast.biz (Kevin Jardine) Date: Sun, 25 Feb 2007 20:41:04 +0100 Subject: Bad signature puzzle - solved In-Reply-To: <45E1673D.3060803@radagast.biz> References: <45E06056.7000404@radagast.biz> <5b698f5a0702241324h60c5a24bmdf7de62b6d71afb5@mail.gmail.com> <45E14E5C.9030308@radagast.biz> <45E151B7.1000008@radagast.biz> <45E1673D.3060803@radagast.biz> Message-ID: <45E1E650.8040301@radagast.biz> Norman, Thanks for your hint on binary encoding as that turned out to be the source of the problem. It turned out that the character encoding of the OpenID server database was accidentally switched from UTF-8 to Latin-1 when it was migrated to the new server by our ISP. As the client database was still operating in UTF-8 but the server database was operating in Latin-1, (and the overall OpenID software was assuming that both databases were using the same encoding, whatever it was) the two databases were producing incompatible results for the shared secret. 
Cheers, Kevin Kevin Jardine wrote: > I just did a hex dump of the shared secrets and they are different in > the client and server tables for the same handle. > > So apparently the shared secret is being written incorrectly into the > server association table. > > Cheers, > Kevin > > Kevin Jardine wrote: >> I tried deleting the extra association record but I still get a "bad >> signature" error. >> >> Kevin Jardine wrote: >>> Hi Norman, >>> >>> I'm afraid not - I still get a bad signature. >>> >>> A few other pieces to the puzzle: >>> >>> I can use other OpenID servers to log into my client application, so >>> the problem seems to be on the OpenID server side. >>> >>> If I comment out the reference to GMP in BigMath.php >>> ($_Auth_OpenID_math_extensions) which I believe forces it to use >>> bcmath, I still get the "bad signature" error. >>> >>> There are *two* association records (two each in the server and >>> client association tables) created even if I am only using one server >>> to log into one client. >>> >>> Is this correct? I would think that there should only be one >>> association record for each client/server pair. >>> >>> Cheers, >>> Kevin >>> >>> Norman Rasmussen wrote: >>>> re: >>>> http://lists.openidenabled.com/pipermail/dev/2007-February/000278.html >>>> & >>>> http://lists.openidenabled.com/pipermail/dev/2007-February/000279.html >>>> >>>> try adding: >>>> >>>> mb_internal_encoding('ISO-8859-1') >>>> >>>> to config.php, and see if it helps. (btw: how do you enabled debug >>>> messages? and how do you reproduce this error?) >>>> >>>> On 2/24/07, Kevin Jardine wrote: >>>>> I've had yet another "bad signature" problem with an OpenID >>>>> installation. >>>>> >>>>> A debugging message confirms this: >>>>> >>>>> _doIdRes: sig = d3de/zAMOC6pZbG1BKtY233NQR0= >>>>> v_sig = Pa7rJiewvhmmcPmJz8ISiNSKrpk= >>>>> >>>>> This is code moved from one PHP 4, RHEL server to another. 
>>>>> >>>>> On the first server (RHEL 3) it works, on the second server (RHEL >>>>> 4) it >>>>> does not. >>>>> >>>>> The ISP for the second server did a fresh install of GMP. Running >>>>> "make >>>>> check" for GMP returns no errors. Moreover, I ran several PHP test >>>>> programs for GMP and they all passed. >>>>> >>>>> In previous examples of the "bad signature" error, I have found >>>>> that GMP >>>>> tests failed. In this case they have passed, and yet I am seeing a >>>>> "bad >>>>> signature" problem anyway. >>>>> >>>>> I deleted all associations in both the client and server databases, >>>>> but >>>>> still I get the error. >>>>> >>>>> Does anyone have a solution? >>>>> >>>>> Cheers, >>>>> Kevin >>>>> >>>>> -- >>>>> Kevin Jardine >>>>> Radagast Solutions >>>>> >>>>> Internet campaign advice and magic >>>>> http://radagast.biz >>>>> >>>>> YIM: kevinjardine >>>>> Skype: kevinjardine >>>>> Eml: kevin at radagast.biz >>>>> Tel: +31 (0)6 25581608 >>>>> >>>>> _______________________________________________ >>>>> Dev mailing list >>>>> Dev at lists.openidenabled.com >>>>> http://lists.openidenabled.com/mailman/listinfo/dev >>>>> >>>> >>>> >>>> ------------------------------------------------------------------------ >>>> >>>> >>>> _______________________________________________ >>>> Dev mailing list >>>> Dev at lists.openidenabled.com >>>> http://lists.openidenabled.com/mailman/listinfo/dev >>> >> >> > > -- Kevin Jardine Radagast Solutions Internet campaign advice and magic http://radagast.biz YIM: kevinjardine Skype: kevinjardine Eml: kevin at radagast.biz Tel: +31 (0)6 25581608 From simon at simonwillison.net Sun Feb 25 13:46:35 2007 From: simon at simonwillison.net (Simon Willison) Date: Sun, 25 Feb 2007 21:46:35 +0000 Subject: Bad signature puzzle - solved In-Reply-To: <45E1E650.8040301@radagast.biz> References: <45E06056.7000404@radagast.biz> <5b698f5a0702241324h60c5a24bmdf7de62b6d71afb5@mail.gmail.com> <45E14E5C.9030308@radagast.biz> 
<45E151B7.1000008@radagast.biz> <45E1673D.3060803@radagast.biz> <45E1E650.8040301@radagast.biz> Message-ID: On 2/25/07, Kevin Jardine wrote: > It turned out that the character encoding of the OpenID server database > was accidentally switched from UTF-8 to Latin-1 when it was migrated to > the new server by our ISP [...] the two databases were producing > incompatible results for the shared secret. Could the library be modified to eliminate the chance of this error occurring? Maybe by storing the shared secret as a base64 encoded value? Anything that makes the library robust against weird configuration issues has to be a good thing. Cheers, Simon From cygnus at janrain.com Mon Feb 26 11:22:13 2007 From: cygnus at janrain.com (Jonathan Daugherty) Date: Mon, 26 Feb 2007 11:22:13 -0800 Subject: Bad signature puzzle - solved In-Reply-To: <45E1E650.8040301@radagast.biz> References: <45E06056.7000404@radagast.biz> <5b698f5a0702241324h60c5a24bmdf7de62b6d71afb5@mail.gmail.com> <45E14E5C.9030308@radagast.biz> <45E151B7.1000008@radagast.biz> <45E1673D.3060803@radagast.biz> <45E1E650.8040301@radagast.biz> Message-ID: <20070226192213.GE32294@janrain.com> # It turned out that the character encoding of the OpenID server # database was accidentally switched from UTF-8 to Latin-1 when it was # migrated to the new server by our ISP. Although I agree with Simon that the library should try to withstand this kind of issue, this is most certainly a bug in the database server itself; the character encoding should never affect binary storage fields. -- Jonathan Daugherty JanRain, Inc. 
irc.freenode.net: cygnus in #openid cygnus.myopenid.com From kevin at radagast.biz Mon Feb 26 11:36:42 2007 From: kevin at radagast.biz (Kevin Jardine) Date: Mon, 26 Feb 2007 20:36:42 +0100 Subject: Bad signature puzzle - solved In-Reply-To: <20070226192213.GE32294@janrain.com> References: <45E06056.7000404@radagast.biz> <5b698f5a0702241324h60c5a24bmdf7de62b6d71afb5@mail.gmail.com> <45E14E5C.9030308@radagast.biz> <45E151B7.1000008@radagast.biz> <45E1673D.3060803@radagast.biz> <45E1E650.8040301@radagast.biz> <20070226192213.GE32294@janrain.com> Message-ID: <45E336CA.2060008@radagast.biz> I completely agree. It makes no sense that character encoding should affect binary data stored in MySQL blobs. Sadly, it does seem to, however, and MySQL is a bit like Windows in the open source software world - so commonly used, it sets the rules even if they don't make sense. Jonathan Daugherty wrote: > # It turned out that the character encoding of the OpenID server > # database was accidentally switched from UTF-8 to Latin-1 when it was > # migrated to the new server by our ISP. > > Although I agree with Simon that the library should try to withstand > this kind of issue, this is most certainly a bug in the database > server itself; the character encoding should never affect binary > storage fields. 
> -- Kevin Jardine Radagast Solutions Internet campaign advice and magic http://radagast.biz YIM: kevinjardine Skype: kevinjardine Eml: kevin at radagast.biz Tel: +31 (0)6 25581608 From cygnus at janrain.com Mon Feb 26 11:45:45 2007 From: cygnus at janrain.com (Jonathan Daugherty) Date: Mon, 26 Feb 2007 11:45:45 -0800 Subject: Bad signature puzzle - solved In-Reply-To: <45E336CA.2060008@radagast.biz> References: <45E06056.7000404@radagast.biz> <5b698f5a0702241324h60c5a24bmdf7de62b6d71afb5@mail.gmail.com> <45E14E5C.9030308@radagast.biz> <45E151B7.1000008@radagast.biz> <45E1673D.3060803@radagast.biz> <45E1E650.8040301@radagast.biz> <20070226192213.GE32294@janrain.com> <45E336CA.2060008@radagast.biz> Message-ID: <20070226194545.GH32294@janrain.com> # Sadly, it does seem to, however, and MySQL is a bit like Windows in # the open source software world - so commonly used, it sets the rules # even if they don't make sense. Well, this isn't even a matter of setting rules! :) The documentation at http://dev.mysql.com/doc/refman/4.1/en/blob.html even says, BLOB columns have no character set, and sorting and comparison are based on the numeric values of the bytes in column values. At any rate, I'm happy to implement a workaround in our library. -- Jonathan Daugherty JanRain, Inc. 
irc.freenode.net: cygnus in #openid cygnus.myopenid.com From kevin at radagast.biz Mon Feb 26 13:54:42 2007 From: kevin at radagast.biz (Kevin Jardine) Date: Mon, 26 Feb 2007 22:54:42 +0100 Subject: Bad signature puzzle - solved In-Reply-To: <20070226194545.GH32294@janrain.com> References: <45E06056.7000404@radagast.biz> <5b698f5a0702241324h60c5a24bmdf7de62b6d71afb5@mail.gmail.com> <45E14E5C.9030308@radagast.biz> <45E151B7.1000008@radagast.biz> <45E1673D.3060803@radagast.biz> <45E1E650.8040301@radagast.biz> <20070226192213.GE32294@janrain.com> <45E336CA.2060008@radagast.biz> <20070226194545.GH32294@janrain.com> Message-ID: <45E35722.3020507@radagast.biz> I am uneasy because I don't understand why character encoding should affect the OpenID library at all. A few people have reported that it does - but why? Is this a PHP problem, a MySQL problem? Does anyone have any insight? I completely agree with Jonathan that it should not. Isn't that what BLOBs are for - to store pure binary strings? Cheers, Kevin Jonathan Daugherty wrote: > # Sadly, it does seem to, however, and MySQL is a bit like Windows in > # the open source software world - so commonly used, it sets the rules > # even if they don't make sense. > > Well, this isn't even a matter of setting rules! :) The documentation > at > > http://dev.mysql.com/doc/refman/4.1/en/blob.html > > even says, > > BLOB columns have no character set, and sorting and comparison are > based on the numeric values of the bytes in column values. > > At any rate, I'm happy to implement a workaround in our library. 
> -- Kevin Jardine Radagast Solutions Internet campaign advice and magic http://radagast.biz YIM: kevinjardine Skype: kevinjardine Eml: kevin at radagast.biz Tel: +31 (0)6 25581608 From cygnus at janrain.com Mon Feb 26 14:02:13 2007 From: cygnus at janrain.com (Jonathan Daugherty) Date: Mon, 26 Feb 2007 14:02:13 -0800 Subject: Bad signature puzzle - solved In-Reply-To: <45E35722.3020507@radagast.biz> References: <45E06056.7000404@radagast.biz> <5b698f5a0702241324h60c5a24bmdf7de62b6d71afb5@mail.gmail.com> <45E14E5C.9030308@radagast.biz> <45E151B7.1000008@radagast.biz> <45E1673D.3060803@radagast.biz> <45E1E650.8040301@radagast.biz> <20070226192213.GE32294@janrain.com> <45E336CA.2060008@radagast.biz> <20070226194545.GH32294@janrain.com> <45E35722.3020507@radagast.biz> Message-ID: <20070226220213.GA5237@janrain.com> # I am uneasy because I don't understand why character encoding should # affect the OpenID library at all. A few people have reported that it # does - but why? Is this a PHP problem, a MySQL problem? It shouldn't affect it, although how strings are represented in both the programming and database environments is something one can't really avoid, regardless of web framework, language, or database. # I completely agree with Jonathan that it should not. Isn't that what # BLOBs are for - to store pure binary strings? Yeah. -- Jonathan Daugherty JanRain, Inc. irc.freenode.net: cygnus in #openid cygnus.myopenid.com From simon at simonwillison.net Mon Feb 26 16:06:07 2007 From: simon at simonwillison.net (Simon Willison) Date: Tue, 27 Feb 2007 00:06:07 +0000 Subject: Problems implementing dumb mode server using PHP library Message-ID: Hi all, I'm working on adding OpenID server support to a large PHP site, using the JanRain PHP library. 
I've got to a state where I'm passing all but two of the tests on
http://www.openidenabled.com/resources/openid-test/diagnose-server/

The failing tests are:

Successful checkid_setup (dumb mode)
Successful checkid_immediate (dumb mode)

Here's the error message I'm getting (I've replaced the site with
'example.com'):

================================
Server responds that checkAuth call is not valid

Latest response: Successful checkid_setup (dumb mode)

* Redirecting to
  http://simon.example.com/?openidserver=1&openid.identity=http%3A%2F%2Fsimondev.example.com%2F&openid.mode=checkid_setup&openid.return_to=http%3A%2F%2Fwww.openidenabled.com%2Fresources%2Fopenid-test%2Fdiagnose-server%2FTestDumbCheckidSetup%2F%3Faction%3Dresponse%26attempt%3D2%26nonce%3DaKFfQNI0&openid.trust_root=http%3A%2F%2Fwww.openidenabled.com%2Fresources%2Fopenid-test%2Fdiagnose-server%2FTestDumbCheckidSetup%2F

  openid.identity     http://simon.example.com/
  openid.mode         checkid_setup
  openid.return_to    http://www.openidenabled.com/resources/openid-test/diagnose-server/TestDumbCheckidSetup/?action=response&attempt=2&nonce=aKFfQNI0
  openid.trust_root   http://www.openidenabled.com/resources/openid-test/diagnose-server/TestDumbCheckidSetup/
  openidserver        1

* Response received:

  action               response
  attempt              2
  nonce                aKFfQNI0
  openid.assoc_handle  {HMAC-SHA1}{45e37199}{5Gk0rA==}
  openid.identity      http://simon.example.com/
  openid.mode          id_res
  openid.return_to     http://www.openidenabled.com/resources/openid-test/diagnose-server/TestDumbCheckidSetup/?action=response&attempt=2&nonce=aKFfQNI0
  openid.sig           zIJJ4ZxP3mDswHvEXnTxiTZ2aKc=
  openid.signed        mode,identity,return_to

* Server denied check_authentication

This attempt is failing.
================================

The key error message appears to be "Server responds that checkAuth call
is not valid", but I'm not sure where I'm going wrong or what my next
step should be.

Here's the core of my server logic:

================================
$store = new Custom_OpenID_Store();
$server = new Auth_OpenID_Server($store);
$GLOBALS['_openidserver_server'] = $server;

$method = $_SERVER['REQUEST_METHOD'];
$request = $_REQUEST;

// Normalise the argument names, then decode the OpenID request.
$request = Auth_OpenID::fixArgs($request);
$request = $server->decodeRequest($request);

// Not an OpenID request: show the plain server page.
if (!$request) {
    openidserver_this_is_an_openid_server();
    exit;
}

if (in_array($request->mode, array('checkid_immediate', 'checkid_setup'))) {
    if (openidserver_user_owns_identity($request->identity) &&
        openidserver_is_trusted($request->identity, $request->trust_root)) {
        $response =& $request->answer(true);
    } else if ($request->immediate) {
        $response =& $request->answer(false, openidserver_get_server_url());
    } else {
        if (!openidserver_user_is_logged_in()) {
            echo "You need to log in first!";
            exit;
        } elseif (!openidserver_user_owns_identity($request->identity)) {
            echo "You do not own that identity.";
            exit;
        } else {
            return openidserver_decide_page($request);
            exit;
        }
    }
} else {
    // Every other mode (check_authentication included) goes to the library.
    $response =& $server->handleRequest($request);
}

openidserver_send_openid_response($response);
exit;
================================

Any suggestions as to ways I can debug this problem would be welcome.
Is there something obvious that I'm missing?

Cheers,

Simon

From kevin at janrain.com Mon Feb 26 16:51:23 2007
From: kevin at janrain.com (Kevin Turner)
Date: Mon, 26 Feb 2007 16:51:23 -0800
Subject: Problems implementing dumb mode server using PHP library
In-Reply-To:
References:
Message-ID: <1172537483.5808.127.camel@localhost>

On Tue, 2007-02-27 at 00:06 +0000, Simon Willison wrote:
> The failing tests are:
>
> Successful checkid_setup (dumb mode)
> Successful checkid_immediate (dumb mode)

Unfortunately dumb mode is where that diagnostic tool provides the least
useful feedback, as it doesn't reveal the check_authentication call it
makes or the result. :-/ Check the logs on the server side. Make sure
it's receiving a POST with a check_authentication request.
Sounds like it's responding with is_valid:false.

If that's the case, I think the most likely spots for trouble are either
where the request is being decoded, if it's somehow corrupted so that
when the signature is re-computed it doesn't match, or in the store
configuration, failing to retrieve the association it used in the id_res
response.

From simon at simonwillison.net Mon Feb 26 17:22:59 2007
From: simon at simonwillison.net (Simon Willison)
Date: Tue, 27 Feb 2007 01:22:59 +0000
Subject: Problems implementing dumb mode server using PHP library
In-Reply-To: <1172537483.5808.127.camel@localhost>
References: <1172537483.5808.127.camel@localhost>
Message-ID:

On 2/27/07, Kevin Turner wrote:
> Unfortunately dumb mode is where that diagnostic tool provides the least
> useful feedback, as it doesn't reveal the check_authentication call it
> makes or the result. :-/ Check the logs on the server side. Make sure
> it's receiving a POST with a check_authentication request. Sounds like
> it's responding with is_valid:false.

Thanks for the pointer. I added debugging code; here's the output:

27-Feb-2007 01:20:43] Request method: POST
[27-Feb-2007 01:20:43] Query string: openidserver=1
[27-Feb-2007 01:20:43] Post data: Array
(
    [openid_sig] => 9FE/S8xoxe2OPf4vUR1Y5tpMnYc=
    [openid_return_to] => http://www.openidenabled.com/resources/openid-test/diagnose-server/TestDumbCheckidSetup/?action=response&attempt=5&nonce=Rr8YTtr6
    [openid_mode] => check_authentication
    [openid_signed] => mode,identity,return_to
    [openid_assoc_handle] => {HMAC-SHA1}{45e3876a}{hWL9eg==}
    [openid_identity] => http://simon.example.com/
)

[27-Feb-2007 01:20:43] Sent response:
[27-Feb-2007 01:20:43] BODY
[27-Feb-2007 01:20:43] is_valid:true

So it's getting the check_authentication request, and responding with
'is_valid:true'. Anything look out of place there?

Thanks,

Simon

From mike at nthwave.net Tue Feb 27 07:35:46 2007
From: mike at nthwave.net (Michael Mell)
Date: Tue, 27 Feb 2007 07:35:46 -0800
Subject: Problems implementing dumb mode server using PHP library
In-Reply-To:
References: <1172537483.5808.127.camel@localhost>
Message-ID:

Hi Simon,

I ran into a similar problem recently. The IDP/OP response had a bad
header Status Line [1]. We're using a Rails-based IDP. The fix was to
change the deprecated
    render_text resp.body, :status => 200
to
    render :text => resp.body

You can track this down in your code by finding the relevant
    $resp = $this->fetcher->post($server_url, $body);
in your RP OpenID library and examining the response.

Mike

[1] http://www.freesoft.org/CIE/RFC/1945/31.htm

On Feb 26, 2007, at 5:22 PM, Simon Willison wrote:

> On 2/27/07, Kevin Turner wrote:
>> Unfortunately dumb mode is where that diagnostic tool provides the
>> least
>> useful feedback, as it doesn't reveal the check_authentication call it
>> makes or the result. :-/ Check the logs on the server side. Make
>> sure
>> it's receiving a POST with a check_authentication request. Sounds
>> like
>> it's responding with is_valid:false.
>
> Thanks for the pointer. I added debugging code; here's the output:
>
> 27-Feb-2007 01:20:43] Request method: POST
> [27-Feb-2007 01:20:43] Query string: openidserver=1
> [27-Feb-2007 01:20:43] Post data: Array
> (
> [openid_sig] => 9FE/S8xoxe2OPf4vUR1Y5tpMnYc=
> [openid_return_to] =>
> http://www.openidenabled.com/resources/openid-test/diagnose-server/
> TestDumbCheckidSetup/?action=response&attempt=5&nonce=Rr8YTtr6
> [openid_mode] => check_authentication
> [openid_signed] => mode,identity,return_to
> [openid_assoc_handle] => {HMAC-SHA1}{45e3876a}{hWL9eg==}
> [openid_identity] => http://simon.example.com/
> )
>
> [27-Feb-2007 01:20:43] Sent response:
> [27-Feb-2007 01:20:43] BODY
> [27-Feb-2007 01:20:43] is_valid:true
>
> So it's getting the check_authentication request, and responding with
> 'is_valid:true'.
> Anything look out of place there?
>
> Thanks,
>
> Simon
>
> _______________________________________________
> Dev mailing list
> Dev at lists.openidenabled.com
> http://lists.openidenabled.com/mailman/listinfo/dev
>

From simon at simonwillison.net Tue Feb 27 08:14:55 2007
From: simon at simonwillison.net (Simon Willison)
Date: Tue, 27 Feb 2007 16:14:55 +0000
Subject: Problems implementing dumb mode server using PHP library
In-Reply-To:
References: <1172537483.5808.127.camel@localhost>
Message-ID:

On 2/27/07, Michael Mell wrote:
> I ran into a similar problem recently. The IDP/OP response had a bad
> header Status Line [1]. We're using a Rails-based IDP. The fix was to
> change the deprecated
> render_text resp.body, :status => 200
> to
> render :text => resp.body

I'm using PHP rather than Rails. What difference does altering this
line of code make in terms of what is returned from the server? If I
understand the difference I may be able to replicate it in PHP.

Thanks,

Simon

From mike at nthwave.net Tue Feb 27 09:38:46 2007
From: mike at nthwave.net (Michael Mell)
Date: Tue, 27 Feb 2007 09:38:46 -0800
Subject: Problems implementing dumb mode server using PHP library
In-Reply-To:
References: <1172537483.5808.127.camel@localhost>
Message-ID: <10533548497711b514eba6eca3b24f14@nthwave.net>

On Feb 27, 2007, at 8:14 AM, Simon Willison wrote:

> On 2/27/07, Michael Mell wrote:
>> I ran into a similar problem recently. The IDP/OP response had a bad
>> header Status Line [1]. We're using a Rails-based IDP. The fix was to
>> change the deprecated
>> render_text resp.body, :status => 200
>> to
>> render :text => resp.body
>
> I'm using PHP rather than Rails. What difference does altering this
> line of code make in terms of what is returned from the server? If I
> understand the difference I may be able to replicate it in PHP.

The bad response status line was
    "HTTP/1.1 0 "
It should be
    "HTTP/1.1 200 "

Mike

From simon at simonwillison.net Tue Feb 27 16:23:18 2007
From: simon at simonwillison.net (Simon Willison)
Date: Wed, 28 Feb 2007 00:23:18 +0000
Subject: Problems implementing dumb mode server using PHP library
In-Reply-To:
References: <1172537483.5808.127.camel@localhost>
Message-ID:

I've solved my problem. It turns out all of the weird bugs I was
seeing stemmed from having the include() calls that imported the
JanRain libraries inside a function. This screwed up various global
variables in non-obvious ways. The solution was to move the include()s
to the top of the PHP file, outside of any functions.

Thanks to everyone (here and on IRC) for their help,

Simon

From steve at kostecke.net Wed Feb 28 19:53:03 2007
From: steve at kostecke.net (Steve Kostecke)
Date: Wed, 28 Feb 2007 22:53:03 -0500
Subject: OpenID-enabled Mailman
Message-ID:

The "Mailman gets OpenID enabled" announcement says "If you are
interested in running your own OpenID-enabled Mailman, please mail our
developers mailing list."

Well, I'd like to OpenID-enable lists.holyapostles.com and
lists.ntp.isc.org.

Thanks,

--
Steve Kostecke

From kevin at janrain.com Wed Feb 28 20:28:25 2007
From: kevin at janrain.com (Kevin Turner)
Date: Wed, 28 Feb 2007 20:28:25 -0800
Subject: OpenID-enabled Mailman
In-Reply-To:
References:
Message-ID: <1172723305.5808.159.camel@localhost>

On Wed, 2007-02-28 at 22:53 -0500, Steve Kostecke wrote:
> The "Mailman gets OpenID enabled" announcement says "If you are
> interested in running your own OpenID-enabled Mailman, please mail our
> developers mailing list." Well, I'd like to OpenID-enable
> lists.holyapostles.com and lists.ntp.isc.org.

The announcement you're referring to was made a year ago when we hacked
up the instance of Mailman running this list to accept OpenIDs. More
recently, Barry Warsaw has been talking about adding support to mailman
on a more official basis.
Just last week we were trying to figure out when we can get together to
work on this. Sounds like it had better be soon, because you're the
third person I've heard ask about it since then!

If you just can't wait, I can dig up the code that currently runs this
list. But I'd have to caution you that we haven't tested that patch
against more recent versions of mailman, and I can't promise that it'll
be compatible with any future mailman/OpenID implementations.

Cheers,

- Kevin
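
Added note on the "Problems implementing dumb mode server using PHP library" thread above (not part of any message in the archive, and not JanRain library code): a sketch of the OpenID 1.1 check a provider repeats on check_authentication, reporting which of the two failure points named in that thread was hit. It assumes PHP 7 or later; the function names, the array used as a store, the handle, the secret and the URLs are all constructed for illustration.

```php
<?php
// Added example, not JanRain library code. Secret, handle and URLs are constructed.

// PHP delivers "openid.sig" as "openid_sig" in $_POST; restore the dotted prefix first.
function restore_openid_keys(array $post): array {
    $out = [];
    foreach ($post as $k => $v) {
        $out[strpos($k, 'openid_') === 0 ? 'openid.' . substr($k, 7) : $k] = $v;
    }
    return $out;
}

// OpenID 1.1 signs "key:value\n" pairs for the fields in openid.signed, in that order.
function sign(array $args, string $secret): string {
    $kv = '';
    foreach (explode(',', $args['openid.signed'] ?? '') as $f) {
        $kv .= $f . ':' . ($args['openid.' . $f] ?? '') . "\n";
    }
    return base64_encode(hash_hmac('sha1', $kv, $secret, true));
}

// $store holds only private (dumb-mode) associations, handle => secret.
// Returns [is_valid, reason].
function check_authentication(array $post, array $store): array {
    $args = restore_openid_keys($post);
    $handle = $args['openid.assoc_handle'] ?? '';
    if (!isset($store[$handle])) {
        return [false, 'association not found in store'];
    }
    $args['openid.mode'] = 'id_res';  // the signature was made over mode=id_res
    $ok = hash_equals(sign($args, $store[$handle]), (string)($args['openid.sig'] ?? ''));
    return [$ok, $ok ? 'signature matches' : 'signature mismatch after decoding'];
}

$handle = '{HMAC-SHA1}{constructed}{handle}';
$store = [$handle => random_bytes(20)];
$post = [  // constructed $_POST of a check_authentication call, keys as PHP delivers them
    'openid_mode' => 'check_authentication',
    'openid_identity' => 'http://simon.example.com/',
    'openid_return_to' => 'http://rp.example.org/?action=response&nonce=abc',
    'openid_assoc_handle' => $handle,
    'openid_signed' => 'mode,identity,return_to',
];
// Sign as the provider did when it issued the id_res response.
$post['openid_sig'] = sign(['openid.mode' => 'id_res'] + restore_openid_keys($post), $store[$handle]);

var_dump(check_authentication($post, $store));  // intact request
var_dump(check_authentication(['openid_identity' => 'http://x.example/'] + $post, $store));  // field altered
var_dump(check_authentication($post, []));      // store no longer has the association
```

Logging the reason string next to the is_valid value separates a request damaged during decoding from an association the store failed to return, the two spots Kevin Turner's reply points at.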