6

I want to implement an OpenID login system with latest LightOpenID release. I'm testing the example provided with the source code line by line (I just replaced localhost with $_SERVER['HTTP_HOST'] in the constructor).

The issue is that everything works fine in my development box inside a private network (PHP/5.3.6 on Windows Vista) but validation always fails in my life server at the HSP public network (PHP/5.3.3 on CentOS).

I've added var_dump()'s all around and I can tell you that both copies of the code produce exactly the same request parameters and receive exactly the same response parameters (via GET). Only openid.assoc_handle, openid.sig, openid.response_nonce and openid.return_to have different values, which I guess is the expected behaviour.

However, my dev box receives this from the OpenID provider (no matter which one I use):

is_valid:true
ns:http://specs.openid.net/auth/2.0

... and my live fox receives this:

is_valid:false
ns:http://specs.openid.net/auth/2.0

There aren't any non-ASCII characters involved so it can't be an encoding issue. There must be something wrong in my hosting service but I just can't figure out what.

I need suggestions about possible causes and troubleshooting tips.

Álvaro González
  • 142,137
  • 41
  • 261
  • 360

2 Answers2

11

I've isolated the problem and found a workaround. The request() method makes some auto-detection to find out how to stablish HTTP connections:

protected function request($url, $method='GET', $params=array(), $update_claimed_id=false)
{
    if (function_exists('curl_init')
        && (!in_array('https', stream_get_wrappers()) || !ini_get('safe_mode') && !ini_get('open_basedir'))
    ) {
        return $this->request_curl($url, $method, $params, $update_claimed_id);
    }
    return $this->request_streams($url, $method, $params, $update_claimed_id);
}

In my dev box is uses CURL but in my live box it uses file_get_contents() because the check fails. The reason is that the open_basedir directive is not empty.

If I force LightOpenID to use CURL, everything runs smoothly.

Update #1: LightOpenID was right when deciding that curl was not usable. I found this in the log file:

CURLOPT_FOLLOWLOCATION cannot be activated when safe_mode is enabled or an open_basedir is set

As for the file_get_contents() version, I suspect I've found a typo in the library:

Index: lightopenid/openid.php
===================================================================
--- lightopenid/openid.php  (0.60)
+++ lightopenid/openid.php  (working copy)
@@ -349,7 +349,7 @@
             $this->headers = $this->parse_header_array($http_response_header, $update_claimed_id);
         }

-        return file_get_contents($url, false, $context);
+        return $data;
     }

     protected function request($url, $method='GET', $params=array(), $update_claimed_id=false)

I've notified the author and he's confirmed it's a bug. I'll report back if it gets fixed.

Update #2: The bug was fixed in master branch on June 2012. It's still not part of the stable release but can be downloaded from the code repository.

Álvaro González
  • 142,137
  • 41
  • 261
  • 360
0

Just a shot in the dark but when I worked with OpenID (not lightopenid) but a library for CodeIgniter, I got a similar issue when my permissions were not set correctly for the nonce cache folder. Maybe its a simple permission issue for storage?

Jakub
  • 20,418
  • 8
  • 65
  • 92
  • As far as I know, LightOpenID does not use storage. But I've found a difference: the live server does not seem to have CURL available and LightOpenID uses `file_get_contents()` instead. I'll try to find out whether it's relevant. – Álvaro González Nov 18 '11 at 19:50