Yubico Forum
https://forum.yubico.com/

Facebook OpenID implementation troubles
https://forum.yubico.com/viewtopic.php?f=16&t=344
Page 1 of 1

Author:  editor [ Mon Jun 29, 2009 9:53 pm ]
Post subject:  Facebook OpenID implementation troubles

I'm currently trying to figure out where I can use my very neat little Yubico key (besides this forum, of course).

Facebook says they allow OpenID, so I decided to give that a whirl. It redirects me to the Yubico auth server, where I get this message:

Code:
You entered the server URL at the RP. Please choose the name you wish to use. If you enter nothing, the request will be cancelled.


I've tried various strings in the upper box (no green 'y') but Facebook ends up telling me the authorization was cancelled. Comparing the URL to a working OpenID test service, I see that they're missing an "openid.trust_root" parameter, which I think might be the "RP" part of the error messages. Those URLs:

Facebook, non-working: http://openid.yubico.com/server.php?ope ... oc_handle={HMAC-SHA1}{4a406677}{88qwlg%3D%3D}&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1&openid.ns.ui=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fui%2F1.0&openid.realm=https%3A%2F%2Fwww.facebook.com%2F&openid.return_to=https%3A%2F%2Fwww.facebook.com%2Fopenid%2Freceiver.php%3Frequest_id%3D2%26provider_id%3D1039216355268%26context%3Dlink%26protocol%3Dhttps&openid.sreg.optional=postcode%2Ccountry%2Clanguage%2Ctimezone&openid.sreg.required=fullname%2Cemail%2Cdob%2Cgender&openid.ui.lang=en-US&openid.ui.mode=popup

Test service, working: http://openid.yubico.com/server.php?ope ... oc_handle={HMAC-SHA1}{4a491c72}{tY2vVQ%3D%3D}&openid.identity=http%3A%2F%2Fopenid.yubico.com%2Fserver.php%2Fidpage%3Fuser%3Dccccccccekbl&openid.mode=checkid_setup&openid.return_to=http%3A%2F%2Fwww.openidenabled.com%2Fresources%2Fopenid-test%2Fcheckup%2FTestCheckidSetup%2F%3Faction%3Dresponse%26attempt%3D1%26nonce%3DkDd5Eds3&openid.trust_root=http%3A%2F%2Fwww.openidenabled.com%2Fresources%2Fopenid-test%2Fcheckup%2FTestCheckidSetup%2F

Is there any way I can tweak the request URL to get my yubico key working on Facebook?
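
The two request shapes compared in the post above, as an added example that is not part of the original post: a small classifier for OpenID authentication request URLs. In OpenID 2.0 the relying party's scope is sent as `openid.realm` (the 1.x name was `openid.trust_root`), and an `identifier_select` identity means the provider has to ask the user which identifier to use. The sample URLs are constructed from parameters visible in the post, and the host `op.example` is a placeholder.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

OPENID2_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = OPENID2_NS + "/identifier_select"

def classify_auth_request(url):
    """Summarise an OpenID authentication request URL as the provider receives it."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    p = {key: values[0] for key, values in query.items()}
    is_v2 = p.get("openid.ns") == OPENID2_NS
    # OpenID 2.0 renamed trust_root to realm, so each version is read from its own key.
    scope = p.get("openid.realm") if is_v2 else p.get("openid.trust_root")
    return {
        "version": "2.0" if is_v2 else "1.x",
        "mode": p.get("openid.mode"),
        "rp_scope": scope,
        # identifier_select: the RP was given the server URL, so the OP must ask for a name.
        "identifier_select": is_v2 and p.get("openid.identity") == IDENTIFIER_SELECT,
        "extensions": sorted(k[len("openid.ns."):] for k in p if k.startswith("openid.ns.")),
    }

# Constructed samples: parameter names and values follow the two URLs in the post,
# shortened; the host op.example is a placeholder.
FACEBOOK_STYLE = "http://op.example/server.php?" + urlencode({
    "openid.ns": OPENID2_NS,
    "openid.ns.sreg": "http://openid.net/extensions/sreg/1.1",
    "openid.ns.ui": "http://specs.openid.net/extensions/ui/1.0",
    "openid.mode": "checkid_setup",
    "openid.claimed_id": IDENTIFIER_SELECT,
    "openid.identity": IDENTIFIER_SELECT,
    "openid.realm": "https://www.facebook.com/",
    "openid.return_to": "https://www.facebook.com/openid/receiver.php",
})
TEST_SERVICE_STYLE = "http://op.example/server.php?" + urlencode({
    "openid.mode": "checkid_setup",
    "openid.identity": "http://openid.yubico.com/server.php/idpage?user=ccccccccekbl",
    "openid.return_to": "http://www.openidenabled.com/resources/openid-test/checkup/TestCheckidSetup/",
    "openid.trust_root": "http://www.openidenabled.com/resources/openid-test/checkup/TestCheckidSetup/",
})

if __name__ == "__main__":
    for label, url in (("facebook-style", FACEBOOK_STYLE), ("test-service", TEST_SERVICE_STYLE)):
        print(label, classify_auth_request(url))
```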

Author:  tpohl [ Fri Jul 10, 2009 8:00 am ]
Post subject:  Re: Facebook OpenID implementation troubles

I found a way to make this work.

The yubico webpage that asks for the "name you wish to use" has the idSelect tag outside of the form tags. They should really fix that, BUT while on the page, if you view source, copy the source of that page into a new local html page, move the tag, <input type="text" name="idSelect" />, into the <form></form> tags, change the URL to your local file, put your key id into that field and then enter your yubikey, the process WILL work!
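
The markup problem described in the post above, as an added example that is not part of the original post or the Yubico package: a template check that reports named form controls which no `<form>` will submit. The sample pages are constructed (the real trust page markup is not shown in this thread); only the field name `idSelect` comes from the post, and the `action` path and `trust` button are hypothetical.

```python
from html.parser import HTMLParser

FIELD_TAGS = {"input", "select", "textarea", "button"}

class OrphanFieldFinder(HTMLParser):
    """Collect named form controls that sit outside every <form> element."""
    def __init__(self):
        super().__init__()
        self.form_depth = 0
        self.form_ids = set()
        self.candidates = []  # (name, line, value of the form= attribute or None)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.form_depth += 1
            if attrs.get("id"):
                self.form_ids.add(attrs["id"])
        elif tag in FIELD_TAGS and attrs.get("name") and self.form_depth == 0:
            self.candidates.append((attrs["name"], self.getpos()[0], attrs.get("form")))

    def handle_endtag(self, tag):
        if tag == "form" and self.form_depth:
            self.form_depth -= 1

def orphan_fields(html):
    """Return (name, line) for each control whose value would never be posted."""
    finder = OrphanFieldFinder()
    finder.feed(html)
    finder.close()
    # A control outside <form> is still submitted when form="id" names a real form.
    return [(n, line) for n, line, owner in finder.candidates if owner not in finder.form_ids]

# Constructed pages: BROKEN has idSelect outside the form, FIXED has it inside.
BROKEN = """<html><body>
<p>Please choose the name you wish to use.</p>
<input type="text" name="idSelect" />
<form method="post" action="server.php/trust">
  <input type="submit" name="trust" value="Confirm" />
</form>
</body></html>"""
FIXED = BROKEN.replace('<input type="text" name="idSelect" />\n', "").replace(
    '<input type="submit"', '<input type="text" name="idSelect" />\n  <input type="submit"')

if __name__ == "__main__":
    print("broken:", orphan_fields(BROKEN))
    print("fixed: ", orphan_fields(FIXED))
```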

Author:  editor [ Wed Jul 22, 2009 12:14 am ]
Post subject:  Re: Facebook OpenID implementation troubles

You sir, are pure gold. Thank you! I'm planning to try this tonight.

Author:  Cam [ Wed Jul 22, 2009 1:34 am ]
Post subject:  Re: Facebook OpenID implementation troubles

Hi,

I tried this, using Firebug to edit the HTML on page rather than saving to a local file. So the input was moved inside the form. Then I provided 12 characters of my yubikey, generated an OTP which submitted the form.

Facebook seems to have accepted yubico as an OpenID provider - it shows under settings / account settings / linked accounts

BUT... if I am logged out of Facebook I still have to enter my old fashioned username and password, there doesn't seem to be a front-panel option to login with OpenID. I am logged in with Yubico OpenID (according to the yubico site) but Facebook doesn't recognise it. Does this mean Facebook isn't really useful with OpenID?

-Cam

Author:  editor [ Thu Jul 23, 2009 3:37 am ]
Post subject:  Re: Facebook OpenID implementation troubles

tpohl wrote:
I found a way to make this work.

The yubico webpage that asks for the "name you wish to use" has the idSelect tag outside of the form tags. They should really fix that, BUT while on the page, if you view source, copy the source of that page into a new local html page, move the tag, <input type="text" name="idSelect" />, into the <form></form> tags, change the URL to your local file, put your key id into that field and then enter your yubikey, the process WILL work!



I'm having trouble finding that page -- both on the Yubico server as well as my personal OpenID server. It's not my ID page, right? That source:

Code:
<html>
<head>
  <link rel="openid2.provider openid.server" href="http://myname.com/openid/server.php/userXrds?user=ccccccccejby"/>
  <meta http-equiv="X-XRDS-Location" content="http://myname.com/openid/server.php" />
</head>
<body>
  This is the identity page for users of this server.
</body>
</html>


My server.php source:

Code:
<html>
  <head>
    <meta http-equiv="cache-control" content="no-cache"/>
    <meta http-equiv="pragma" content="no-cache"/>
    <title>Yubico OpenID Server - Login to Yubico OpenID Server</title>
    <link rel="stylesheet" type="text/css" href="http://myname.com/openid/openid-server.css" />
  </head>
  <body onLoad="document.login.yubikey.focus();">
   

<div id="content">
    <h1>Login to Yubico OpenID Server</h1>
    <div class="form">
  <p>
    <!-- Enter your Yubikey into this form to log in to this server. -->
    <!-- http://myname.com/openid/server.php/idpage?user=USERNAME -->
  </p>
  <form name="login" method="post" action="http://myname.com/openid/server.php/login">
    <p>

      <b>Yubikey:</b> <input type="yubikey" name="yubikey" id="yubikey" />
      &nbsp;
      <input type="submit" value="Log in" />
    </p>
  </form>
</div>

</div>
  </body>

</html>

Author:  editor [ Thu Jul 23, 2009 5:58 am ]
Post subject:  Re: Facebook OpenID implementation troubles

Found it: the error is in the lib/render/trust.php file.. found in /examples/servers/lib/render/ in the default yubico-php server package. For reference, a fixed version is attached.

Of course, now Facebook validates my OpenID server but doesn't recognize the cookies..

Author:  editor [ Thu Jul 23, 2009 6:41 am ]
Post subject:  Re: Facebook OpenID implementation troubles

From the Facebook developer wiki:

Quote:
OpenID Requirements

We are fully compatible with the spec, although there are a few edge cases that Facebook does not yet support.

* OpenID 1.1 providers are not supported, including AOL. We do support OpenID 2.0 providers only.
* XRI is not supported at this time.

Immediate Mode

OpenID authentication works in two modes: checkid_setup and checkid_immediate. When a request is made in immediate mode (checkid_immediate), then the provider will return with a "yes" or "no" response immediately. If the user is both logged in to his or her provider and has previously authorized the website, then the provider should return "yes", thus letting the user log in.

For various reasons, several providers don't support immediate mode. Therefore there's no way to support automatic login for those providers. Notably, both Myspace and Yahoo do not yet support immediate mode.
http://wiki.developers.facebook.com/index.php/OpenID_Requirements


On the discussion page for known OpenID issues:

Quote:
Hi John, Facebook fails because it only supports OpenID 2.0 compliant identities. In your case you do not provide XRDS discovery nor OpenID 2.0 HTML discovery. As you are a Wordpress user, install/update both the wp-openid and xrds-simple Wordpress plugins and then re-setup your delegation. You should be fine then.
http://wiki.developers.facebook.com/index.php/OpenID_Requirements


Is it possible Yubico/yubico-php isn't OpenID 2.0 compliant?

Author:  editor [ Thu Jul 23, 2009 7:03 am ]
Post subject:  Re: Facebook OpenID implementation troubles

editor wrote:
Is it possible Yubico/yubico-php isn't OpenID 2.0 compliant?


I think I figured out the problem. checkid_immediate calls aren't working, and they need to work for Fb to validate an OpenID. More than that, we're working with OpenID 1.0.

This diagnosis tool shows failures in Cancel checkid_setup, Successful checkid_immediate, Cancel checkid_setup (dumb mode), Successful checkid_immediate (dumb mode)

This tool shows it's OpenID version 1:

PHP-OpenID supports 2.x, but I guess the Yubico mod does not.

All times are UTC + 1 hour