Yubico Forum


All times are UTC + 1 hour




PostPosted: Mon Jun 29, 2009 9:53 pm

Joined: Mon Jun 29, 2009 9:46 pm
Posts: 7
I'm currently trying to figure out where I can use my very neat little Yubico key (besides this forum, of course).

Facebook says they allow OpenID, so I decided to give that a whirl. It redirects me to the Yubico auth server, where I get this message:

Code:
You entered the server URL at the RP. Please choose the name you wish to use. If you enter nothing, the request will be cancelled.


I've tried various strings in the upper box (no green 'y') but Facebook ends up telling me the authorization was cancelled. Comparing the URL to a working OpenID test service, I see that they're missing an "openid.trust_root" parameter, which I think might be the "RP" part of the error messages. Those URLs:

Facebook, non-working: http://openid.yubico.com/server.php?ope ... oc_handle={HMAC-SHA1}{4a406677}{88qwlg%3D%3D}&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1&openid.ns.ui=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fui%2F1.0&openid.realm=https%3A%2F%2Fwww.facebook.com%2F&openid.return_to=https%3A%2F%2Fwww.facebook.com%2Fopenid%2Freceiver.php%3Frequest_id%3D2%26provider_id%3D1039216355268%26context%3Dlink%26protocol%3Dhttps&openid.sreg.optional=postcode%2Ccountry%2Clanguage%2Ctimezone&openid.sreg.required=fullname%2Cemail%2Cdob%2Cgender&openid.ui.lang=en-US&openid.ui.mode=popup

Test service, working: http://openid.yubico.com/server.php?ope ... oc_handle={HMAC-SHA1}{4a491c72}{tY2vVQ%3D%3D}&openid.identity=http%3A%2F%2Fopenid.yubico.com%2Fserver.php%2Fidpage%3Fuser%3Dccccccccekbl&openid.mode=checkid_setup&openid.return_to=http%3A%2F%2Fwww.openidenabled.com%2Fresources%2Fopenid-test%2Fcheckup%2FTestCheckidSetup%2F%3Faction%3Dresponse%26attempt%3D1%26nonce%3DkDd5Eds3&openid.trust_root=http%3A%2F%2Fwww.openidenabled.com%2Fresources%2Fopenid-test%2Fcheckup%2FTestCheckidSetup%2F

Is there any way I can tweak the request URL to get my yubico key working on Facebook?


PostPosted: Fri Jul 10, 2009 8:00 am

Joined: Fri Mar 20, 2009 7:02 pm
Posts: 3
I found a way to make this work.

The yubico webpage that asks for the "name you wish to use" has the idSelect tag outside of the form tags. They should really fix that, BUT while on the page, if you view source, copy the source of that page into a new local html page, move the tag, <input type="text" name="idSelect" />, into the <form></form> tags, change the URL to your local file, put your key id into that field and then enter your yubikey, the process WILL work!
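
The problem described in this post, a named input sitting outside the form element so that the browser never submits it, can be checked for mechanically. The following is an added example, not part of the original post or of the Yubico server code; the sample pages are constructed, and their form action and button name are assumptions.

```python
from html.parser import HTMLParser

FIELD_TAGS = {"input", "select", "textarea", "button"}

class OrphanFieldFinder(HTMLParser):
    """Collect named form controls that no <form> will submit."""

    def __init__(self):
        super().__init__()
        self.form_depth = 0
        self.orphans = []  # (field name, line number) pairs

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.form_depth += 1
        elif tag in FIELD_TAGS and "name" in attrs:
            # A control is sent only with its owning form: an enclosing
            # <form>, or (HTML5) one referenced by a form="id" attribute.
            if self.form_depth == 0 and "form" not in attrs:
                self.orphans.append((attrs["name"], self.getpos()[0]))

    def handle_endtag(self, tag):
        if tag == "form" and self.form_depth:
            self.form_depth -= 1

def find_orphan_fields(html):
    finder = OrphanFieldFinder()
    finder.feed(html)
    finder.close()
    return finder.orphans

# Constructed sample: idSelect is the field named in the post; the form
# action and the submit button name are hypothetical.
BROKEN_PAGE = """<html><body>
<p>Please choose the name you wish to use.</p>
<input type="text" name="idSelect" />
<form method="post" action="server.php/trust">
  <input type="submit" name="trust" value="Confirm" />
</form>
</body></html>"""

# Same page with the input moved inside the form, as the post suggests.
FIXED_PAGE = BROKEN_PAGE.replace('<input type="text" name="idSelect" />\n', "").replace(
    '<input type="submit"', '<input type="text" name="idSelect" />\n  <input type="submit"')

if __name__ == "__main__":
    print(find_orphan_fields(BROKEN_PAGE), find_orphan_fields(FIXED_PAGE))
```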


PostPosted: Wed Jul 22, 2009 12:14 am

Joined: Mon Jun 29, 2009 9:46 pm
Posts: 7
You sir, are pure gold. Thank you! I'm planning to try this tonight.


PostPosted: Wed Jul 22, 2009 1:34 am

Joined: Mon Jul 20, 2009 10:07 pm
Posts: 3
Hi,

I tried this, using Firebug to edit the HTML on page rather than saving to a local file. So the input was moved inside the form. Then I provided 12 characters of my yubikey, generated an OTP which submitted the form.

Facebook seems to have accepted yubico as an OpenID provider - it shows under settings / account settings / linked accounts

BUT... if I am logged out of Facebook I still have to enter my old fashioned username and password, there doesn't seem to be a front-panel option to login with OpenID. I am logged in with Yubico OpenID (according to the yubico site) but Facebook doesn't recognise it. Does this mean Facebook isn't really useful with OpenID?

-Cam


PostPosted: Thu Jul 23, 2009 3:37 am

Joined: Mon Jun 29, 2009 9:46 pm
Posts: 7
tpohl wrote:
I found a way to make this work.

The yubico webpage that asks for the "name you wish to use" has the idSelect tag outside of the form tags. They should really fix that, BUT while on the page, if you view source, copy the source of that page into a new local html page, move the tag, <input type="text" name="idSelect" />, into the <form></form> tags, change the URL to your local file, put your key id into that field and then enter your yubikey, the process WILL work!



I'm having trouble finding that page -- both on the Yubico server as well as my personal OpenID server. It's not my ID page, right? That source:

Code:
<html>
<head>
  <link rel="openid2.provider openid.server" href="http://myname.com/openid/server.php/userXrds?user=ccccccccejby"/>
  <meta http-equiv="X-XRDS-Location" content="http://myname.com/openid/server.php" />
</head>
<body>
  This is the identity page for users of this server.
</body>
</html>


My server.php source:

Code:
<html>
  <head>
    <meta http-equiv="cache-control" content="no-cache"/>
    <meta http-equiv="pragma" content="no-cache"/>
    <title>Yubico OpenID Server - Login to Yubico OpenID Server</title>
    <link rel="stylesheet" type="text/css" href="http://myname.com/openid/openid-server.css" />
  </head>
  <body onLoad="document.login.yubikey.focus();">
   

<div id="content">
    <h1>Login to Yubico OpenID Server</h1>
    <div class="form">
  <p>
    <!-- Enter your Yubikey into this form to log in to this server. -->
    <!-- http://myname.com/openid/server.php/idpage?user=USERNAME -->
  </p>
  <form name="login" method="post" action="http://myname.com/openid/server.php/login">
    <p>

      <b>Yubikey:</b> <input type="yubikey" name="yubikey" id="yubikey" />
      &nbsp;
      <input type="submit" value="Log in" />
    </p>
  </form>
</div>

</div>
  </body>

</html>


PostPosted: Thu Jul 23, 2009 5:58 am

Joined: Mon Jun 29, 2009 9:46 pm
Posts: 7
Found it: the error is in the lib/render/trust.php file, found in /examples/servers/lib/render/ in the default yubico-php server package. For reference, a fixed version is attached.

Of course, now Facebook validates my OpenID server but doesn't recognize the cookies..


PostPosted: Thu Jul 23, 2009 6:41 am

Joined: Mon Jun 29, 2009 9:46 pm
Posts: 7
From the Facebook developer wiki:

Quote:
OpenID Requirements

We are fully compatible with the spec, although there are a few edge cases that Facebook does not yet support.

* OpenID 1.1 providers are not supported, including AOL. We do support OpenID 2.0 providers only.
* XRI is not supported at this time.

Immediate Mode

OpenID authentication works in two modes: checkid_setup and checkid_immediate. When a request is made in immediate mode (checkid_immediate), then the provider will return with a "yes" or "no" response immediately. If the user is both logged in to his or her provider and has previously authorized the website, then the provider should return "yes", thus letting the user log in.

For various reasons, several providers don't support immediate mode. Therefore there's no way to support automatic login for those providers. Notably, both Myspace and Yahoo do not yet support immediate mode.
http://wiki.developers.facebook.com/index.php/OpenID_Requirements


On the discussion page for known OpenID issues:

Quote:
Hi John, Facebook fails because it only supports OpenID 2.0 compliant identities. In your case you do not provide XRDS discovery nor OpenID 2.0 HTML discovery. As you are a Wordpress user, install/update both the wp-openid and xrds-simple Wordpress plugins and then re-setup your delegation. You should be fine then.
http://wiki.developers.facebook.com/index.php/OpenID_Requirements


Is it possible Yubico/yubico-php isn't OpenID 2.0 compliant?


PostPosted: Thu Jul 23, 2009 7:03 am

Joined: Mon Jun 29, 2009 9:46 pm
Posts: 7
editor wrote:
Is it possible Yubico/yubico-php isn't OpenID 2.0 compliant?


I think I figured out the problem. checkid_immediate calls aren't working, and they need to work for Fb to validate an OpenID. More than that, we're working with OpenID 1.0.

This diagnosis tool shows failures in Cancel checkid_setup, Successful checkid_immediate, Cancel checkid_setup (dumb mode), Successful checkid_immediate (dumb mode)

This tool shows it's OpenID version 1:

PHP-OpenID supports 2.x, but I guess the Yubico mod does not.
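
The two request URLs in the first post already show the protocol difference discussed here. The following added example (not from the thread or from yubico-php) classifies an OpenID authentication request by its parameters; the sample query strings are constructed from the parameters visible in those URLs, with the truncated leading part left out.

```python
from urllib.parse import parse_qs

OPENID2_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = OPENID2_NS + "/identifier_select"

def classify_openid_request(query):
    """Summarise an OpenID authentication request from its query string."""
    # parse_qs percent-decodes values; keep the first value of each key.
    p = {k: v[0] for k, v in parse_qs(query).items()}
    # Parameters and values that exist only in OpenID 2.0 requests.
    openid2_only = []
    if p.get("openid.ns") == OPENID2_NS:
        openid2_only.append("openid.ns")
    if "openid.realm" in p:          # 1.x calls this openid.trust_root
        openid2_only.append("openid.realm")
    if "openid.claimed_id" in p:
        openid2_only.append("openid.claimed_id")
    # identifier_select asks the provider to choose the identity itself.
    if IDENTIFIER_SELECT in (p.get("openid.identity"), p.get("openid.claimed_id")):
        openid2_only.append("identifier_select")
    return {
        # A 2.0 request must carry the 2.0 namespace; 1.x requests omit it.
        "version": "2.0" if p.get("openid.ns") == OPENID2_NS else "1.x",
        "mode": p.get("openid.mode"),
        "immediate": p.get("openid.mode") == "checkid_immediate",
        "relying_party": p.get("openid.realm") or p.get("openid.trust_root"),
        "openid2_only": openid2_only,
    }

# Constructed from the visible part of the Facebook request in the first post.
FACEBOOK_QUERY = (
    "openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select"
    "&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select"
    "&openid.mode=checkid_setup"
    "&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
    "&openid.realm=https%3A%2F%2Fwww.facebook.com%2F"
)
# Constructed from the visible part of the test-service request in the first post.
TEST_SERVICE_QUERY = (
    "openid.identity=http%3A%2F%2Fopenid.yubico.com%2Fserver.php%2Fidpage%3Fuser%3Dccccccccekbl"
    "&openid.mode=checkid_setup"
    "&openid.trust_root=http%3A%2F%2Fwww.openidenabled.com%2Fresources%2Fopenid-test"
    "%2Fcheckup%2FTestCheckidSetup%2F"
)

if __name__ == "__main__":
    for name, q in (("facebook", FACEBOOK_QUERY), ("test service", TEST_SERVICE_QUERY)):
        print(name, classify_openid_request(q))
```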

