[cl-openid-ticket] [cl-openid] #18: LiveJournal error response with HTTP status 200

cl-openid cl-openid-devel at common-lisp.net
Mon Jun 6 08:25:02 UTC 2011


#18: LiveJournal error response with HTTP status 200
------------------------+---------------------------------------------------
 Reporter:  avodonosov  |       Owner:              
     Type:  defect      |      Status:  new         
 Priority:  major       |   Milestone:              
Component:  code        |     Version:  1.0 portable
 Keywords:              |  
------------------------+---------------------------------------------------
 The Livejournal OpenID provider started to violate the spec (as I read it) by
 returning an error response with HTTP status code 200 OK.

 When I tested Livejournal with cl-openid last time, it worked OK, but now
 it doesn't work.

 The relevant code: association.lisp, the function ASSOCIATE. It performs
 DIRECT-REQUEST and expects it to signal an OPENID-REQUEST-ERROR if the
 provider does not support the requested session type or association type
 ("error_code" = "unsupported-type"). In this case the condition handler
 retries the association request.

 The DIRECT-REQUEST only signals the error if the HTTP request status is
 not 200.

 But livejournal returns HTTP 200 OK and the message body contains
 "error_code" = "unsupported-type".

 I think it's a violation of the spec (see 5.1.2.2. Error Responses in the
 end of this section: http://openid.net/specs/openid-authentication-
 2_0.html#direct_comm and 8.2.4. Unsuccessful Response Parameters in the
 end of this section: http://openid.net/specs/openid-authentication-
 2_0.html#anchor20). Error responses must always be sent with status 400.

 But we have no other choice than to support the livejournal behaviour.

 I am not sure where to handle it:

 1. Inside of DIRECT-REQUEST, in addition to the HTTP status != 200,
 we may signal an error if the response message contains an "error" attribute.

 2. In the ASSOCIATE function, in addition to the condition handler
 for OPENID-REQUEST-ERROR, we might check that the message has an "error"
 attribute; and if "error_code" = "unsupported-type", then retry the request
 with adjusted parameters.

 As the section 5.1.2.2. "Error Responses" (http://openid.net/specs/openid-
 authentication-2_0.html#direct_comm) specifies that the "error" attribute
 is mandatory for error responses, the variant 1 seems to be acceptable.

-- 
Ticket URL: <http://trac.common-lisp.net/cl-openid/ticket/18>
cl-openid <http://common-lisp.net/project/cl-openid>
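An illustration of variant 1 from the ticket, written for this page in Python; it is not cl-openid's code, and the provider below is a constructed stand-in that reproduces the reported behaviour (an "unsupported-type" error body sent with HTTP 200, then success on the retry) rather than a recording of LiveJournal. The parser follows the Key-Value Form Encoding of OpenID 2.0 section 4.1.1, the error detection keys on the "error" field that section 5.1.2.2 makes mandatory in error responses, and the retry uses the assoc_type/session_type suggestions of section 8.2.4. The handle, key and DH values in the success body are placeholders.

```python
"""Detect OpenID 2.0 direct-response errors by body content, not HTTP status.

Added example, not cl-openid's code.  The transport is a constructed
stand-in for the provider; no network access happens.
"""
from typing import Callable, Dict, List, Optional, Tuple

OPENID_NS = "http://specs.openid.net/auth/2.0"


class OpenIDRequestError(Exception):
    """An error direct response, whatever HTTP status it arrived with."""

    def __init__(self, message: str, error_code: Optional[str], params: Dict[str, str]):
        super().__init__(message)
        self.error_code = error_code
        self.params = params


def parse_kv_form(body: str) -> Dict[str, str]:
    """Parse Key-Value Form Encoding (spec 4.1.1): one "key:value" pair per
    newline-terminated line; keys contain no colon, values may."""
    params: Dict[str, str] = {}
    for line in body.split("\n"):
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed key-value line: %r" % line)
        params[key] = value
    return params


def direct_response(status: int, body: str) -> Dict[str, str]:
    """Variant 1: signal an error when the status is not 200 (spec: 400) OR
    when the body carries the mandatory "error" field.  The second test is
    what catches a provider that sends an error body with 200 OK."""
    try:
        params = parse_kv_form(body)
    except ValueError:
        params = {}
    if status != 200 or "error" in params:
        raise OpenIDRequestError(params.get("error", "HTTP status %d" % status),
                                 params.get("error_code"), params)
    return params


Transport = Callable[[Dict[str, str]], Tuple[int, str]]


def associate(send: Transport, assoc_type: str = "HMAC-SHA256",
              session_type: str = "DH-SHA256") -> Dict[str, str]:
    """Send an associate request; on "unsupported-type" retry once with the
    assoc_type/session_type the OP advertises (spec 8.2.4, both optional)."""
    retried = False
    while True:
        status, body = send({"openid.ns": OPENID_NS, "openid.mode": "associate",
                             "openid.assoc_type": assoc_type,
                             "openid.session_type": session_type})
        try:
            return direct_response(status, body)
        except OpenIDRequestError as err:
            if retried or err.error_code != "unsupported-type":
                raise
            if "assoc_type" not in err.params or "session_type" not in err.params:
                raise  # nothing sensible to retry with
            assoc_type = err.params["assoc_type"]
            session_type = err.params["session_type"]
            retried = True


# Constructed bodies reproducing the reported behaviour.
ERROR_BODY_200 = (
    "ns:http://specs.openid.net/auth/2.0\n"
    "error:Unsupported session type\n"
    "error_code:unsupported-type\n"
    "session_type:DH-SHA1\n"
    "assoc_type:HMAC-SHA1\n"
)
SUCCESS_BODY = (  # placeholder handle/key material, not real values
    "ns:http://specs.openid.net/auth/2.0\n"
    "assoc_handle:constructed-handle-1\n"
    "session_type:DH-SHA1\n"
    "assoc_type:HMAC-SHA1\n"
    "expires_in:1209600\n"
    "dh_server_public:AQ==\n"
    "enc_mac_key:AQ==\n"
)


def make_lenient_provider() -> Tuple[Transport, List[Dict[str, str]]]:
    """Transport mimicking the provider in the ticket, plus its request log."""
    log: List[Dict[str, str]] = []

    def send(request: Dict[str, str]) -> Tuple[int, str]:
        log.append(dict(request))
        if request["openid.session_type"] != "DH-SHA1":
            return 200, ERROR_BODY_200  # spec requires 400; provider sends 200
        return 200, SUCCESS_BODY

    return send, log


def demo() -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    send, log = make_lenient_provider()
    return associate(send), log


if __name__ == "__main__":
    result, requests = demo()
    print(result["assoc_handle"], [r["openid.session_type"] for r in requests])
```

Because `direct_response` keys on the "error" field rather than only on the status, the retry in `associate` fires against both a spec-conforming 400 and the observed 200; a status-only check would have handed the error body back to the caller as if it were a successful association.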