Errors using python-openid and Google Apps Federated Login

UPDATE

I managed to get it to work, although I'm not quite sure why ;) It seems that python-openid uses a POST request to publish openid.mode = associate, and for some reason Google doesn't like it. When I fixed python-openid to use a GET request, everything worked fine. I will continue my investigation and update this post when I have more information. The following is the diff of my changes.

  --- python-openid-2.2.1.orig / openid / consumer / consumer.py
 +++ python-openid-2.2.1 / openid / consumer / consumer.py
 @@ -229.6 +229.20 @@
      # Process response in separate function that can be shared by async code.
      return _httpResponseToMessage (resp, server_url)

 + def makeKVGet (request_message, server_url):
 + "" "Make a Direct Request to an OpenID Provider and return the
 + result as a Message object.
 +
 + @raises openid.fetchers.HTTPFetchingError: if an error is
 + encountered in making the HTTP post.
 +
 + @rtype: L {openid.message.Message}
 + "" "
 + # XXX: TESTME
 + resp = fetchers.fetch (request_message.toURL (server_url))
 +
 + # Process response in separate function that can be shared by async code.
 + return _httpResponseToMessage (resp, server_url)

  def _httpResponseToMessage (response, server_url):
      "" "Adapt a POST response to a Message.
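Review bot: The docstring of makeKVGet still says the error is raised "in making the HTTP post", but the body calls fetchers.fetch with only request_message.toURL (server_url) and no request body, so the whole message goes out as a GET with its fields in the query string. Please correct the docstring, say why a GET variant is needed, and resolve the "# XXX: TESTME" marker with a test; the final comment and return also repeat the tail of the function above, so a shared helper would avoid the copy.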
 @@ -682.6 +696.7 @@
          return true

      _makeKVPost = staticmethod (makeKVPost)
 + _makeKVGet = staticmethod (makeKVGet)

      def _checkSetupNeeded (self, message):
          "" "Check an id_res message to see if it is a
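Review bot: _makeKVGet is added next to _makeKVPost with no comment saying which requests are meant to use which hook. Because the next hunk moves the associate call to the new hook, a subclass or test that overrides _makeKVPost will no longer intercept association requests; add a short comment here and call that out for anyone relying on the override.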
 @@ -1258.7 +1273.7 @@
              endpoint, assoc_type, session_type)

          try:
 - response = self._makeKVPost (args, endpoint.server_url)
 + response = self._makeKVGet (args, endpoint.server_url)
          except fetchers.HTTPFetchingError, why:
              oidutil.log ('openid.associate request failed:% s'% (why [0],))
              return none
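Review bot: The associate call is switched from self._makeKVPost to self._makeKVGet unconditionally, so the transport changes for every provider and not only for the endpoint that rejected the POST. Consider keeping POST as the default and making GET a fallback or a per-endpoint option. With GET the association arguments also travel in the request URL, where proxies and server logs record them, which belongs in the change description.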

Old question saved for context

I was desperately trying to get the trac-authopenid plugin to work, but no luck.

We use Google Apps Premier at work, so I'm trying to get openid auth to work with this. I think I created all the necessary materials (XRDS, etc.), as far as Google is concerned, and I got it so that it works fine with apache2 + mod-auth-openid, and also use it on other sites (e.g., SO).

But I cannot get it to work with trac-authopenid. I am redirected (via a form post, not a redirect, as usual) to Google, where I can log in, but when I return, the plugin simply states that the validation failed.

If I turn on debug logging, I get this (I replaced our domain name with example.com):

    2010-01-27 12:21:15,811 Trac[authopenid] DEBUG: beginning OpenID authentication.
    2010-01-27 12:21:16,866 Trac[authopenid] DEBUG: kvToSeq warning: Line 1 does not contain a colon: '<HTML>\n<HEAD>\n<TITLE>Not Implemented</TITLE>\n</HEAD>\n
    2010-01-27 12:21:16,866 Trac[authopenid] DEBUG: kvToSeq warning: Line 2 does not contain a colon: '<HTML>\n<HEAD>\n<TITLE>Not Implemented</TITLE>\n</HEAD>\n
    2010-01-27 12:21:16,866 Trac[authopenid] DEBUG: kvToSeq warning: Line 3 does not contain a colon: '<HTML>\n<HEAD>\n<TITLE>Not Implemented</TITLE>\n</HEAD>\n
    ... snipped, repeats until line 9...
    2010-01-27 12:21:16,867 Trac[authopenid] DEBUG: openid.associate request failed: bad status code from server https://www.google.com/a/example.com/o8/ud?be=
    2010-01-27 12:21:16,868 Trac[authopenid] DEBUG: _get_trust_root href: /trac
    2010-01-27 12:21:16,868 Trac[authopenid] DEBUG: _get_trust_root abs_href: https://developer.example.com/trac
    2010-01-27 12:21:16,868 Trac[authopenid] DEBUG: _get_trust_root href: /trac
    2010-01-27 12:21:16,868 Trac[authopenid] DEBUG: _get_trust_root abs_href: https://developer.example.com/trac
    2010-01-27 12:21:16,869 Trac[authopenid] DEBUG: Generated checkid_setup request to https://www.google.com/a/example.com/o8/ud?be=o8 using stateless mode.
    2010-01-27 12:21:18,068 Trac[main] DEBUG: Dispatching <Request "GET u'/openidprocess'">
    2010-01-27 12:21:18,075 Trac[session] DEBUG: Retrieving session for ID '25a842642693232301aad341'
    2010-01-27 12:21:18,078 Trac[authopenid] DEBUG: Error attempting to use stored discovery information: <openid.consumer.consumer.TypeURIMismatch: Required ty
    2010-01-27 12:21:18,078 Trac[authopenid] DEBUG: Attempting discovery to verify endpoint
    2010-01-27 12:21:18,078 Trac[authopenid] DEBUG: Performing discovery on http://example.com/openid?id=113663311178245814720
    2010-01-27 12:21:18,121 Trac[authopenid] DEBUG: Received id_res response from https://www.google.com/a/example.com/o8/ud?be=o8 using association AOQobUefon
    2010-01-27 12:21:18,121 Trac[authopenid] DEBUG: Using OpenID check_authentication
    2010-01-27 12:21:18,121 Trac[authopenid] DEBUG: op_endpoint
    2010-01-27 12:21:18,121 Trac[authopenid] DEBUG: claimed_id
    2010-01-27 12:21:18,121 Trac[authopenid] DEBUG: identity
    2010-01-27 12:21:18,122 Trac[authopenid] DEBUG: return_to
    2010-01-27 12:21:18,122 Trac[authopenid] DEBUG: response_nonce
    2010-01-27 12:21:18,122 Trac[authopenid] DEBUG: assoc_handle
    2010-01-27 12:21:18,576 Trac[authopenid] DEBUG: kvToSeq warning: Line 1 does not contain a colon: '<HTML>\n<HEAD>\n<TITLE>Not Implemented</TITLE>\n</HEAD>\n
    2010-01-27 12:21:18,577 Trac[authopenid] DEBUG: kvToSeq warning: Line 2 does not contain a colon: '<HTML>\n<HEAD>\n<TITLE>Not Implemented</TITLE>\n</HEAD>\n
    2010-01-27 12:21:18,577 Trac[authopenid] DEBUG: kvToSeq warning: Line 3 does not contain a colon: '<HTML>\n<HEAD>\n<TITLE>Not Implemented</TITLE>\n</HEAD>\n
    ... snipped, repeats until line 9...
    2010-01-27 12:21:18,578 Trac[authopenid] DEBUG: check_authentication failed: bad status code from server https://www.google.com/a/example.com/o8/ud?be=o8: 501

I tried writing code directly against the python-openid library to narrow it down a bit, but I don't know. I was able to reproduce the error using this piece of code:

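    from openid.store.memstore import MemoryStore
    from openid.consumer import consumer

    # Minimal in-memory session and association store
    session = {'id': 'foobar'}
    store = MemoryStore()

    # Note: rebinding "consumer" shadows the imported module from here on
    consumer = consumer.Consumer(session, store)
    # begin() performs discovery and then attempts the association request
    consumer.begin('https://www.google.com/accounts/o8/site-xrds?hd=example.com')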

which sequentially outputs

    kvToSeq warning: Line 1 does not contain a colon: '<HTML>\n<HEAD>\n<TITLE>Not Implemented</TITLE>\n</HEAD>\n<BODY BGCOLOR="#FFFFFF" TEXT="#000000">\n<H1>Not Implemented</H1>\n<H2>Error 501</H2>\n</BODY>\n</HTML>\n'
    kvToSeq warning: Line 2 does not contain a colon: '<HTML>\n<HEAD>\n<TITLE>Not Implemented</TITLE>\n</HEAD>\n<BODY BGCOLOR="#FFFFFF" TEXT="#000000">\n<H1>Not Implemented</H1>\n<H2>Error 501</H2>\n</BODY>\n</HTML>\n'
    kvToSeq warning: Line 3 does not contain a colon: '<HTML>\n<HEAD>\n<TITLE>Not Implemented</TITLE>\n</HEAD>\n<BODY BGCOLOR="#FFFFFF" TEXT="#000000">\n<H1>Not Implemented</H1>\n<H2>Error 501</H2>\n</BODY>\n</HTML>\n'
    ... snip ...
    openid.associate request failed: bad status code from server https://www.google.com/a/example.com/o8/ud?be=o8: 501

Some version numbers:

    Python 2.6.2
    trac-authopenid 0.1.6
    python-openid 2.2.1

I'm at a complete loss, and I could really use some help.

+4
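
The kvToSeq warnings in the question's log come from treating an HTML 501 error page as an OpenID Key-Value Form message. The sketch below is an added example, not part of the original post and not python-openid's own code: it checks the HTTP status before parsing and reports which lines lack a colon. The function names are hypothetical and both sample bodies are constructed (the first from the body quoted in the question, the second with placeholder values).

```python
# Added example (not python-openid code): classify an OpenID direct response.
# Function names are hypothetical. Sample bodies below are constructed.

SAMPLE_501_BODY = (  # mirrors the HTML body quoted in the question's output
    '<HTML>\n<HEAD>\n<TITLE>Not Implemented</TITLE>\n</HEAD>\n'
    '<BODY BGCOLOR="#FFFFFF" TEXT="#000000">\n<H1>Not Implemented</H1>\n'
    '<H2>Error 501</H2>\n</BODY>\n</HTML>\n'
)
SAMPLE_ASSOC_BODY = (  # constructed success response, placeholder values
    'ns:http://specs.openid.net/auth/2.0\n'
    'assoc_handle:EXAMPLE-HANDLE\n'
    'session_type:no-encryption\n'
    'assoc_type:HMAC-SHA1\n'
    'expires_in:3600\n'
    'mac_key:AAAA\n'
)


def parse_kv(body):
    """Parse Key-Value Form: one 'key:value' per newline-terminated line.

    Returns (pairs, bad_lines); bad_lines holds 1-based numbers of lines
    that have no colon and therefore cannot be part of an OpenID message.
    """
    pairs, bad_lines = {}, []
    lines = body.split('\n')
    if lines and lines[-1] == '':
        lines.pop()  # the body ends with a newline; drop the empty tail
    for number, line in enumerate(lines, 1):
        key, sep, value = line.partition(':')  # split on the first colon only
        if sep:
            pairs[key] = value
        else:
            bad_lines.append(number)
    return pairs, bad_lines


def classify_direct_response(status, body):
    """Check the HTTP status before trusting the body as an OpenID message."""
    if status not in (200, 400):  # 200 = success, 400 = OpenID error message
        return ('http-error', 'status %d, body not parsed' % status)
    pairs, bad_lines = parse_kv(body)
    if bad_lines:
        return ('malformed', bad_lines)
    if status == 400 or 'error' in pairs:
        return ('openid-error', pairs.get('error', ''))
    return ('ok', pairs)
```

For the question's case, classify_direct_response(501, SAMPLE_501_BODY) reports an HTTP error without parsing, while parse_kv on the same body flags all nine lines, which matches the warnings that repeat "until line 9" in the log.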
2 answers

Good. I don’t have an Apps account, so I can’t test the login, but I can successfully communicate with the application domain using python-openid 2.2.4. Here is a small debugging tool for association requests: http://gist.github.com/288560

Your patch should not have fixed things; Bind requests are always POST. And the Ruby library always uses POST, so unless rpxnow has made some unusual modifications, rpxnow should not work if python-openid isn't working here.

I was going to ask you about openid.store in your installation, but if your minimal example with a MemoryStore reproduces it, that is not it.

I think the only thing left is to suggest that you contact Google Apps support.

+2

You mentioned that you are using Python 2.6.2 with python-openid. The README file's Requirements section lists only Python 2.3, 2.4, or 2.5. Good to hear that you got it working.

0

Source: https://habr.com/ru/post/1299557/

