PHP Suit
Useful PHP scripts

Strange OpenID "Bad signature" error

I've finally solved a strange OpenID "Bad signature" error on my website, which uses the PHP OpenID library by JanRain...

Some time ago I realized my OpenID-enabled website had started to report a "Bad signature" error during the authentication process. I found some tips (bad GMP etc.), but they didn't help. Moreover, this error appeared only with some IDs, like MyOpenID. Other providers, such as ClaimID, were OK.

So I decided it was something in the MyOpenID implementation that I couldn't work out.

But today I've tried a new OpenID provider. My first check was the standard OpenID library consumer example (one can find it in the distribution pack in /examples/consumer directory). The result was exactly the same as with MyOpenID: "Bad signature".

I don't know why, but I tried the same procedure in IE7 (my default browser is FF3, of course). And - SURPRISE! In my IE everything went OK!

I've tried my other OpenIDs - OK. I've tried them in Opera: OK.

Ha! It means there are no problems with the math libraries or the MyOpenID implementation, but with something in (my) Firefox. After one hour of poking around with Fiddler I found the first reason: the NoScript addon. I thought the problem was caused by disabling JavaScript. When I disabled the NoScript plugin for the "myopenid.com" domain, the strange error disappeared.

Everything seemed solved. But I had a strange feeling it wasn't the main reason. Fiddler said something about a bad domain, and FF with the Fiddler proxy started throwing some messages about XSS. It was totally strange.

The final workaround was simple, and Fiddler led me to it. Its error message says: "Bad domain, HOST is my.server.com, but URL is my.server.com:80". Yes, there it was!

In the /examples/consumer/common.inc you can find this:

function getReturnTo() {
    return sprintf("%s://%s:%s%s/finish_auth.php",
                   getScheme(), $_SERVER['SERVER_NAME'],
                   $_SERVER['SERVER_PORT'],
                   dirname($_SERVER['PHP_SELF']));
}

function getTrustRoot() {
    return sprintf("%s://%s:%s%s/",
                   getScheme(), $_SERVER['SERVER_NAME'],
                   $_SERVER['SERVER_PORT'],
                   dirname($_SERVER['PHP_SELF']));
}

So the OpenID library sends TrustRoot and ReturnTo with ":port". I tried to strip it out, replacing the functions with:

function getReturnTo() {
    return sprintf("%s://%s%s/finish_auth.php",
                   getScheme(), $_SERVER['SERVER_NAME'],
                   dirname($_SERVER['PHP_SELF']));
}

function getTrustRoot() {
    return sprintf("%s://%s%s/",
                   getScheme(), $_SERVER['SERVER_NAME'],
                   dirname($_SERVER['PHP_SELF']));
}

... and everything works, with JS disabled!

So if you get a "strange" Bad signature error with some OpenID providers and the NoScript plugin, try removing the ":port" part (if you're the server admin) or simply turn off NoScript for your OpenID provider's domain.
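
The replacement above removes the port unconditionally, so on a server listening on a non-standard port the ReturnTo URL would no longer point at it. An added example (not from the original post or the JanRain library; `originFor`, `basePathFor`, `returnToFor`, `trustRootFor` and the sample hosts are hypothetical) that drops the port only when it is the scheme's default:

```php
<?php
// Added example: not part of the JanRain library or the original post.
// originFor(), basePathFor() and the sample values are hypothetical.

// Build scheme://host[:port]; the port is omitted only when it is the
// default for the scheme, so 8080 or 8443 survive in the URL.
function originFor(string $scheme, string $host, int $port): string
{
    $defaults = ['http' => 80, 'https' => 443];
    $scheme = strtolower($scheme);
    $isDefault = isset($defaults[$scheme]) && $defaults[$scheme] === $port;
    return $scheme . '://' . $host . ($isDefault ? '' : ':' . $port);
}

// dirname() yields "/" (or "\" on Windows) for a script in the web root;
// normalise and trim so the URL never ends up with a doubled slash.
function basePathFor(string $scriptPath): string
{
    return rtrim(str_replace('\\', '/', dirname($scriptPath)), '/');
}

function returnToFor(string $scheme, string $host, int $port, string $script): string
{
    return originFor($scheme, $host, $port) . basePathFor($script) . '/finish_auth.php';
}

function trustRootFor(string $scheme, string $host, int $port, string $script): string
{
    return originFor($scheme, $host, $port) . basePathFor($script) . '/';
}

// In common.inc the arguments would be getScheme(), $_SERVER['SERVER_NAME'],
// (int) $_SERVER['SERVER_PORT'] and $_SERVER['PHP_SELF'].
// Constructed sample inputs:
$cases = [
    ['http',  'my.server.com', 80,   '/examples/consumer/try_auth.php'],
    ['https', 'my.server.com', 443,  '/try_auth.php'],
    ['http',  'my.server.com', 8080, '/examples/consumer/try_auth.php'],
];

foreach ($cases as [$scheme, $host, $port, $script]) {
    printf("%-55s %s\n",
        returnToFor($scheme, $host, $port, $script),
        trustRootFor($scheme, $host, $port, $script));
}
```

Both values are still built from `SERVER_NAME`, as in the library example, rather than from the client-supplied `Host` header.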