Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Discrepancy in user authorization #26

Open
wxpmeonrvib opened this issue Jan 13, 2012 · 0 comments
Open

Discrepancy in user authorization #26

wxpmeonrvib opened this issue Jan 13, 2012 · 0 comments
Assignees
@bmuller
Milestone
release 0.9

Comments

@wxpmeonrvib
Copy link

The functoin "mod_authopenid_check_user_access" checks, if the user (as entered in the Indentity URL field) exists in the "require user A B C" directive. If, in addition to that, the user has a valid session, the module grants permission to enter. But: The "get_claimed_id" (which can defer from the actually entered, e.g. by wrapping in http://*/, or by using https://www.google.com/accounts/o8/id) will actually be used in the user program AND in Apache's Own Authorization:

mod_auth_openid will give green light but Apache will give a 401 Error! And the worst part is, that the user cannot go back, because mod_auth_openid is satisfied by the cookie and the login page will not be shown anymore!
@ghost ghost assigned bmuller Nov 6, 2013
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bmuller bmuller

Labels
None yet
Projects
None yet
Milestone
release 0.9
Development

No branches or pull requests
2 participants
@bmuller @wxpmeonrvib