0

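I came in today to find that nobody can log in to our system, which uses DotNetOpenAuth with the Google provider. It has been running fine for months, and there have been no updates to the system for a few weeks. I am getting: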

ERROR DotNetOpenAuth.Messaging.Bindings - Provider reports signature verification failed.

This is now happening on my local machine as well. Does anyone know whether something has changed with the Google provider?

The full log entry is below:

2013-04-19 10:45:32,692 (GMT+1) [41] DEBUG DotNetOpenAuth.Http - HTTP GET https://www.google.com/accounts/o8/id
2013-04-19 10:45:34,863 (GMT+1) [41] DEBUG DotNetOpenAuth.Yadis - An XRDS response was received from GET at user-supplied identifier.
2013-04-19 10:45:34,864 (GMT+1) [41] DEBUG DotNetOpenAuth.Yadis - Total services discovered in XRDS: 1
2013-04-19 10:45:34,864 (GMT+1) [41] DEBUG DotNetOpenAuth.Yadis - [{
    ClaimedIdentifier: http://specs.openid.net/auth/2.0/identifier_select
    ProviderLocalIdentifier: http://specs.openid.net/auth/2.0/identifier_select
    ProviderEndpoint: https://www.google.com/accounts/o8/ud
    OpenID version: 2.0
    Service Type URIs:
        http://specs.openid.net/auth/2.0/server
        http://openid.net/srv/ax/1.0
        http://specs.openid.net/extensions/ui/1.0/mode/popup
        http://specs.openid.net/extensions/ui/1.0/icon
        http://specs.openid.net/extensions/pape/1.0
},]
2013-04-19 10:45:34,864 (GMT+1) [41] DEBUG DotNetOpenAuth.Yadis - Skipping HTML discovery because XRDS contained service endpoints.
2013-04-19 10:45:34,865 (GMT+1) [41] INFO  DotNetOpenAuth.Yadis - Performing discovery on user-supplied identifier: https://www.google.com/accounts/o8/id
2013-04-19 10:45:34,865 (GMT+1) [41] DEBUG DotNetOpenAuth.Yadis - Filtering and sorting of endpoints did not affect the list.
2013-04-19 10:45:34,865 (GMT+1) [41] DEBUG DotNetOpenAuth.OpenId - Creating authentication request for user supplied Identifier: https://www.google.com/accounts/o8/id
2013-04-19 10:45:34,865 (GMT+1) [41] DEBUG DotNetOpenAuth.OpenId - Could not determine whether OP supported Sreg or AX.  Using both extensions.
2013-04-19 10:45:34,866 (GMT+1) [41] DEBUG DotNetOpenAuth.Messaging.Channel - Preparing to send CheckIdRequest (2.0) message.
2013-04-19 10:45:34,866 (GMT+1) [41] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.ExtensionsBindingElementRelyingParty applied to message.
2013-04-19 10:45:34,866 (GMT+1) [41] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.RelyingPartySecurityOptions did not apply to message.
2013-04-19 10:45:34,866 (GMT+1) [41] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.BackwardCompatibilityBindingElement did not apply to message.
2013-04-19 10:45:34,867 (GMT+1) [41] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.ReturnToNonceBindingElement did not apply to message.
2013-04-19 10:45:34,867 (GMT+1) [41] DEBUG DotNetOpenAuth.Messaging.Bindings - ReturnTo signed data: 
    dnoa.return_to_sig_handle: lD0z
    dnoa.userSuppliedIdentifier: https://www.google.com/accounts/o8/id
    ReturnUrl: /

2013-04-19 10:45:34,868 (GMT+1) [41] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.ReturnToSignatureBindingElement applied to message.
2013-04-19 10:45:34,868 (GMT+1) [41] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.Messaging.Bindings.StandardReplayProtectionBindingElement did not apply to message.
2013-04-19 10:45:34,868 (GMT+1) [41] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.Messaging.Bindings.StandardExpirationBindingElement did not apply to message.
2013-04-19 10:45:34,868 (GMT+1) [41] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.RelyingPartySigningBindingElement did not apply to message.
2013-04-19 10:45:34,868 (GMT+1) [41] INFO  DotNetOpenAuth.Messaging.Channel - Prepared outgoing CheckIdRequest (2.0) message for https://www.google.com/accounts/o8/ud: 
    openid.claimed_id: http://specs.openid.net/auth/2.0/identifier_select
    openid.identity: http://specs.openid.net/auth/2.0/identifier_select
    openid.assoc_handle: 1.AMlYA9UWwIc6XwY3cBNwCRCb96aKYV7c5ziaDzzlXemScowZoxyJRv1RWXCuoJSd4AEQj_w6m14sSA
    openid.return_to: http://localhost:63854/Account/Logon?ReturnUrl=%2F&dnoa.userSuppliedIdentifier=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid&dnoa.return_to_sig_handle=lD0z&dnoa.return_to_sig=HIgme5MYRRBZYU8nkKMW1fM9K6%2BQJreG0OPqatItleY%3D
    openid.realm: http://localhost:63854/
    openid.mode: checkid_setup
    openid.ns: http://specs.openid.net/auth/2.0
    openid.ns.sreg: http://openid.net/extensions/sreg/1.1
    openid.sreg.required: 
    openid.sreg.optional: country
    openid.ns.alias3: http://openid.net/srv/ax/1.0
    openid.alias3.if_available: alias1,alias2
    openid.alias3.mode: fetch_request
    openid.alias3.type.alias1: http://axschema.org/contact/country/home
    openid.alias3.count.alias1: 1
    openid.alias3.type.alias2: http://schema.openid.net/contact/country/home
    openid.alias3.count.alias2: 1

2013-04-19 10:45:34,868 (GMT+1) [41] DEBUG DotNetOpenAuth.Messaging.Channel - Sending message: CheckIdRequest
2013-04-19 10:45:34,869 (GMT+1) [41] DEBUG DotNetOpenAuth.Http - Redirecting to https://www.google.com/accounts/o8/ud?openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.assoc_handle=1.AMlYA9UWwIc6XwY3cBNwCRCb96aKYV7c5ziaDzzlXemScowZoxyJRv1RWXCuoJSd4AEQj_w6m14sSA&openid.return_to=http%3A%2F%2Flocalhost%3A63854%2FAccount%2FLogon%3FReturnUrl%3D%252F%26dnoa.userSuppliedIdentifier%3Dhttps%253A%252F%252Fwww.google.com%252Faccounts%252Fo8%252Fid%26dnoa.return_to_sig_handle%3DlD0z%26dnoa.return_to_sig%3DHIgme5MYRRBZYU8nkKMW1fM9K6%252BQJreG0OPqatItleY%253D&openid.realm=http%3A%2F%2Flocalhost%3A63854%2F&openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1&openid.sreg.required=&openid.sreg.optional=country&openid.ns.alias3=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.alias3.if_available=alias1%2Calias2&openid.alias3.mode=fetch_request&openid.alias3.type.alias1=http%3A%2F%2Faxschema.org%2Fcontact%2Fcountry%2Fhome&openid.alias3.count.alias1=1&openid.alias3.type.alias2=http%3A%2F%2Fschema.openid.net%2Fcontact%2Fcountry%2Fhome&openid.alias3.count.alias2=1
2013-04-19 10:46:19,674 (GMT+1) [16] WARN  DotNetOpenAuth.OpenId - Raising minimum OpenID version requirement for Providers to 2.0 to protect this stateless RP from replay attacks.
2013-04-19 10:46:19,675 (GMT+1) [16] INFO  DotNetOpenAuth.Messaging.Channel - Scanning incoming request for messages: http://localhost:63854/Account/Logon?ReturnUrl=%2F&dnoa.userSuppliedIdentifier=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid&dnoa.return_to_sig_handle=lD0z&dnoa.return_to_sig=HIgme5MYRRBZYU8nkKMW1fM9K6%2BQJreG0OPqatItleY%3D&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud&openid.response_nonce=2013-04-19T09%3A46%3A01ZS6XpwR4ZQavZPg&openid.return_to=http%3A%2F%2Flocalhost%3A63854%2FAccount%2FLogon%3FReturnUrl%3D%252F%26dnoa.userSuppliedIdentifier%3Dhttps%253A%252F%252Fwww.google.com%252Faccounts%252Fo8%252Fid%26dnoa.return_to_sig_handle%3DlD0z%26dnoa.return_to_sig%3DHIgme5MYRRBZYU8nkKMW1fM9K6%252BQJreG0OPqatItleY%253D&openid.assoc_handle=1.AMlYA9UWwIc6XwY3cBNwCRCb96aKYV7c5ziaDzzlXemScowZoxyJRv1RWXCuoJSd4AEQj_w6m14sSA&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle&openid.sig=ZFvM0jP6No50OcWkMESKqtwO3s1Q5m8DmG3IW5RnpyQ%3D&openid.identity=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawkjhoACXLQwQ3fUFYWcX6-IIBdkkIl2cFk&openid.claimed_id=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawkjhoACXLQwQ3fUFYWcX6-IIBdkkIl2cFk
2013-04-19 10:46:19,675 (GMT+1) [16] DEBUG DotNetOpenAuth.Messaging.Channel - Incoming HTTP request: GET http://localhost:63854/Account/Logon?ReturnUrl=%2F&dnoa.userSuppliedIdentifier=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid&dnoa.return_to_sig_handle=lD0z&dnoa.return_to_sig=HIgme5MYRRBZYU8nkKMW1fM9K6%2BQJreG0OPqatItleY%3D&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud&openid.response_nonce=2013-04-19T09%3A46%3A01ZS6XpwR4ZQavZPg&openid.return_to=http%3A%2F%2Flocalhost%3A63854%2FAccount%2FLogon%3FReturnUrl%3D%252F%26dnoa.userSuppliedIdentifier%3Dhttps%253A%252F%252Fwww.google.com%252Faccounts%252Fo8%252Fid%26dnoa.return_to_sig_handle%3DlD0z%26dnoa.return_to_sig%3DHIgme5MYRRBZYU8nkKMW1fM9K6%252BQJreG0OPqatItleY%253D&openid.assoc_handle=1.AMlYA9UWwIc6XwY3cBNwCRCb96aKYV7c5ziaDzzlXemScowZoxyJRv1RWXCuoJSd4AEQj_w6m14sSA&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle&openid.sig=ZFvM0jP6No50OcWkMESKqtwO3s1Q5m8DmG3IW5RnpyQ%3D&openid.identity=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawkjhoACXLQwQ3fUFYWcX6-IIBdkkIl2cFk&openid.claimed_id=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawkjhoACXLQwQ3fUFYWcX6-IIBdkkIl2cFk
2013-04-19 10:46:19,676 (GMT+1) [16] DEBUG DotNetOpenAuth.Messaging.Channel - Incoming request received: PositiveAssertionResponse
2013-04-19 10:46:19,676 (GMT+1) [16] INFO  DotNetOpenAuth.Messaging.Channel - Processing incoming PositiveAssertionResponse (2.0) message:
    openid.claimed_id: https://www.google.com/accounts/o8/id?id=AItOawkjhoACXLQwQ3fUFYWcX6-IIBdkkIl2cFk
    openid.identity: https://www.google.com/accounts/o8/id?id=AItOawkjhoACXLQwQ3fUFYWcX6-IIBdkkIl2cFk
    openid.sig: ZFvM0jP6No50OcWkMESKqtwO3s1Q5m8DmG3IW5RnpyQ=
    openid.signed: op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle
    openid.assoc_handle: 1.AMlYA9UWwIc6XwY3cBNwCRCb96aKYV7c5ziaDzzlXemScowZoxyJRv1RWXCuoJSd4AEQj_w6m14sSA
    openid.op_endpoint: https://www.google.com/accounts/o8/ud
    openid.return_to: http://localhost:63854/Account/Logon?ReturnUrl=%2F&dnoa.userSuppliedIdentifier=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid&dnoa.return_to_sig_handle=lD0z&dnoa.return_to_sig=HIgme5MYRRBZYU8nkKMW1fM9K6%2BQJreG0OPqatItleY%3D
    openid.response_nonce: 2013-04-19T09:46:01ZS6XpwR4ZQavZPg
    openid.mode: id_res
    openid.ns: http://specs.openid.net/auth/2.0
    ReturnUrl: /
    dnoa.userSuppliedIdentifier: https://www.google.com/accounts/o8/id
    dnoa.return_to_sig_handle: lD0z
    dnoa.return_to_sig: HIgme5MYRRBZYU8nkKMW1fM9K6+QJreG0OPqatItleY=

2013-04-19 10:46:19,676 (GMT+1) [16] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.BackwardCompatibilityBindingElement did not apply to message.
2013-04-19 10:46:19,676 (GMT+1) [16] DEBUG DotNetOpenAuth.Messaging.Bindings - Verifying incoming PositiveAssertionResponse message signature of: ZFvM0jP6No50OcWkMESKqtwO3s1Q5m8DmG3IW5RnpyQ=
2013-04-19 10:46:19,676 (GMT+1) [16] DEBUG DotNetOpenAuth.Messaging.Channel - Preparing to send CheckAuthenticationRequest (2.0) message.
2013-04-19 10:46:19,676 (GMT+1) [16] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.ExtensionsBindingElementRelyingParty did not apply to message.
2013-04-19 10:46:19,677 (GMT+1) [16] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.RelyingPartySecurityOptions did not apply to message.
2013-04-19 10:46:19,677 (GMT+1) [16] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.BackwardCompatibilityBindingElement did not apply to message.
2013-04-19 10:46:19,677 (GMT+1) [16] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.Messaging.Bindings.StandardExpirationBindingElement did not apply to message.
2013-04-19 10:46:19,677 (GMT+1) [16] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.RelyingPartySigningBindingElement did not apply to message.
2013-04-19 10:46:19,677 (GMT+1) [16] INFO  DotNetOpenAuth.Messaging.Channel - Prepared outgoing CheckAuthenticationRequest (2.0) message for https://www.google.com/accounts/o8/ud: 
    openid.return_to: http://localhost:63854/Account/Logon?ReturnUrl=%2F&dnoa.userSuppliedIdentifier=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid&dnoa.return_to_sig_handle=lD0z&dnoa.return_to_sig=HIgme5MYRRBZYU8nkKMW1fM9K6%2BQJreG0OPqatItleY%3D
    openid.mode: check_authentication
    openid.ns: http://specs.openid.net/auth/2.0
    openid.claimed_id: https://www.google.com/accounts/o8/id?id=AItOawkjhoACXLQwQ3fUFYWcX6-IIBdkkIl2cFk
    openid.identity: https://www.google.com/accounts/o8/id?id=AItOawkjhoACXLQwQ3fUFYWcX6-IIBdkkIl2cFk
    openid.sig: ZFvM0jP6No50OcWkMESKqtwO3s1Q5m8DmG3IW5RnpyQ=
    openid.signed: op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle
    openid.assoc_handle: 1.AMlYA9UWwIc6XwY3cBNwCRCb96aKYV7c5ziaDzzlXemScowZoxyJRv1RWXCuoJSd4AEQj_w6m14sSA
    openid.op_endpoint: https://www.google.com/accounts/o8/ud
    openid.response_nonce: 2013-04-19T09:46:01ZS6XpwR4ZQavZPg
    ReturnUrl: /
    dnoa.userSuppliedIdentifier: https://www.google.com/accounts/o8/id
    dnoa.return_to_sig_handle: lD0z
    dnoa.return_to_sig: HIgme5MYRRBZYU8nkKMW1fM9K6+QJreG0OPqatItleY=

2013-04-19 10:46:19,677 (GMT+1) [16] DEBUG DotNetOpenAuth.Messaging.Channel - Sending CheckAuthenticationRequest request.
2013-04-19 10:46:21,457 (GMT+1) [16] DEBUG DotNetOpenAuth.Http - HTTP POST https://www.google.com/accounts/o8/ud
2013-04-19 10:46:22,625 (GMT+1) [16] DEBUG DotNetOpenAuth.Messaging.Channel - Received CheckAuthenticationResponse response.
2013-04-19 10:46:22,625 (GMT+1) [16] INFO  DotNetOpenAuth.Messaging.Channel - Processing incoming CheckAuthenticationResponse (2.0) message:
    is_valid: false
    ns: http://specs.openid.net/auth/2.0

2013-04-19 10:46:22,625 (GMT+1) [16] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.BackwardCompatibilityBindingElement did not apply to message.
2013-04-19 10:46:22,625 (GMT+1) [16] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.RelyingPartySigningBindingElement did not apply to message.
2013-04-19 10:46:22,625 (GMT+1) [16] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.Messaging.Bindings.StandardExpirationBindingElement did not apply to message.
2013-04-19 10:46:22,625 (GMT+1) [16] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.RelyingPartySecurityOptions did not apply to message.
2013-04-19 10:46:22,625 (GMT+1) [16] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.ExtensionsBindingElementRelyingParty did not apply to message.
2013-04-19 10:46:22,625 (GMT+1) [16] DEBUG DotNetOpenAuth.Messaging.Channel - After binding element processing, the received CheckAuthenticationResponse (2.0) message is: 
    is_valid: false
    ns: http://specs.openid.net/auth/2.0

2013-04-19 10:46:22,625 (GMT+1) [16] ERROR DotNetOpenAuth.Messaging.Bindings - Provider reports signature verification failed.
4

1 Answer

0

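From the log, your RP is misconfigured. It looks like, at least when the positive assertion comes back, you are instantiating OpenIdRelyingParty with an empty association store (or perhaps none at all), whereas the OpenIdRelyingParty instance you used to initiate the login did have an association store.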

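I note that there is an openid.assoc_handle parameter in the request, and that the same value for that parameter is in the positive assertion response. Yet the RP still sends that association handle to the Provider endpoint in a check_auth message. That is wrong. Google is right to reject it as invalid.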

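The quickest workaround is to pass null to all your OpenIdRelyingParty constructors, forcing your RP into "dumb mode" so that it stops using shared associations. This should make the final check_auth call succeed. Ideally, you want to use an association store whose associations are shared across all servers of this web application (if you are in a web farm) and each time you construct OpenIdRelyingParty.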

Answered 2013-04-22T13:20:16.453
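The failure described in the answer, as an added example that is not DotNetOpenAuth or Google code: a toy model of the OpenID 2.0 rule that check_authentication is answered only for associations private to the provider, so a shared handle the RP no longer holds the secret for comes back is_valid: false. `ToyProvider`, `rp_verify`, `run_scenarios` and the identifier URL are hypothetical names and constructed values.

```python
import base64, hashlib, hmac, os

def sign(secret, msg):
    """OpenID 2.0 style signature: HMAC-SHA256 over 'key:value\\n' for each signed field."""
    text = "".join(f"{k}:{msg[k]}\n" for k in msg["signed"].split(","))
    return base64.b64encode(hmac.new(secret, text.encode(), hashlib.sha256).digest()).decode()

class ToyProvider:
    """Constructed stand-in for an OP; keeps shared and private associations apart."""
    def __init__(self):
        self.shared, self.private = {}, {}

    def associate(self):
        handle, secret = "shared-" + os.urandom(4).hex(), os.urandom(32)
        self.shared[handle] = secret
        return handle, secret

    def assert_identity(self, claimed_id, requested_handle=None):
        if requested_handle in self.shared:          # RP asked for its shared association
            handle, secret = requested_handle, self.shared[requested_handle]
        else:                                        # stateless RP: OP-private association
            handle, secret = "private-" + os.urandom(4).hex(), os.urandom(32)
            self.private[handle] = secret
        msg = {"claimed_id": claimed_id, "assoc_handle": handle,
               "signed": "claimed_id,assoc_handle"}
        msg["sig"] = sign(secret, msg)
        return msg

    def check_authentication(self, msg):
        # Only private associations are usable here; a shared handle yields is_valid:false.
        secret = self.private.pop(msg["assoc_handle"], None)
        return secret is not None and hmac.compare_digest(sign(secret, msg), msg["sig"])

def rp_verify(op, msg, store):
    """Verify locally if the store holds the secret, otherwise ask the OP."""
    secret = store.get(msg["assoc_handle"])
    if secret is not None:
        return hmac.compare_digest(sign(secret, msg), msg["sig"])
    return op.check_authentication(msg)

def run_scenarios():
    op, user = ToyProvider(), "https://op.example/id?id=constructed"
    handle, secret = op.associate()
    request_store = {handle: secret}                 # store of the instance that began login
    shared_ok = rp_verify(op, op.assert_identity(user, handle), request_store)
    mismatch = rp_verify(op, op.assert_identity(user, handle), {})   # empty store on return
    dumb_ok = rp_verify(op, op.assert_identity(user), {})            # no handle sent at all
    return {"shared_store": shared_ok, "empty_store_on_return": mismatch, "dumb_mode": dumb_ok}
```

The `empty_store_on_return` case matches the log above: the request carried an assoc_handle, the assertion echoed it, and the follow-up check_authentication was refused.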