After a long session of debugging I’ve come to the conclusion that it’s not possible to get OpenId working in an AIR app on OSX because of this bug. I’m not sure why I didn’t run into this earlier, maybe it’s a new bug.
In short, whenever the HTML control gets redirected somewhere, it loads that page twice instead of once like it should. That will likely break more than just OpenID. Hell, imagine submitting a form twice or something because of this. Luckily forms don’t usually do a redirect to submit, unluckily OpenID relies on redirects to work.
The specific problem arises when an OpenID provider redirects the user back to the website requesting authentication. The website loads, but then it loads again. Per the OpenID specification, that second load must be rejected by the website because it contains the same openid.response_nonce as the load that happened immiedately before it. So now we have a failure condition and authentication stops. The reason the specification states that, is because a malicious user could use a replay attack to use the same authentication token from someone else over and over again.
Please, go vote on that bug so we can get this fixed.
Luckily, it works fine on Windows and Linux (yeah, AIR in Linux rocks!)
0 Responses to “AIR + OSX + OpenId = Broken”