Tuesday, April 13, 2010

DotNetOpenAuth v3.4.3 released

DotNetOpenAuth has just seen a minor release to v3.4.3. The fixes center on corner-case interoperability issues that prevent a very small percentage (<0.5%) of OpenID users from logging into your relying party web sites. A few other miscellaneous fixes are included as well.

Go download it now.

The OpenID “dot bug”

The most noteworthy fix was a very difficult one to pull off, namely the bug where OpenIDs with trailing dots were unsupported. Back in the 1990s, classic ASP had the infamous “dot bug” where a trailing dot appended to a URL path would reveal the source code of the server-side script, which was a fatal security hole that was (of course) patched. I think that this might have inspired the .NET Framework’s Uri class design to include automatically removing trailing dots from each path segment in a Uri instance. Since FAT and NTFS file systems don’t support trailing dots on filenames, this doesn’t cause any issue if the web is served from Windows file systems.

But when these URLs are actually OpenIDs, and those OpenIDs contain path segments that are base64 encoded where one of the two assignable characters is a period (à la Yahoo’s pseudonymous OpenIDs), then approximately 1.5% of base64-encoded OpenIDs have trailing periods. So what’s the problem? When an OpenID positive assertion comes into a .NET-based OpenID relying party web site with a claimed_id that ends with a period, .NET will quietly strip the period from the claimed_id, causing the login to fail or (arguably worse) to succeed but with OpenID discovery misdirected to the wrong URL (one where the trailing dot is stripped).
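A model of the mismatch described above, as an added example that is not from the original post or from DotNetOpenAuth: it imitates the trailing-dot stripping in Python rather than calling .NET's Uri class, and shows why roughly 1 in 64 such identifiers is affected. The host `op.example`, the 27-character token length and `_` as the second assignable base64 character are assumptions.

```python
import random
import string
from urllib.parse import urlsplit

# Assumed 64-character alphabet: 62 alphanumerics plus the two assignable
# characters, taken here to be '_' and '.' (only the '.' is stated on the page).
ALPHABET = string.ascii_letters + string.digits + "_."


def strip_trailing_dots(url: str) -> str:
    """Model of the described behaviour: drop trailing dots from each path segment."""
    parts = urlsplit(url)
    segments = [seg.rstrip(".") for seg in parts.path.split("/")]
    return parts._replace(path="/".join(segments)).geturl()


def claimed_id_survives(claimed_id: str) -> bool:
    """True when normalisation leaves the identifier intact.

    False means the relying party would compare, and run discovery on,
    a different URL than the one the provider asserted.
    """
    return strip_trailing_dots(claimed_id) == claimed_id


def affected_fraction(samples: int, seed: int = 1) -> float:
    """Share of constructed pseudonymous identifiers altered by the stripping."""
    rng = random.Random(seed)
    altered = 0
    for _ in range(samples):
        token = "".join(rng.choices(ALPHABET, k=27))
        # Constructed identifier on a placeholder provider host.
        if not claimed_id_survives("https://op.example/a/" + token):
            altered += 1
    return altered / samples


if __name__ == "__main__":
    asserted = "https://op.example/a/kUvz_Qq7."      # constructed sample
    print("asserted :", asserted)
    print("after Uri:", strip_trailing_dots(asserted))
    print("safe     :", claimed_id_survives(asserted))
    print("affected : %.4f" % affected_fraction(50000))
```

The measured fraction converges on 1/64, which matches the post's "approximately 1.5%" figure when the last character of the token is uniformly drawn from a 64-character alphabet.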

The .NET Framework provides no (supported) way to turn off this dot-stripping behavior.  If your relying party web site is running with Full Trust you can set some internal flags using reflection to suppress the behavior, but it has some nasty side-effects.  If you’re on medium trust, you’re sunk.

But I’m pleased to say that DotNetOpenAuth has a solution, handling both medium and full trust, that is as good as the .NET Framework will allow until a fix in the platform is made. I won’t bore you with all the gory details in this post, but suffice it to say that if you just download and use the new version, you’ll be working with OpenIDs even with trailing dots. Phew.

15 comments:

  1. I noticed that the DotNetOpenAuth package managed to get their documentation (XML I assume) to be visible within the Visual Studio Object Browser. How did you accomplish that? We would like to do the same for a published API and I have not been able to divine the technique from anywhere.

    Please post the solution/link and I will see it.

    Thank you!

  2. The only thing I've done is ship the .xml file right next to the .dll. That seems to get Intellisense to work.
    The real trick was figuring out how to get Intellisense to work for the web.config settings that DotNetOpenAuth adds. :)

  3. Are there any plans for supporting OAuth 2? Where can I get more info on what is up and coming?

  4. Hi Dusty,

    Yes the next version will have OAuth 2.0 support. See DotNetOpenAuth on Uservoice

  5. Hey

    This site is failing:

    http://dotnetopenauth.net:8000/wiki/Developers/QuickStart

  6. Mind going into the details of how you worked around that bug? For developers interested in making the most of the .Net framework, this post is a tease!

  7. Sorry, Soopahman, it was too complicated and too long ago to explain in a blog post. It's open source though, so knock yourself out in reading the code if you choose.

  8. Sorry to say, but despite the fact that there is an API CHM included, and samples are included, I really couldn't find anything called a User Manual, or anything like a Quick Start or Kick Start. You guys have done a great job which is useless for a dummy like me.

  9. Hey Andrew,
    I am interested in implementing claims-based security for a WCF HTTP web service using DotNetOpenAuth.
    Have you done this, or do you know if there is another resource that could help with this?

    Thanks.
    Grace

  10. Hi Andrew,
    Would you please take a look at the issue I have with the template here:
    http://stackoverflow.com/questions/6410256/asp-net-openid-infocard-rp-template-and-iis-7-5

    Basically I'm trying to move the application created to an IIS web server (I changed the .NET Framework to 4) but it's not working (please find more details on the Stack Overflow page).
    Thanks

  11. Hi Andrew,

    Would you please help me with the following issue?
    I want to use the DotNetOpenAuth library for implementing OpenID login in my web application. The web application is being built in C# for .NET 2.0, and I am not able to find any .NET library compatible with a .NET 2.0 project.

    When I try to add the DotNetOpenAuth .dll, it shows an error reporting its dependency on .NET 3.5 libraries.

    Please help!! I have exhausted myself researching for it.

    http://stackoverflow.com/questions/8336754/dotnetopenauth-or-any-other-net-open-id-library-for-net-2-0-projects

    Thanks

  12. @Spiritual_Flame, the most recent OpenID implementation for .NET 2.0 is available here: http://code.google.com/p/dotnetopenid/downloads/list

  13. That download link is broken, it says:


    Sorry, this download cannot be accessed. We apologize for the inconvenience.

    Our download service was recently discontinued, as announced back in August.

    Please visit the homepage of the project you wish to download for the alternative download location. If you need any assistance, please contact us at info@ohloh.net.

    Would you like to go back to the Ohloh Home Page?

  14. Thanks for the heads up. I've fixed the link.

  15. The link works well now, thanks for fixing.
