I'm going through the dotNetOpenAuth Samples (OpenIdRelyingPartyMVC and OpenIdProviderMvc) and came up with a question for better understanding...

In the MembersArea of the Relying Party App I use the OpenID "http://localhost:4864/user/bob3" for example. I get redirected to the Provider's Login Page, where I then use the credentials of Bob5. After successfully logging in, I get redirected back to the RelyingParty, which says "Congratulations Bob3...".

Is this just a Binding Bug in the Relying Party App, which takes the OpenID that was submitted to the Provider, or am I authenticated in the security context of Bob3 with the credentials of Bob5? That would be a major security issue in my opinion, as I am able to authenticate as whoever I want with just one working user account at the provider.

Jürgen Zornig

1 Answer

I think you are using an out-of-date branch which contains a security issue that was discovered 3 years ago:

http://www.zdnet.com/article/dotnet-projects-flawed-sample-code-has-crippling-authentication-exploit/

Code of the flawed controller: https://github.com/DotNetOpenAuth/DotNetOpenAuth.Samples/blob/master/src/OpenID/OpenIdProviderMvc/Controllers/OpenIdController.cs

Fixed code: https://github.com/DotNetOpenAuth/DotNetOpenAuth/blob/develop/samples/OpenIdProviderMvc/Controllers/OpenIdController.cs

Diff of the fix: https://github.com/DotNetOpenAuth/DotNetOpenAuth/commit/cdd3e95f4eac8076ffd78641bf4cf61d4422572a

It seems to me that the "master" branch is out of date, while the "develop" branch is the one that we should use.

Thuan
  • Thanks for your answer, seems legit, as I used the master branch indeed... give me a day or so to verify this – Jürgen Zornig May 04 '15 at 21:40
  • Perfect answer, thanks a lot! Just inserted the Diff directly into the example code of the OpenIdProviderMvc and it fixed the issue immediately. I used the **"dotNetOpenAuth.Samples"** project on Github, which seems to be outdated... just use the main project instead, which already contains patched samples. – Jürgen Zornig May 05 '15 at 15:23
  • Glad that I can help :) – Thuan May 05 '15 at 15:41
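The behaviour described in the question is a provider-side binding failure: the provider issued a positive assertion for whatever identifier the Relying Party's request named, as long as some account was logged in, instead of checking that the logged-in account actually controls that identifier. The following is an added, self-contained C# model of that decision written for this page; it is not DotNetOpenAuth's code nor the sample controller linked above. The `AuthenticationRequest` and `UserStore` types, the `bob3`/`bob5` mapping and the `Provider` methods are all constructed for illustration, and the identifier comparison is a plain ordinal string compare (a real provider would compare normalized OpenID identifiers).

```csharp
// Added example, not from DotNetOpenAuth or its samples: the provider-side check that
// a logged-in session must control the identifier being asserted. All types below are
// constructed for this illustration.
using System;
using System.Collections.Generic;

public sealed class AuthenticationRequest
{
    // The identifier the Relying Party asked the provider to assert (attacker-influenced input).
    public string ClaimedIdentifier { get; }

    // Set by the provider once it decides whether to send a positive assertion.
    public bool? IsAuthenticated { get; set; }

    public AuthenticationRequest(string claimedIdentifier)
    {
        ClaimedIdentifier = claimedIdentifier;
    }
}

public static class UserStore
{
    // Constructed mapping from provider login name to the one OpenID that login controls.
    private static readonly Dictionary<string, string> Identifiers =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["bob3"] = "http://localhost:4864/user/bob3",
            ["bob5"] = "http://localhost:4864/user/bob5",
        };

    public static string ClaimedIdentifierFor(string loginName) =>
        loginName != null && Identifiers.TryGetValue(loginName, out var id) ? id : null;
}

public static class Provider
{
    // Flawed shape: "is anyone logged in?" is treated as "does this user own the identifier?".
    // Logging in as bob5 yields a positive assertion for bob3.
    public static bool VulnerableDecision(AuthenticationRequest req, string loggedInUser)
    {
        bool someoneIsLoggedIn = loggedInUser != null;
        req.IsAuthenticated = someoneIsLoggedIn;
        return req.IsAuthenticated == true;
    }

    // Hardened shape: assert only when the identifier owned by the logged-in account
    // is the identifier the request names. Anything else is a negative assertion.
    public static bool HardenedDecision(AuthenticationRequest req, string loggedInUser)
    {
        string owned = UserStore.ClaimedIdentifierFor(loggedInUser);
        bool controlsIdentifier =
            owned != null &&
            string.Equals(owned, req.ClaimedIdentifier, StringComparison.Ordinal);
        req.IsAuthenticated = controlsIdentifier;
        return controlsIdentifier;
    }
}

public static class Demo
{
    public static void Main()
    {
        // The scenario from the question: RP asks for bob3, the session at the provider is bob5.
        var forBob3 = new AuthenticationRequest("http://localhost:4864/user/bob3");

        Console.WriteLine("vulnerable, bob5 session asserting bob3: " +
                          Provider.VulnerableDecision(forBob3, "bob5"));
        Console.WriteLine("hardened,   bob5 session asserting bob3: " +
                          Provider.HardenedDecision(forBob3, "bob5"));
        Console.WriteLine("hardened,   bob3 session asserting bob3: " +
                          Provider.HardenedDecision(forBob3, "bob3"));
        Console.WriteLine("hardened,   no session asserting bob3:   " +
                          Provider.HardenedDecision(forBob3, null));
    }
}
```

Running `Demo.Main` shows the vulnerable path answering positively for the bob5 session, while the hardened path answers positively only for the bob3 session and negatively for bob5 or an anonymous request. The general rule this models is that a provider's positive assertion must be derived from its own record of who authenticated, never from the identifier carried in the Relying Party's request; an RP-side fix alone cannot close the gap, because the RP is only reporting what the provider asserted.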