tmarble/nongrata

Authenticate fail

Opened this issue · 4 comments

Using the live version at http://nongrata.info9.net:11300/ I get:

failed authentication:
audience mismatch: domain mismatch

after getting the

recieved encrypted response from
client after asking browserid.org

pop-up.

Looks like the server is expecting to be running and accessed as localhost:

{:form-params {:assertion assertion :audience "localhost"}})]

The result is that it thinks it's seeing replayed assertions from another domain and aborts the login.

Ah - I will try local install and see if that fares better.

/mac

On Thu, Sep 27, 2012 at 11:05 PM, Dan Callahan notifications@github.com wrote:

Looks like the server is expecting to be running and accessed as localhost:

{:form-params {:assertion assertion :audience "localhost"}})]

The result is that it thinks it's seeing replayed assertions from another
domain and aborts the login.



I was never able to get non-localhost auths to work.
On Sep 27, 2012 4:09 PM, "Martin Clausen" notifications@github.com wrote:

Ah - I will try local install and see if that fares better.

/mac


The problem is with the approach: unless the host is hardcoded, it can't work, can it? It would never be secure. The host has to be something with a real DNS entry or something in the hosts file. Since all we can be sure of in nongrata is the host file of the machine running nongrata, we choose to hardcode localhost.

A "fix" would be to make the host an external file and include this information as part of the install procedure.
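
The failure reported in this thread and the proposed fix, as an added example that is not nongrata's own code: the audience is read from external configuration instead of being hardcoded, and a simplified origin comparison shows why "localhost" is rejected for the live site. The `:audience` config key, the function names and the comparison rules are assumptions made for this illustration.

```clojure
(ns example.audience
  (:require [clojure.edn :as edn]
            [clojure.string :as str])
  (:import (java.net URI)))

;; Constructed sample of an external config file (hypothetical key name).
(def sample-config "{:audience \"http://nongrata.info9.net:11300\"}")

(defn origin
  "Normalise an audience to [scheme host port]. A bare host such as
  \"localhost\" is read as http on the default port."
  [audience]
  (let [uri    (URI. (if (str/includes? audience "://")
                       audience
                       (str "http://" audience)))
        scheme (str/lower-case (.getScheme uri))
        port   (.getPort uri)]
    [scheme
     (str/lower-case (.getHost uri))
     (if (neg? port) ({"http" 80 "https" 443} scheme) port)]))

(defn load-audience
  "Read the audience from config text; refuse to run without one rather than
  falling back to the request's Host header, which the client controls."
  [config-text]
  (let [audience (:audience (edn/read-string config-text))]
    (when (str/blank? audience)
      (throw (ex-info "no :audience configured" {})))
    audience))

(defn audience-problem
  "Return nil when the audience sent to the verifier matches the origin the
  assertion was issued for, else a keyword naming the first difference."
  [issued-for sent]
  (let [[s1 h1 p1] (origin issued-for)
        [s2 h2 p2] (origin sent)]
    (cond (not= h1 h2) :domain-mismatch
          (not= s1 s2) :scheme-mismatch
          (not= p1 p2) :port-mismatch)))

(defn verify-params
  "Form parameters for the verifier request, with the configured audience."
  [assertion config-text]
  {:form-params {:assertion assertion :audience (load-audience config-text)}})

(def site "http://nongrata.info9.net:11300")
(println (audience-problem site "localhost"))                    ; hardcoded value
(println (audience-problem site (load-audience sample-config)))  ; configured value
```

The audience comes from a file the operator controls at install time, so an assertion minted for another origin still fails the comparison.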