[ https://issues.jboss.org/browse/SEAMSECURITY-72?page=com.atlassian.jira.p... ] Marek Schmidt commented on SEAMSECURITY-72: ------------------------------------------- Downgrading OpenID4Java from 0.9.6 (which fixes a security issue) to 0.9.5 seems to make the test happy, so it is probably caused by some change of behaviour of the library. -- This message is automatically generated by JIRA. For more information on JIRA, see: http://www.atlassian.com/software/jira

[ https://issues.jboss.org/browse/SEAMSECURITY-72?page=com.atlassian.jira.p... ] Marek Schmidt commented on SEAMSECURITY-72: ------------------------------------------- The problem seems to be in OpenIdProviderAuthenticationService {noformat} Message authResponse = openIdServerManager.get().authResponse(parameterList, opLocalIdentifier, claimedIdentifier, authenticationSuccesful); if (response instanceof DirectError) { writeMessageToResponse(authResponse, response); } else { if (openIdProviderRequest.get().getRequestedAttributes() != null) { try { FetchResponse fetchResponse = FetchResponse.createFetchResponse(openIdProviderRequest.get().getFetchRequest(), attributeValues); authResponse.addExtension(fetchResponse); } catch (MessageException e) { throw new RuntimeException(e); } } {noformat} The authResponse signs the message before the extension is added, therefore the signature is invalid. -- This message is automatically generated by JIRA. For more information on JIRA, see: http://www.atlassian.com/software/jira

[ https://issues.jboss.org/browse/SEAMSECURITY-72?page=com.atlassian.jira.p... ] Marek Schmidt updated SEAMSECURITY-72: -------------------------------------- Status: Resolved (was: Pull Request Sent) Resolution: Done fixed the problem was not apparent before, as the openid4java 0.9.5 had a bug and didn't check the AX signatures at all. -- This message is automatically generated by JIRA. For more information on JIRA, see: http://www.atlassian.com/software/jira