Hi, Wanted to add that the issue that Tomas Isdal has reported (first post in this thread), is affecting my app's users too.
The default URL for App Engine apps (or services) from the Google Apps dashboard is with "https://"; which will be used in the login URL, resulting in this error. If this were just "http://"; there are no issues. Since SSL support is only for appspot domains and anyway not possible for custom domain mapping, I am OK with not having to use https for appspot too and have redirected users to "http://"; to avoid the issue. Regards, R.Rajkumar On Fri, Jun 18, 2010 at 5:50 AM, Isdal <[email protected]> wrote: > Hi Ikai and thanks for the prompt response. > > I think I found a couple bugs in the 1.3.4 openid implementation, let > me know if I should file a bug report for each of them: > I am using appengine 1.3.4 in eclipse on OS X 10.6. Note that this is > a pain to debug since it has to be done on a live appengine install > because of the UserService emulation when in development mode. > > === > 1: UserServiceFactory.getUserService().createLoginURL( > "https://listshuffle.appspot.com/#q=abc123";, "google.com", > "https://www.google.com/accounts/o8/id";, new HashSet<String>()); > returns > > http://listshuffle.appspot.com/_ah/login_redir?claimid=https://www.google.com/accounts/o8/id&continue=http://listshuffle.appspot.com/ > > Note the lack of https in the continue parameter. Instead it seems to > pick http if the page is loaded from http and https if the page is > loaded from https. > > === > 2: Logging in to google openid using the url provided by > UserService.createLoginUrl() will cause Firefox (tested on 3.6.3 and > 3.5.6) to display an ugly warning message, see message 1 in this > thread. > All sample pages of 1.3.4 based google-openid show the same problem, > these are the ones I found: > Java: http://listshuffle.appspot.com/ > Java: http://super-easy.appspot.com/ > Python: http://your-move.appspot.com/ > > Signing in to AOL or yahoo does not trigger the problem, using Safari > (5), Chrome (5) or IE (8) does not display any errors as well. > If I allow myself to speculate it seems like the javascript POST from > a https to a http on the google redirect page > https://www.google.com/accounts/o8/ud?openid.ns=http%3A%2F%... that is > triggering this. (maybe yahoo and aol are using 302 redirects?) > > === > 3: Manually specifying a https continue parameter > > http://listshuffle.appspot.com/_ah/login_redir?claimid=https://www.google.com/accounts/o8/id&continue=https://listshuffle.appspot.com/ > Does not help, the same Firefox warning is displayed (but the return > url is honored, the page is loaded as https when returning). The post > is to > http://listshuffle.appspot.com/_ah/openid_verify?... > no matter if the continue is set to https (since the continue is just > a parameter forwarded to the openid_verify page). > > === > 4: When initiating the openid authentication from an appspot page > loaded using https you will get: > Secure Connection Failed > > The javascript post is for some reason to > https://listshuffle.appspot.com:80/_ah/openid_verify? > confusing the browser since it expects SSL on a https url and there is > no ssl on port 80. This seems to happen in all browsers. > > Removing port 80 does not help, instead it will trigger a 500 Server > Error. > === > > This is what I noticed so far, let me know how you want me to > proceed. > > // Tomas Isdal > > > On Jun 17, 10:20 am, "Ikai L (Google)" <[email protected]> wrote: > > Can you try supplying an HTTPS url as the continue URL? This error is > likely > > occurring because you are forwarding from an HTTPS page to an HTTP page. > > > > > > > > On Wed, Jun 16, 2010 at 11:01 PM, Isdal <[email protected]> wrote: > > > I considering switching my appengine app from the "old" google auth to > > > federated login using openid. > > > > > I am using the new userservice api introduced in 1.3.4. I have a test > > > app running athttp://listshuffle.appspot.com/(sorry for the terrible > > > ui... and complete lack of functionality, it does show the problem > > > though...). > > > > > The problem I have is that in FireFox (tested on 3.6.3 on both OS X > > > and windows) there is an ugly warning displayed just before the > > > redirect back to my page from google, (after the user allows my app). > > > This only happens in Firefox and only for google openid: yahoo and aol > > > does not have the problem. In Safari and Chrome there is no warning. > > > > > The Firefox warning message says: > > > ================= > > > Security Warning: > > > Although this page is encrypted, the information you have entered is > > > to be sent over an unencrypted connection and could easily be read by > > > a third party. > > > > > Are you sure you want to continue sending this information? > > > ================= > > > > > I am using:https://www.google.com/accounts/o8/idas my provider, > > > setting it to null orhttp://www.google.com/accounts/o8/id(no https) > > > does not help. > > > > > Any ideas? > > > Thanks! > > > // Tomas > > > > > -- > > > You received this message because you are subscribed to the Google > Groups > > > "Google App Engine" group. > > > To post to this group, send email to [email protected] > . > > > To unsubscribe from this group, send email to > > > [email protected]<google-appengine%[email protected]> > <google-appengine%[email protected]<google-appengine%[email protected]> > > > > > . > > > For more options, visit this group at > > >http://groups.google.com/group/google-appengine?hl=en. > > > > -- > > Ikai Lan > > Developer Programs Engineer, Google App Engine > > Blog:http://googleappengine.blogspot.com > > Twitter:http://twitter.com/app_engine > > Reddit:http://www.reddit.com/r/appengine > > -- > You received this message because you are subscribed to the Google Groups > "Google App Engine" group. > To post to this group, send email to [email protected]. > To unsubscribe from this group, send email to > [email protected]<google-appengine%[email protected]> > . > For more options, visit this group at > http://groups.google.com/group/google-appengine?hl=en. > > -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en.
