So I have a very similar issue, where I'm actually building a Rails-based openid provider but being consumed by another Rails app. I basically adapted the code from
The whole URL was:
http://localhost:3000/openid?openid.assoc_handle=%7BHMAC-SHA1%7D%7B5193d33f%7D%7BdBrUwQ%3D%3D%7D&openid.claimed_id=http%3A%2F%2Flocalhost%3A3000%2Fopenid%2Fwarren&openid.identity=http%3A%2F%2Flocalhost%3A3000%2Fopenid%2Fwarren&openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1&openid.realm=http%3A%2F%2Flocalhost&openid.return_to=http%3A%2F%2Flocalhost%2Fsession%3F_method%3Dpost%26return_to%3D&openid.sreg.required=nickname%2Cemail
I had a similar problem where the only parameters being reported were:
{"action"=>"index", "controller"=>"openid"}
So, suspecting that some parameter (maybe a period?) was causing it to hiccup, I went through and deleted them one by one until I found that deleting the following parameter enables the entire thing to go through correctly:
openid.mode=checkid_setup
That left all the remaining parameters correctly being parsed:
{"openid.assoc_handle"=>"{HMAC-SHA1}{5193d33f}{dBrUwQ==}",
"openid.claimed_id"=>"http://localhost:3000/openid/warren",
"openid.identity"=>"http://localhost:3000/openid/warren",
"openid.ns"=>"http://specs.openid.net/auth/2.0",
"openid.ns.sreg"=>"http://openid.net/extensions/sreg/1.1",
"openid.realm"=>"http://localhost",
"openid.return_to"=>"http://localhost/session?_method=post&return_to=",
"openid.sreg.required"=>"nickname,email",
"action"=>"index",
"controller"=>"openid"}
I'm now trying to find why openid.mode causes this issue. It fails even if I change it to openid.mode=5, so it's the key, not the value, causing the problem.
Suspecting the ".mode" part of the string for the trouble (maybe ".mode" is a filetype or something being parsed by the routing?) I am looking towards this post on allowing periods, but it only applies to the value, not the key: rails routing and params with a '.' in them
Will report back if I find more.
Update: I tried, in another Rails app, adding ?openid.mode=0 to the end of a URL -- ".mode" does not result in a parameter being read, but ".modes=" does and so does ".mod=". This confirms that ".mode" is causing a params parsing error.
Update 2: yikes... actually "?a.mode=0" does work. So far, only the complete string "openid.mode" does not work, and this is across various Rails apps. "?openid.mode" with nothing else results in: Parameters: {"openid.mode"=>nil}, but "?openid.mode=" with nothing after the "=" fails to pass any parameters besides action & controller. Very odd.
Update 3: OK, figured it out, I believe -- the params were getting sanitized i.e. deleted by the rack-openid gem, in that gem's path: /lib/openid.rb:168, "sanitize_query_string". This seems to be incompatible with the example I was working with: https://github.com/openid/ruby-openid/tree/master/examples/rails_openid. Going to override that method.
Final update: I replaced this line:
oidreq = server.decode_request(params)
with this line, since we could no longer use the now-empty params hash:
oidreq = server.decode_request(Rack::Utils.parse_query(request.env['ORIGINAL_FULLPATH']))
raise params.inspect
in yourreturn
action? – Robin