Feed: http://ignisvulpis.blogspot.com/feeds/posts/default

# ignisvulpis

Updated: 2018-03-18T16:45:57.451+01:00

2017-10-15T17:58:20.757+02:00

Some time ago somebody had to solve this math optimization question for their studies and told me about it.

So there is a wall of height h at distance a from a very high "building", and your task, should you accept it, is to find the shortest ladder over the wall that touches the ground and the "building".
(image)
So the function to minimize is L = sqrt((x+a)^2 + (h+y)^2).
Because we know that y/a = h/x, it follows that y = ah/x.
Using this, the length becomes L = sqrt((x+a)^2 + (h+ah/x)^2).
The minimum of that function is not changed if we leave out the sqrt, and the derivative of (x+a)^2 + (h+ah/x)^2 is (2 (a + x) (-a h^2 + x^3))/x^3.
So the minimum is where this derivative equals zero, which is when x³ = ah²,
and the length then is L = (a^(2/3) + h^(2/3))^3

Now the thing that I find strange. Please look at this drawing (which is not really correct because the two "y" do not have the same length).

If the angle ACD is 90° then the ladder has minimal length!
We know that ah=xy, so let's square that: a²h²=x²y² and because ACD is 90° xa=y² which yields

a²h²=x²xa and that gives x³=ah² which is exactly what we got by using the calculus.

Do you have a geometric explanation why L is minimal if ACD is 90°?
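Carrying the calculation above through to the end with the same symbols (an added worked derivation, not part of the original post):

$$
f(x) = (x+a)^2 + \left(h+\frac{ah}{x}\right)^2 = (x+a)^2\left(1+\frac{h^2}{x^2}\right),
\qquad
f'(x) = 2(x+a)\left(1+\frac{h^2}{x^2}\right) - \frac{2h^2 (x+a)^2}{x^3} = \frac{2(x+a)\,(x^3 - a h^2)}{x^3}.
$$

Setting $f'(x) = 0$ for $x > 0$ gives $x^3 = a h^2$, so

$$
x = a^{1/3} h^{2/3}, \qquad y = \frac{ah}{x} = a^{2/3} h^{1/3},
\qquad
x + a = a^{1/3}\left(a^{2/3} + h^{2/3}\right), \qquad h + y = h^{1/3}\left(a^{2/3} + h^{2/3}\right).
$$

Hence

$$
L^2 = (x+a)^2 + (h+y)^2 = \left(a^{2/3}+h^{2/3}\right)^2\left(a^{2/3}+h^{2/3}\right) = \left(a^{2/3}+h^{2/3}\right)^3,
\qquad
L = \left(a^{2/3}+h^{2/3}\right)^{3/2},
$$

the cube being the value of the function with the sqrt left out. At the same $x$ the product $xa = a^{4/3}h^{2/3}$ equals $y^2$, which is exactly the relation the 90° argument uses, so both routes pick the same ladder.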

(image)

CSS Oddities: anonymous inline whitespace nodes

2016-10-17T18:49:05.384+02:00

I learned something today. It all started with a @Twitter post by @supersole that there is a new feature in @FirefoxNightly that now allows debugging "anonymous inline whitespace" nodes in HTML pages.
https://blog.nightly.mozilla.org/2016/10/17/devtools-now-display-white-space-text-nodes-in-the-dom-inspector/

The post claims that `<img><img>` on the page is rendered differently than `<img>` followed by CRLF, whitespace, CRLF and `<img>`.
I could not believe this. That is stupid, right? Which web developer would expect any difference?

Well, it seems that CSS rules, being what they currently are, lead to this unexpected difference.
The CSS spec describes the algorithm to process the HTML here in
In the second HTML fragment the whitespace is deleted by step 2, which gives us `<img>` CRLF CRLF `<img>`.
Step 2 tells us to handle segment breaks ("crlf"). That is described in the
Those rules give us `<img>` space space `<img>`, which is then processed further by the Phase I steps 3 and 4. Step 3 does nothing in this example. Step 4 says:

> Any space immediately following another collapsible space—even one outside the boundary of the inline containing that space, provided they are both within the same inline formatting context—is collapsed to have zero advance width. (It is invisible, but retains its soft wrap opportunity, if any.)

So the remaining two spaces are turned into one (or two - I don't care to check) empty text nodes with zero width but with a "soft wrap".

Good to know - maybe. Is this a feature? I expected that everything between two HTMLElements that matches (whitespace)* is completely removed and not inserted into the rendering tree.
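To make the Phase I steps concrete, here is a small model of the white-space processing for `white-space: normal` run over the two fragments from the post. This is an added example, not code from the post or from Firefox; it models only Phase I (the collapsing steps), not the Phase II trimming at line starts and ends, and it represents an `<img>` as an atomic inline that never collapses.

```javascript
// Phase I of the CSS Text white-space processing rules for `white-space: normal`.
// Added example; the step numbers follow the post's reading of the spec.
function collapseWhitespace(text) {
  return text
    .replace(/\r\n|\r|\n/g, "\n")        // treat CR, LF and CRLF alike as segment breaks
    .replace(/[ \t]*\n[ \t]*/g, "\n")    // step 1: spaces/tabs around a segment break are removed
    .replace(/\n/g, " ")                 // step 2: the segment break itself becomes a space
    .replace(/\t/g, " ")                 // step 3: a tab becomes a space
    .replace(/ {2,}/g, " ");             // step 4: a space after a space gets zero advance width
}

// Lay out a run of inline children. Strings are text nodes; {tag} objects are atomic
// inlines such as <img>. Returns the pieces that still contribute to the line box.
function layoutInlineRun(children) {
  const out = [];
  let lastWasSpace = false;
  for (const child of children) {
    if (typeof child !== "string") {
      out.push(`<${child.tag}>`);      // an image is not a space, so it ends any collapsing run
      lastWasSpace = false;
      continue;
    }
    let text = collapseWhitespace(child);
    // step 4 also applies across node boundaries inside one inline formatting context
    if (lastWasSpace && text.startsWith(" ")) text = text.slice(1);
    if (text.length === 0) continue;   // nothing renders, although the text node stays in the DOM
    out.push(text);
    lastWasSpace = text.endsWith(" ");
  }
  return out;
}

// The two fragments from the post, as constructed inputs.
const adjacentImages = [{ tag: "img" }, { tag: "img" }];
const separatedImages = [{ tag: "img" }, "\r\n  \r\n", { tag: "img" }];

console.log(layoutInlineRun(adjacentImages));   // [ '<img>', '<img>' ]
console.log(layoutInlineRun(separatedImages));  // [ '<img>', ' ', '<img>' ]
```

The second run keeps one rendered space between the images, which is the difference the Nightly inspector now lets you see.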

Maybe this should be discussed here?: https://github.com/w3c/csswg-drafts/issues
Not my cup of tea.

Thanks to @upsuper who pointed me to the relevant specs.

(image)

2016-10-10T13:56:57.784+02:00

(image) Twitter Cards have been around for some time now and I recently wondered how commonly used they are.

There is a nice blog post on Blogger on how to integrate them there, but clearly there should be ways for e.g. newspapers to promote their reports by providing summaries, a main image and author information that are not @Twitter specific? Microformats and schema.org to the rescue?

What does Google do? It seems that JSON-LD is the recommended format.

How would a Twitter Card look in JSON-LD?

Twitter Cards or Rich Cards or @w3c Cards?

Time to standardize!
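One answer to "how would a Twitter Card look in JSON-LD?", as an added example that is not part of the original post: read the `twitter:*` meta tags and emit the schema.org `NewsArticle` that Google's JSON-LD guidance would expect. The meta tags are a constructed sample, and the mapping (creator to `author`, site to `publisher`) is my choice, not anything Twitter or Google publishes.

```javascript
// Constructed sample: the <meta> tags a Twitter Card adds to a page's <head>.
const sampleHead = `
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:title" content="Example headline">
<meta name="twitter:description" content="One paragraph summary of the report.">
<meta name="twitter:image" content="https://example.org/main.jpg">
<meta name="twitter:creator" content="@reporter">
<meta name="twitter:site" content="@examplepaper">
`;

// Minimal <meta name="..." content="..."> extraction (attribute order fixed, as in the sample).
function parseMetaTags(html) {
  const tags = {};
  const re = /<meta\s+name="([^"]+)"\s+content="([^"]*)"\s*\/?>/g;
  let m;
  while ((m = re.exec(html)) !== null) tags[m[1]] = m[2];
  return tags;
}

// Map the card fields onto schema.org vocabulary. Returns null when no card is declared.
function twitterCardToJsonLd(tags, canonicalUrl) {
  if (!tags["twitter:card"]) return null;
  const ld = {
    "@context": "https://schema.org",
    "@type": "NewsArticle",
    mainEntityOfPage: canonicalUrl,
    headline: tags["twitter:title"] || "",
    description: tags["twitter:description"] || "",
  };
  if (tags["twitter:image"]) ld.image = [tags["twitter:image"]];
  if (tags["twitter:creator"]) ld.author = { "@type": "Person", name: tags["twitter:creator"] };
  if (tags["twitter:site"]) ld.publisher = { "@type": "Organization", name: tags["twitter:site"] };
  return ld;
}

const jsonLd = twitterCardToJsonLd(parseMetaTags(sampleHead), "https://example.org/report");
console.log(JSON.stringify(jsonLd, null, 2));
```

The point is that every field a card carries already has a non-Twitter home in schema.org, so a site can publish the JSON-LD once and keep the `twitter:*` tags as a derived view.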

(image)

2015-03-30T15:52:00.820+02:00

2015-03-07T12:13:53.560+01:00

As I described here

This is cool.

Browse to a Google website and be logged in without the need to remember the super secure password. Sadly this is a closed system, as we learned when implementing this for Firefox for Android (Fennec).
See https://bugzilla.mozilla.org/show_bug.cgi?id=1030650

Yes, Fennec can talk to the Authenticator and ask for a "weblogin:" token for "com.google", but the Authenticator answers differently depending on who asks. If Chrome is asking then the returned token redirects you to https://accounts.google.com/ and immediately logs you in, but when you're Fennec then you are just redirected to https://accounts.google.com/ and have to enter username and password. Bummer.

Anyway: How about using this scheme for Mozilla services and using a Mozilla account on the device or local to the browser (Firefox Sync) if available.

1. browse to e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=1030650 (obviously a Mozilla service) and press the login button
2. get redirected to https://accounts.firefox.com/ServiceLogin?service=bugzilla&passive=true&rm=false&continue=https://bugzilla.mozilla.org/show_bug.cgi?id=1030650 &ss=1&scc=1&ltmpl=bugzilla&emr=1
- on desktop look for a Firefox Sync account and use it to obtain a token from a token endpoint hosted at mozilla.org
- on Android ask the AccountManager for a weblogin token for "org.mozilla".
5. redirect to the token (the token is a URL). In this case e.g. https://accounts.firefox.com/?t=accesstokenb64&...
6. https://accounts.firefox.com/ validates the token and redirects back to https://bugzilla.mozilla.org/show_bug.cgi?id=1030650
I think this is doable and would benefit the users of Mozilla services.

Next step then (there is always a next step) is to allow third party logins, e.g. from GitHub to bugzilla, using x-auto-login.

(image)

2014-11-03T13:57:37.475+01:00

I am using "wget" to get the gmail web page and the HTTP response contains the X-Auto-Login header.

I think that Google should standardize this.
Currently Google is using OpenID2 here but it is probably easy to standardize this with OpenID Connect.

```
ignisvulpis@namenlos:~/mozilla-central$ wget -S https://mail.google.com/mail --user-agent="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36"
--2014-11-03 12:23:50--  https://mail.google.com/mail
Connecting to 212.201.109.5:8080... connected.
Proxy request sent, awaiting response... 
  HTTP/1.1 302 Moved Temporarily
  Content-Type: text/html; charset=UTF-8
  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
  Pragma: no-cache
  Expires: Fri, 01 Jan 1990 00:00:00 GMT
  Date: Mon, 03 Nov 2014 11:23:51 GMT
  Location: https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=https://mail.google.com/mail/&ss=1&scc=1&ltmpl=googlemail&emr=1
  X-Content-Type-Options: nosniff
  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: 1; mode=block
  Server: GSE
  Alternate-Protocol: 443:quic,p=0.01
  Connection: close
Location: https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=https://mail.google.com/mail/&ss=1&scc=1&ltmpl=googlemail&emr=1 [following]
--2014-11-03 12:23:51--  https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=https://mail.google.com/mail/&ss=1&scc=1&ltmpl=googlemail&emr=1
Connecting to 212.201.109.5:8080... connected.
Proxy request sent, awaiting response... 
  HTTP/1.1 200 OK
  Content-Type: text/html; charset=UTF-8
  Strict-Transport-Security: max-age=10893354; includeSubDomains
  Set-Cookie: GAPS=1:lAGQAL021CeF4UofSLjbzRnvJw_Eqw:256mW0v3ZoeLVjLo;Path=/;Expires=Wed, 02-Nov-2016 11:23:51 GMT;Secure;HttpOnly;Priority=HIGH
  Set-Cookie: GALX=xATUIfBPIN4;Path=/;Secure
  X-Frame-Options: DENY
  Cache-control: no-cache, no-store
  Pragma: no-cache
  Expires: Mon, 01-Jan-1990 00:00:00 GMT
  Transfer-Encoding: chunked
  Date: Mon, 03 Nov 2014 11:23:51 GMT
  X-Content-Type-Options: nosniff
  X-XSS-Protection: 1; mode=block
  Server: GSE
  Alternate-Protocol: 443:quic,p=0.01
  Connection: close
Length: unspecified [text/html]
2014-11-03 12:23:51 (1,44 MB/s) - ‘mail’ saved [70172]
ignisvulpis@namenlos:~/mozilla-central$ 
```
(image)

2014-09-12T14:04:21.168+02:00

Maybe you are an Android user and wondered how sometimes the browser logs you in without asking for a password?

Well, I wondered but never found the time to investigate.

Thanks to the awesome W3C Web Cryptography Next Steps Workshop and thanks to the usual jet-lag I found that time now. First I thought that this is Google-ism "Chrome does some questionable proprietary trick and knows just how to login to Google accounts". That is half-true.

There is chatter on the chromium list but it seems that the Android browser has known this trick since 2011, and Chrome for Android was released in 2012.

So how does it work?
2. the browser sees that header
3. the browser asks the device's account system for local accounts for the realm parameter of the header (e.g. realm=com.google)
4. the browser asks for a special kind of token from that account
6. the token is a URL - so if the user consents the browser opens that URL
7. the site the URL points to accepts the token
8. the site redirects the browser to the original page the user wants to use
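The browser-side part of both flows above (the Google one here and the proposed Mozilla one further up) comes down to two decisions: what to ask the account system for, and whether the returned token URL may be followed. Here is an added example of those two checks; it is not Chrome's or Fennec's code. It assumes the header value has the shape `realm=...&args=...` with `args` URL-encoded (the post names only `realm` and `args`), and the host allowlist is a constructed assumption.

```javascript
// Parse an X-Auto-Login response header value into what the browser needs:
// the realm to look up in the device's account system and the args that are
// appended to the "weblogin:" token type. Returns null for anything unusable.
function parseAutoLoginHeader(value) {
  if (typeof value !== "string" || value.trim() === "") return null;
  const params = {};
  try {
    for (const part of value.split("&")) {
      const eq = part.indexOf("=");
      if (eq < 0) continue;
      params[decodeURIComponent(part.slice(0, eq)).trim()] = decodeURIComponent(part.slice(eq + 1));
    }
  } catch (e) {
    return null;                      // malformed percent-encoding: treat as no header
  }
  if (!params.realm) return null;     // without a realm there is no account to ask
  const args = params.args || "";
  return { realm: params.realm, args, tokenType: "weblogin:" + args };
}

// Before step 6 (opening the token URL) a browser should refuse anything that is
// not https or not on a host that belongs to the realm's site. The allowlist is a
// constructed example; the post does not say how Chrome makes this decision.
function isAcceptableTokenUrl(tokenUrl, allowedHosts) {
  let u;
  try {
    u = new URL(tokenUrl);
  } catch (e) {
    return false;
  }
  return u.protocol === "https:" && allowedHosts.includes(u.hostname);
}

// Constructed header value in the shape assumed above.
const sampleHeader =
  "realm=com.google&args=service%3Dmail%26continue%3Dhttps%3A%2F%2Fmail.google.com%2Fmail%2F";
console.log(parseAutoLoginHeader(sampleHeader));
console.log(isAcceptableTokenUrl("https://accounts.google.com/?t=accesstokenb64", ["accounts.google.com"]));
```

The realm check is what stops a site from asking for tokens that belong to somebody else's account type, and the URL check is what stops a token that is "just a URL" from sending the user anywhere but the realm's own login endpoint.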

I think this is neat. But why doesn't Google talk about it? Why isn't this standardized at W3C?
Anyway. How can you benefit?
As a user? You already do.
As a website with your own mobile app?
1. Well, Google is probably not issuing tokens for your site. Maybe they do or would do because they want to be an identity provider?...
2. Issue the tokens yourself.
   a. What you need on the Android device is an AccountAuthenticator. (image)
   b. let your Account Authenticator from step a generate tokens based on 'String authTokenType="weblogin:" + args;'
   c. let your site accept the tokens generated by your Account Authenticator

I think this is a good idea. If your company has a mobile app then build that Account Authenticator. This is even more true if your company has several mobile apps. (Put the authenticator in your own CompanyServices.apk (like Google does with the GooglePlayServices) so you can update it independently from your apps.)

You might know that I work for a 100% subsidiary of Deutsche Telekom. Why isn't DT doing this? Don't ask me. I have been telling them for years that our own AccountAuthenticator would be "gold". But who listens to me. Working for a big company has its challenges.

Back to wondering... How can we get this or something similar standardized through W3C?

Maybe I should write a blog post to make it more known. But then who reads this blog anyway. ;-)

Thanks for listening. (image)

Web Identity Restart?

2014-02-18T11:31:20.143+01:00

Well, how can you restart something that never started? ... Never mind.

I am wondering whether it makes sense to have a W3C workshop on "Internet Identity" again. http://www.w3.org/2011/identity-ws/

My impression in 2011 was that the common ground was not very broad so the group decided to launch the W3C WebCrypto working group because all agreed that crypto is a precondition to web identity. Now, three years later I do not see much progress in web crypto or web identity (for that matter).

In the meantime the FIDO alliance was established which has HW-based authentication but a license model that requires that implementers are a FIDO alliance member. That is the opposite of a web standard.

So I think that the WebCrypto WG will not give us "identity for the web". Signing/verification/encryption/decryption are too low level and too easy to use wrong. This is not the way to web identity.

Maybe it is time to restart the web identity effort in W3C. (image)

ACM Digital Identity Management

2013-07-09T17:54:36.495+02:00

The call for papers to ACM Digital Identity Management is open http://cccs.ncl.ac.uk/dim2013/

This workshop will explore crucial issues concerning interoperable identity management technologies for the information society.
Identity management has seen a series of developments in recent years. Whereas identity management and federation standards have been solidified and adopted in practice, nations world-wide are investing in electronic identity systems as strong root identities for their citizens, offering a promise for strong authentication. Privacy-enhancing identity systems have reached some technical maturity and may offer user authentication with minimal disclosure. At the same time, personal identifiable information and the user's identity have become a commodity to drive the business of global corporations. Whereas such companies sought to bind the users' accounts to their unique identity, there has been reported unrest and anxiety among users because of their diminishing privacy protection.
We see identity at the crossroads. One possibility is the unique identification and strong authentication road that may offer increased trust for e-commerce and increasing cloud services. Another is the road of attribute exchange and leveraging the user's personal identifiable information that may benefit business and help users to have a consistent experience among many mobile compute platforms. Finally, there is the privacy-enhancing identity systems road that may offer additional protection for the user's civil rights. Partially these different roads seem to contradict each other. Research can offer roads less taken that overcome these seeming contradictions and come up with next generation identity solutions.

See you in Berlin in November! (image)

HTTPS Everywhere Kantara Initiative

2013-06-10T12:20:49.195+02:00

I noticed that when I am logged into https://idp.kantarainitiative.org/ and I then access documents
on kantarainitiative.org there is no SSL protection. This is probably not good.

HTTPS Everywhere to the rescue!

I added my own rule to the HTTPS Everywhere Firefox addon. (Works in Firefox 21.0)

Put the above ruleset into the Firefox Profile folder into a file named e.g. kantarainitiative.xml.
On Windows it should be located in a folder similar to this location:
D:\Users\nennker.axel\AppData\Roaming\Mozilla\Firefox\Profiles\uzmmhdde.default\HTTPSEverywhereUserRules
Now whenever I visit Kantara HTTPSEverywhere redirects Firefox to the SSL protected service.
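The ruleset file itself is not reproduced in the post, so here is an added example (not the author's file and not HTTPS Everywhere's code) of how such a rule is evaluated: a `target` host match, then the first `rule` whose `from` pattern matches rewrites the URL, unless an `exclusion` pattern matches first. The targets, rules and the excluded path are constructed for illustration.

```javascript
// Ruleset in the shape of HTTPS Everywhere's XML (<target host>, <rule from to>,
// <exclusion pattern>), written as a JS object. Constructed example values.
const kantaraRuleset = {
  name: "Kantara Initiative",
  targets: ["kantarainitiative.org", "*.kantarainitiative.org"],
  // hypothetical path that must stay on plain http, to show how an exclusion works
  exclusions: [/^http:\/\/kantarainitiative\.org\/plain-http-only\//],
  rules: [
    { from: /^http:\/\/(www\.)?kantarainitiative\.org\//, to: "https://kantarainitiative.org/" },
    { from: /^http:\/\/([a-z0-9-]+\.)kantarainitiative\.org\//, to: "https://$1kantarainitiative.org/" },
  ],
};

// <target host="*.example.org"/> matches any subdomain; a bare host matches exactly.
function hostMatchesTarget(host, target) {
  if (target.startsWith("*.")) {
    const suffix = target.slice(1);          // ".kantarainitiative.org"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return host === target;
}

// Return the rewritten URL, or the input unchanged when no rule applies.
function rewriteToHttps(ruleset, urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch (e) {
    return urlString;                        // not a URL, nothing to rewrite
  }
  if (u.protocol !== "http:") return urlString;   // already https (or some other scheme)
  if (!ruleset.targets.some((t) => hostMatchesTarget(u.hostname, t))) return urlString;
  if (ruleset.exclusions.some((re) => re.test(urlString))) return urlString;
  for (const rule of ruleset.rules) {
    if (rule.from.test(urlString)) return urlString.replace(rule.from, rule.to);
  }
  return urlString;
}

console.log(rewriteToHttps(kantaraRuleset, "http://kantarainitiative.org/confluence/display/x"));
console.log(rewriteToHttps(kantaraRuleset, "http://idp.kantarainitiative.org/idp/"));
console.log(rewriteToHttps(kantaraRuleset, "http://example.org/"));
```

Note that the second rule keeps the subdomain (`idp.` stays `idp.`), while the first folds `www.` into the bare host; whichever rule matches first wins, so rule order matters when you write your own file.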

Support EFF!

(image)

Android SSO

2013-05-30T18:11:13.245+02:00

Google: Standardizing Payments on the Web: Introducing requestAutocomplete()

2013-05-28T14:24:31.883+02:00

2013-05-27T17:22:34.090+02:00

2013-05-24T22:06:56.622+02:00

Oh no! I should never have agreed to that IoT WebSSO thing.

Every time I revoke that diaper token I am immediately signed back in by the cradle.
(image)

FIDO Alliance

2013-05-17T11:34:57.553+02:00

I am not happy with the FIDO Alliance and their FAQ does not eliminate my concerns.

The major concern being: "Why isn't this going straight to a standards body?"

> The FIDO Alliance will refine the protocol, and monitor the extensions required to meet market needs and to make the protocol robust and mature. Implementation will not be undertaken by the FIDO Alliance. The mature protocol will be presented to the IETF, W3C or similar body after which it will be open to all industry players to implement.

This is what standardization bodies' working groups are for. Work on protocols and formats. Work on security considerations. Use the experience of "the community".

So FIDO is developing a protocol and will then present it to one standardization body...
Meanwhile it is a closed thing and it costs relevant amounts of money to join the alliance.
This is neither free nor open.

During IIW there were several sessions on FIDO (1, 2). Each full of good intentions and marketing speak but no substance. No real information. You have to join the alliance to get that. Well, ...

Somebody at Nok Nok Labs convinced somebody at PayPal to hire them and founded FIDO. Why Google joined despite Google's support for the W3C WebCrypto group I have no idea.

The W3C WebCrypto group is where this belongs. This might need rechartering of the group. But that is doable. Especially if the proposal is backed by a prototype implementation. Especially if it is backed by PayPal, Lenovo, Google, NXP and others.

I believe that we need better authentication methods beyond username and password. I think that bring-your-own (hardware) identity might work towards that goal. I believe that mobile phones, SIM cards and NFC help to achieve this. I believe that the mobile wallet is the right user interface to choose your identity.

I believe that doing it in a closed group is not the right way.

(image)

(image)

Javascript API for OpenID

2012-11-08T13:24:21.713+01:00

Too long ago I wrote about a JavaScript API for OpenID: all those NASCARs

To repeat the main points:

Sites currently have no easy way to detect support for OpenID.
The site can detect support for OpenID like so:
```javascript
if (window.openid) {
  // don't show the NASCAR
}
```
The DOM level API that allows the site to query the preferred identity provider looks like this:
```javascript
window.openid.getPreferredOpenidProvider(callback);
```
In a world of OAuth2 and OpenID Connect this could be generalized to (see https://openid.net/specs/openid-connect-standard-1_0.html#rf_prep):
```javascript
var parameters = {};
parameters.response_type = "id_token";
parameters.client_id = "https://server.example.com/seminar/callback.html";
parameters.request = "eyJhbGciOiJSUzI1NiIsIng1dSI6Imh0dHBzOlwvXC9nYWJ1bm9taS5uZXRcL3NlbWluYXJcL3JzYV9wdWJsaWNfa2V5LnBlbSJ9.ewoJInJlc3BvbnNlX3R5cGUiOiAiaWRfdG9rZW4iLAoJInNjb3BlIjogIm9wZW5pZCIsCgkiY2xpZW50X2lkIjogImh0dHBzOi8vZ2FidW5vbWkubmV0L3NlbWluYXIvY2FsbGJhY2suaHRtbCIsCgkicG9saWN5X3VybCI6ICJodHRwczovL2dhYnVub21pLm5ldC9zZW1pbmFyL3BvbGljeS5odG1sIiwKCSJ1c2VyaW5mbyI6IHsKCQkiY2xhaW1zIjogewoJCQkibmFtZSI6IG51bGwsCgkJCSJlbWFpbCI6IG51bGwsCgkJCSJwaWN0dXJlIjogbnVsbAoJCX0KCX0sCgkicmVnaXN0cmF0aW9uIjogewoJCSJhcHBsaWNhdGlvbl9uYW1lIjogIlNhbXBsZSBTZW1pbmFyIiwKCQkibG9nb191cmwiOiAiaHR0cHM6Ly9nYWJ1bm9taS5uZXQvc2VtaW5hci9sb2dvLnBuZyIsCgkJIng1MDlfdXJsIjogImh0dHBzOi8vZ2FidW5vbWkubmV0L3NlbWluYXIvcnNhX3B1YmxpY19rZXkucGVtIgoJfQp9Cg.Faytuhwb2W4CWVz2-10umSieh-bqR7QXqU0bNF39u_D0mGoBD4e3X2b4jZNqPvPADSnQhlBGSJu189iFM5bwFzchnO-quCpj7T2CK_-wkrpL5LUn_WHYMmYlFadmb-a1p-TEo7exU9azMS9cT70-kHNqmTaJziZyiAMoJ0Q4TtyTt1Xbkknc_CQRug3ilNv3bEXSlOlva3HUOY7jQIbYMB3jDL3QxS1wbVYNAjOxCxCDmiNAUJA-BkYe6Tpyj-DUs57IM4wQSp64sqim8RqirJJfFb4bCbNTkC3G8sYfN2_1-qEDpOnWW7N3gjl174TWHbnzVLAZGg_rZm58-wHOLw";
parameters.state = "509b9cafd3119";
parameters.nonce = "509b9cafd34fd";
window.openid.connect(parameters, oc_callback);
```
The callback `oc_callback` would be called with one parameter.
```javascript
function oc_callback(resp) {
  // resp contains a signed then encrypted id_token in jw-* format
  // https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption
  // https://tools.ietf.org/html/draft-ietf-jose-json-web-signature
  // state and nonce are inside the resp parameter too
  // need a private key to decrypt it so forward it to my own validation endpoint
  $.post("validate.php", { resp: resp },
    function(id_token) {
      alert("returned id_token: " + id_token);
    });
}
```
The general idea is: put all HTTP request parameters which are defined in OpenID Connect into the request object. Put all the HTTP response parameters into the response object.

I think we need a JavaScript API for identity that is supported by browsers. BrowserID/Persona and AccountChooser do something in this direction but not enough. (image)

ECDH-ES for JSON Web Encryption

2012-06-01T19:37:13.688+02:00

The JSON Web Token spec RECOMMENDS that ECDH-ES is implemented. Here we go. Here are the relevant snippets from the JWA spec:

> 4.1. "alg" (Algorithm) Header Parameter Values for JWE
>
> | alg Parameter Value | Key Encryption or Agreement Algorithm |
> |---|---|
> | ECDH-ES | Elliptic Curve Diffie-Hellman Ephemeral Static, as defined in RFC 6090, and using the Concat KDF, as defined in Section 5.8.1 of NIST.800-56A, where the Digest Method is SHA-256 and all OtherInfo parameters are the empty bit string |
>
> 4.6. Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES)
>
> This section defines the specifics of agreeing upon a JWE CMK with Elliptic Curve Diffie-Hellman Ephemeral Static, as defined in RFC 6090, and using the Concat KDF, as defined in Section 5.8.1 of NIST.800-56A, where the Digest Method is SHA-256 and all OtherInfo parameters are the empty bit string. The alg header parameter value ECDH-ES is used in this case. A key of size 160 bits or larger MUST be used for the Elliptic Curve keys used with this algorithm. The output of the Concat KDF MUST be a key of the same length as that used by the enc algorithm. An epk (ephemeral public key) value MUST only be used for a single key agreement transaction.
>
> Appendix B. Encryption Algorithm Identifier Cross-Reference
>
> | Algorithm | JWE | XML ENC | JCA |
> |---|---|---|---|
> | Elliptic Curve Diffie-Hellman Ephemeral Static | ECDH-ES | http://www.w3.org/2009/xmlenc11#ECDH-ES | TBD |

I could not find a Java implementation in Java SE and the Bouncy Castle library does not seem to have one either. Bouncy Castle does implement key derivation functions but not the one from NIST.800-56A. Valuable input came from this web page: "Key Derivation Functions: How many KDFs are there?". Taking the Bouncy Castle implementation and converting it into KDFconcat is easy and here it is: https://code.google.com/p/openinfocard/source/browse/trunk/src/org/xmldap/crypto/KDFConcatGenerator.java

The next thing needed are some key pairs for the JUnit test cases. I generated them using openssl:
```
openssl ecparam -out key1.pem -name secp256r1 -genkey
```
and displayed them using
```
openssl ec -in key1.pem -text
read EC key
Private-Key: (256 bit)
priv:
    07:2f:23:22:c0:e7:5e:0c:85:17:64:b4:21:81:99:
    67:78:fd:22:59:2f:87:e5:d4:38:36:09:74:29:a1:
    c3:fc
pub:
    04:ed:3c:83:1b:f3:e1:05:9f:12:07:7f:4b:e4:fd:
    fe:90:55:73:d1:c6:76:45:b4:7d:48:64:ea:17:9d:
    de:99:86:a9:a6:ad:34:27:4a:80:fc:94:b3:a5:ef:
    6c:6e:78:2c:22:7a:39:63:a6:a4:26:50:97:6d:a6:
    ad:e9:90:a1:61
ASN1 OID: prime256v1
writing EC key
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIAcvIyLA514MhRdktCGBmWd4/SJZL4fl1Dg2CXQpocP8oAoGCCqGSM49
AwEHoUQDQgAE7TyDG/PhBZ8SB39L5P3+kFVz0cZ2RbR9SGTqF53emYappq00J0qA
/JSzpe9sbngsIno5Y6akJlCXbaat6ZChYQ==
-----END EC PRIVATE KEY-----
```
Too bad that the man page does not go into detail about what format priv and pub are in... Read the source, Luke! It seems that the private key D is just the bytes in hex of the private key BigInteger. The public key seems to be something else, but this is no problem because in ECC the public key is G*D where G is a curve parameter. So the two private keys are now defined here in the JUnit tests. One is for the sender of the JWE, the other for the recipient.
```java
static final String ec256_a_priv = "072f2322c0e75e0c851764b42181996778fd22592f87e5d43836097429a1c3fc";
static final String ec256_b_priv = "1a3eda89dc067871530601f934c6428574f837507c578e45bd10a29b2e019bfb";
```
Now the public keys are computed like this:
```java
ASN1ObjectIdentifier oid = ECUtil.getNamedCurveOid("secp256r1");
X9ECParameters x9ECParameters = ECUtil.getNamedCurveByOid(oid);
byte[] ec256_a_priv_bytes = Hex.decode(ec256_a_priv);
ec256_a_D = new BigInteger(1, ec256_a_priv_bytes);
ECPoint pub = [...]
```

Playing with Google's Identity Toolkit on openinfocard.org

2012-05-24T21:50:35.267+02:00

Today I retried Google's Identity Toolkit.
So I had to dust off my rudimentary PHP knowledge and write some scripts and minimal HTML pages.

Clicking the key hole icon opens the account chooser.

This is the result page. My site now knows some attributes about me like verifiedEmail, display name and imageUrl etc.

Next task: Rinse and repeat with http://accountchooser.net/ (image)

Debugging OAuth2 SSL Connections

2012-05-02T17:06:11.497+02:00

Debugging SSL protected protocols like oauth2 can be a problem but it is not entirely impossible nor hard to do.

One way to do it is to spoof the certificates the protocol relies on to protect the communication. The certificates are used by the client to verify that the server is the endpoint it is supposed to be talking to and to encrypt the communication. A good description for the Android operating system is given in this blog post (Intercepting and decrypting SSL communications between Android phone and 3rd party server). Nobody can blame Android for being picked here as an example; ways to do this exist for all operating systems. Yes, to install the certs you need root access; but it well may be that you have that and want to help a friend to debug their installed application on your phone. Even if the client is running on a server it may be worthwhile to debug the network traffic to find certain errors in the client implementation. An error specific to an OAuth implementation might be that your friend has a typo in the client_id or client_secret and the authorization server is rejecting requests because of that.
It might be hard for you to verify client_id and client_secret by analyzing the client. Maybe they are stored on a UICC or stored encrypted in the file system (and the keystore password is not "changeit") and are only decrypted and used when a resource owner uses the client.
By analyzing the SSL traffic you can help to find this kind of bug and all others related to protocol issues.

But maybe you don't have an SSL server to capture the plain text from an SSL connection?! Then another path you might take is to swap the client's SSL implementation with your own. You don't have to change the client's code or analyze the client's memory. Building your own version of most operating systems with your own SSL implementation is not that hard to do. Or maybe you can just register your SSL implementation to be used with all client code? Or you can swap a library?
There are more ways to achieve your goal.

But make sure that you have your friend's permission first. Not everybody might be happy with the fact that you now know the client_id and client_secret.

Have fun!

(image)

Identity Management @ RSA 2012 Europe

2012-04-28T07:08:08.233+02:00

Sharpen your keyboard and submit a paper for the Identity Management track at RSA Conference Europe 2012. The leading conference on security and all things you need to know.

From the topic description: Identity Management
Identity Management covers issues of access control, authentication, identification technologies & protocols. Sessions on Identity and Access Management (IAM) fit here, along with sessions on IAM standards and architecture. This topic also covers issues such as credential management, multifactor authentication and new methods of authentication.
The Call for Speakers closes on Friday 18th May. (image)

Myhabit.com unconfused

2012-04-26T19:10:55.117+02:00

Here is the unconfusing part which was censored in another post about the same UI.

Note the Amazon favicon and URL. (image)

OpenID Connect Test Servers

2012-01-22T11:24:59.274+01:00

Here are some experimental OpenID Connect server configurations:

https://connect-op.heroku.com/.well-known/openid-configuration
```json
{
  "version":"3.0",
  "issuer":"https://connect-op.heroku.com",
  "authorization_endpoint":"https://connect-op.heroku.com/authorizations/new",
  "token_endpoint":"https://connect-op.heroku.com/access_tokens",
  "userinfo_endpoint":"https://connect-op.heroku.com/user_info",
  "check_id_endpoint":"https://connect-op.heroku.com/id_token",
  "registration_endpoint":"https://connect-op.heroku.com/connect/client",
  "scopes_supported":["openid","profile","email","address","PPID"],
  "response_types_supported":["code","token","id_token","code token","code id_token","id_token token"],
  "user_id_types_supported":["public","pairwise"],
  "x509_url":"https://connect-op.heroku.com/cert.pem"
}
```

https://openidconnect.info/.well-known/openid-configuration
```json
{
  "version":"3.0",
  "issuer":"https://openidconnect.info/",
  "authorization_endpoint":"https://openidconnect.info/connect/authorize",
  "token_endpoint":"https://openidconnect.info/connect/token",
  "user_info_endpoint":"https://openidconnect.info/connect/userinfo",
  "check_id_endpoint":"https://openidconnect.info/connect/check_session",
  "registration_endpoint":"https://openidconnect.info/connect/register",
  "scopes_supported":["openid","profile","email","address","PPID"],
  "flows_supported":["code","token","code id_token","token id_token"],
  "identifiers_supported":["public","ppid"]
}
```

https://connect.openid4.us/.well-known/openid-configuration
```json
{
  "version":"3.0",
  "issuer":"https:\/\/connect.openid4.us",
  "authorization_endpoint":"https:\/\/connect.openid4.us\/abop\/op.php\/auth",
  "token_endpoint":"https:\/\/connect.openid4.us\/abop\/op.php\/token",
  "userinfo_endpoint":"https:\/\/connect.openid4.us\/abop\/op.php\/userinfo",
  "check_id_endpoint":"https:\/\/connect.openid4.us\/abop\/op.php\/check_id",
  "refresh_session_endpoint":"https:\/\/connect.openid4.us\/abop\/op.php\/refreshsession",
  "end_session_endpoint":"https:\/\/connect.openid4.us\/abop\/op.php\/endsession",
  "jwk_url":"https:\/\/connect.openid4.us\/connect4us.jwk",
  "jwk_encryption_url":"https:\/\/connect.openid4.us\/connect4us.jwk",
  "x509_url":"https:\/\/connect.openid4.us\/connect4us.pem",
  "x509_encryption_url":"https:\/\/connect.openid4.us\/connect4us.pem",
  "registration_endpoint":"https:\/\/connect.openid4.us\/abop\/op.php\/registration",
  "scopes_supported":["openid","profile", [...]
```
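The three documents do not even agree on field names (`userinfo_endpoint` versus `user_info_endpoint`, `response_types_supported` versus `flows_supported`), which is the kind of thing a client should notice before it starts sending tokens anywhere. Here is an added example, not from the post or any of the listed servers, of a small sanity check over a discovery document: required fields present, every `*_endpoint` on https and on the issuer's own host, and the older field names reported. The first two documents are the ones from the post, reduced to the fields used; the third is constructed to show a failing case.

```javascript
// Discovery documents from the post, reduced to the fields this check looks at.
const connectOpHeroku = {
  version: "3.0",
  issuer: "https://connect-op.heroku.com",
  authorization_endpoint: "https://connect-op.heroku.com/authorizations/new",
  token_endpoint: "https://connect-op.heroku.com/access_tokens",
  userinfo_endpoint: "https://connect-op.heroku.com/user_info",
  check_id_endpoint: "https://connect-op.heroku.com/id_token",
  registration_endpoint: "https://connect-op.heroku.com/connect/client",
  response_types_supported: ["code", "token", "id_token", "code token", "code id_token", "id_token token"],
  x509_url: "https://connect-op.heroku.com/cert.pem",
};
const openidconnectInfo = {
  version: "3.0",
  issuer: "https://openidconnect.info/",
  authorization_endpoint: "https://openidconnect.info/connect/authorize",
  token_endpoint: "https://openidconnect.info/connect/token",
  user_info_endpoint: "https://openidconnect.info/connect/userinfo",
  check_id_endpoint: "https://openidconnect.info/connect/check_session",
  registration_endpoint: "https://openidconnect.info/connect/register",
  flows_supported: ["code", "token", "code id_token", "token id_token"],
};
// Constructed failing case: a token endpoint on plain http and on a different host.
const constructedBadDoc = {
  issuer: "https://op.example",
  authorization_endpoint: "https://op.example/auth",
  token_endpoint: "http://other.example/token",
  userinfo_endpoint: "https://op.example/userinfo",
};

// Returns a list of problems; an empty list means the document passed every check.
function checkDiscoveryDocument(doc) {
  const problems = [];
  for (const f of ["issuer", "authorization_endpoint", "token_endpoint", "userinfo_endpoint"]) {
    if (typeof doc[f] !== "string") problems.push(`missing ${f}`);
  }
  // names used by some of the servers above that differ from the final Discovery spec
  if (doc.user_info_endpoint && !doc.userinfo_endpoint) problems.push("user_info_endpoint used instead of userinfo_endpoint");
  if (doc.flows_supported && !doc.response_types_supported) problems.push("flows_supported used instead of response_types_supported");
  let issuerHost = null;
  try {
    const iss = new URL(doc.issuer);
    if (iss.protocol !== "https:") problems.push("issuer is not https");
    issuerHost = iss.hostname;
  } catch (e) {
    problems.push("issuer is not a URL");
  }
  for (const [key, value] of Object.entries(doc)) {
    if (!key.endsWith("_endpoint") || typeof value !== "string") continue;
    try {
      const u = new URL(value);
      if (u.protocol !== "https:") problems.push(`${key} is not https`);
      if (issuerHost && u.hostname !== issuerHost) problems.push(`${key} host differs from issuer`);
    } catch (e) {
      problems.push(`${key} is not a URL`);
    }
  }
  return problems;
}

console.log(checkDiscoveryDocument(connectOpHeroku));    // []
console.log(checkDiscoveryDocument(openidconnectInfo));  // three naming problems
console.log(checkDiscoveryDocument(constructedBadDoc));  // http and foreign-host token endpoint
```

The same-host rule is stricter than the spec requires (an issuer may legitimately delegate endpoints to another host), so treat that one as a warning to review rather than a hard failure; the https rule is not negotiable.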

Stackoverflow.com OpenID for Firefox Mobile Login

2011-09-26T16:23:48.908+02:00

Version 1.2.1 of OpenID for Firefox Mobile works on more web pages, e.g. stackoverflow.com. You can either use the toolbar icon to start the OpenID flow, or you can use the page action to start the OpenID flow. (Screenshots: Stackoverflow.com login; OpenID for Firefox Mobile toolbar icon; OpenID for Firefox Mobile page action; Google Accounts Authorization; Stackoverflow.com account creation) [...]

n dimensional Ping Space

2011-09-19T13:59:10.042+02:00

 (image) Ping Space
In response to http://connectid.blogspot.com/2011/09/new-line-of-greeting-cards.html(image)

OpenID for Firefox Mobile Android

2011-09-14T12:42:06.614+02:00