Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

InternalOpenIDError: Failed to verify assertion

See original GitHub issue

Hello,

I’ve been running in this issue all day, and I still don’t know totally how to fix it.

I’ve got this error with this module, both on node 4.4 and node 6.0

InternalOpenIDError: Failed to verify assertion
    at D:\Projects\csgo\node_modules\passport-steam\node_modules\passport-openid-node6support\lib\passport-openid\strate
gy.js:184:36
    at Object.openid.verifyAssertion (D:\Projects\csgo\node_modules\passport-steam\node_modules\passport-openid-node6sup
port\node_modules\openid\openid.js:916:14)
    at openid.RelyingParty.verifyAssertion (D:\Projects\csgo\node_modules\passport-steam\node_modules\passport-openid-no
de6support\node_modules\openid\openid.js:65:10)

So naturally I digged in the source code, and changed this line:

  , OpenIDStrategy = require('passport-openid-node6support').Strategy

to:

  , OpenIDStrategy = require('passport-openid').Strategy

This resolved the issue on node 4.4, but got an error on node 6.0 (that’s why that modules is created i guess):

error: An uncaught exception has taken place! TypeError: params.hasOwnProperty is not a function
    at _checkSignatureUsingProvider (D:\Projects\csgo\node_modules\passport-openid\node_modules\openid\openid.js:1148:15
)
    at _checkSignature (D:\Projects\csgo\node_modules\passport-openid\node_modules\openid\openid.js:1083:5)
    at _verifyAssertionAgainstProviders (D:\Projects\csgo\node_modules\passport-openid\node_modules\openid\openid.js:104
7:12)

Anyone has fixed that first issue? There where some discussions with the same issue, but nothing fixed that for me (relevant: #27 ). These are part of my code:

passport.use(new SteamStrategy({
        returnURL: 'http://**snap**/api/auth/return',
        realm: 'http://**snap**',
        apiKey: config.get('apiKey'),
        stateless: true
    },
    function(identifier, profile, done) {
        console.log(identifier); //Logging output
        console.log(profile);
        profile.identifier = identifier;
        return done(null, profile);
    }
));

router.route('/')
    .get(passport.authenticate('steam'));

router.route('/return')
    .get(passport.authenticate('steam', { failureRedirect: '/' }),
        function (req, res) {
            console.log(req.user);
            res.redirect('/');
        }
    );

Issue Analytics

  • State:closed
  • Created 7 years ago
  • Reactions:6
  • Comments:60 (9 by maintainers)

github_iconTop GitHub Comments

27reactions
Burnett01commented, Jul 7, 2016

Before I start with the explanation of this issue, here the main facts:

  • This is not an issue of passport-steam
  • This is not an issue of node-openid
  • This is not an issue of passport-openid
  • This issue only appears when an express.js router is used

Let us start with the following setup:

app.js:

var authRoutes = require('./routes/auth.js');
app.use('/auth', authRoutes );

/routes/auth.js:

var express = require('express');
var router = express.Router();

router.get('/steam',
   passport.authenticate('steam', { failureRedirect: '/' }),
   function(req, res) {
      res.redirect('/');
   });

router.get('/steam/response',
   passport.authenticate('steam', { failureRedirect: '/' }),
   function(req, res) {
      res.redirect('/');
   });

module.exports = router;

SteamStrategy configuration:

new SteamStrategy({
    returnURL: 'http://localhost:3000/auth/steam/response',
    realm: 'http://localhost:3000/',
    apiKey: 'Your API key here'
}

Now try to authenticate and you will receive the error “Failed to verify assertion”.

The error-message “Failed to verify assertion” is just a header for a more specific error. To find out what kind of error is returned, we need to inspect the attached openidError object.

Simply pass a callback to the passport.authenticate method:

router.get('/steam/response',
   passport.authenticate('steam', function(err){
      console.log(err); // Returns the openidError object
   });

The route above will not continue since we didn’t specify any res.send nor next(). This not important cus we only want to receive the error object in our console.

Once ran, the following error was returned:

openidError: { message: ‘Invalid return URL’ } }

As you can see, the return URL appeard to be invalid. So I checked the return URL with my SteamStrategy configuration, but nothing seemed wrong.

node-openid/openid.js Going deeper by following the error-stack, I found out that in the node-openid module, the pathname of the assertionUrl did not match the received pathname.

if (originalReturnUrl.protocol !== receivedReturnUrl.protocol || // Verify scheme against original return URL
      originalReturnUrl.host !== receivedReturnUrl.host || // Verify authority against original return URL
      assertionUrl.pathname !== receivedReturnUrl.pathname) { // Verify path against current request URL
        console.log(assertionUrl.pathname); //<-- Wrong URL
        console.log(receivedReturnUrl.pathname); //<-- Correct URL
    return false;
  }

=> https://github.com/havard/node-openid/blob/master/openid.js#L938

I noticed that the assertionUrl.pathname did not return the same URL as set up in the SteamStrategy configuration.

Output: 8tbagas

So I went upwards the stack to check what URL is used during the assertion-verification-procedure.

passport-openid/strategy.js:

this._relyingParty.verifyAssertion(req.url, function(err, result) {

=> https://github.com/jaredhanson/passport-openid/blob/master/lib/passport-openid/strategy.js#L183

Interesting!

As you can see the module passport-openid uses req.url in order to verify the assertion. While this is perfectly fine, it conflicts with an express.Router:

See the statement in the Express API documentation:

[…] the “mounting” feature of app.use() will rewrite req.url to strip the mount point.

=> http://expressjs.com/de/api.html#req.originalUrl

Bingo!

That is why req.url will not return the full-path, eg. the mount point.

In order to keep the mount point we must use req.originalUrl instead of req.url

You can test this with a simple setup:

app.js:

var authRoutes = require('./routes/auth.js');
app.use('/auth', authRoutes );

/routes/auth.js:

var express = require('express');
var router = express.Router();

router.get('/test', function(req, res, next) {
    console.log(req.url)
    console.log(req.originalUrl)
    next();
});

/* Output:
/test
/auth/test
*/

router.get('/test/response', function(req, res, next) {
    console.log(req.url)
    console.log(req.originalUrl)
    next();
});

/* Output:
/test/response
/auth/test/response
*/

Conclusion:

Use req.originalUrl instead of req.url.

Let’s do this by adding a simple middleware in front of passport.authenticate:

function use_orginalurl(req, res, next){
    req.url = req.originalUrl;
    next();
}

router.get('/steam/response', use_orginalurl, 
passport.authenticate('steam', { failureRedirect: '/' }),
function(req, res){
    res.redirect('/');
});

//or simpler:

router.get('/steam/response', 
   function(req, res, next){
      req.url = req.originalUrl; next();
   }, passport.authenticate('steam', { failureRedirect: '/' }),
   function(req, res){
      res.redirect('/');
   });
13reactions
sezeryldzcommented, Jun 3, 2016

Just update all npm packages… it fixes the problem, the cause of problem is not about this repo… its about packages.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Steam OpenId invalid signature InternalOpenIDError
Seems like the authentication that was implemented by steam changed in April 2018 and they included HTTPS in the protocol.
Read more >
Developers - InternalOpenIDError: Failed to verify assertion -
I've read all issues about this topic and none of them help me to solve this problem. Somebody can help solve this issue?...
Read more >
Steam OAuth issues the last couple of days. | Screeps Forum
InternalOpenIDError: Failed to discover OP endpoint URL ... InternalOpenIDError: Failed to verify assertion
Read more >
Tsed-io/community
But my point being if it fails surely I should be able to catch the fail? Romain Lenzotti. @Romakita. Hum… no sure because...
Read more >
Steam (OpenID) authentication strategy for Passport.
verifyAssertion(req.url, function(err, result) { if (err) { return self.error(new InternalOpenIDError('Failed to verify assertion', ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

InternalOpenIDError: Failed to discover OP endpoint URL

Next page

[Question]How make it work with Handlebars?