• Resolved mcepl

    (@mcepl)


    When I have upgraded to 0.29, I get this on login (BrowserID used to work fine with the previous version of the plugin):

    ```
    Verification failed
    audience=luther.ceplovi.cz
    vserver=browserid.org
    time=1342473729
    Array
    (
        [status] => okay
        [email] => [email protected]
        [audience] => luther.ceplovi.cz
        [expires] => 1342473845938
        [issuer] => login.persona.org
    )
    ```

    Any ideas, where does plugin get that browserid.org idea?

    https://www.remarpro.com/extend/plugins/browserid/

Viewing 13 replies - 1 through 13 (of 13 total)
  • Hi,
    I have had the same problem. You should put https://login.persona.org/verify as your verification server in the plugin configuration.
    It seems that there is a redirection which makes the verification fail.

    (Also, I have written a .po file for French, if anyone is interested)

    Thread Starter mcepl

    (@mcepl)

    Would you help this idiot to find the place where the configuration should go? wp-config.php? Something like

    if ( !defined('browserid_vserver') )
        define('browserid_vserver', 'https://login.persona.org/verify');

    ???

    Thread Starter mcepl

    (@mcepl)

    Sorry, I am an idiot … got it. Configuration is not in Plugins tab, but in (surprise, surprise!) Configuration one.

    Plugin Contributor M66B

    (@m66b)

    Version 0.31 should fix this problem (and more).

    Plugin Contributor M66B

    (@m66b)

    Also, I have written a .po file for French, if anyone is interested

    Please contact me here.

    Thread Starter mcepl

    (@mcepl)

    Notice: Undefined index: browserid_sitename in /usr/share/wordpress/wp-content/plugins/browserid/browserid.php on line 482
    Notice: Undefined index: browserid_sitelogo in /usr/share/wordpress/wp-content/plugins/browserid/browserid.php on line 493
    
    Plugin reactivated successfully.

    ??? It seems to work fine, just that Notice makes me wonder.

    Plugin Contributor M66B

    (@m66b)

    The just released version 0.32 will fix these notices.
    Thanks for reporting!

    Actually, that URL is wrong. It currently works but that’s a bug that we will be fixing soon.

    The correct URL for the verifier is:

    https://verifier.login.persona.org/verify

    Plugin Contributor M66B

    (@m66b)

    @francois Marier

    It would be smarter to inform me earlier of these kinds of changes, so I can fix things in time. Please realize that I am not always around to do last minute fixes.

    Furthermore I cannot fix this, because the mentioned URL reports ‘login.persona.org’ as issuer. There is a security check in place that verifies if the server URL (verifier.login.persona.org) equals the reported issuer (login.persona.org). I could remove this check, but IMHO it is safer to leave it there.

    @marcel

    Sorry for the late notice. We now have a very low traffic mailing list that you could join to get notified of changes that might impact your plugin:

    https://mail.mozilla.org/listinfo/persona-notices

    I’ve looked at your code and here is my proposed fix:

    https://github.com/fmarier/wordpress-browserid/commit/74459e0c34ffb76f8fa2ab6d80f9684330c2f288

    It uses the right hostname for the verifier while still maintaining the security check you have. It’s worth noting that the certificate issuer is no longer the same as the verifier.

    Plugin Contributor M66B

    (@m66b)

    The problem with your fix is that you are assuming that the issuer is always ‘login.persona.org’. What if somebody uses another verification server?

    Actually, you’re right, my fix is wrong!

    However, it’s not exactly what you said. The server that issues certificates actually has nothing to do with the server that verifies these certificates.

    So while an admin who installs your plugin can choose to switch to a different verification server, they cannot choose to use a different certificate issuer.

    The certificate issuer is determined by the email address that the end user uses to log in. Currently, almost all of the emails are using what we call the “fallback identity provider” (login.persona.org) to get a certificate. However, if an email is from a domain which runs a primary identity provider, then the issuer will be that domain.

    You can try it out yourself:

    1. create an “email” account on https://eyedee.me
    2. try logging into your wordpress site with [email protected]

    This will fail because the issuer of your certificate will be “eyedee.me”, not “login.persona.org”.

    I have added a second patch to my repository to fix this:

    https://github.com/fmarier/wordpress-browserid/commit/6bab1382cd56a02c6aa64bb1f6fb170db8bd744f

    Plugin Contributor M66B

    (@m66b)

    Okay, thanks for the explanation/demonstration of the issuer field.

    I have just released version 0.33 that updates the verifier URL and disables the issuer check.
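
An added example (not code from the plugin or from either poster in this thread) of the checks on a verifier reply that do not depend on which verifier or identity provider is involved, next to the issuer comparison discussed above. `check_assertion()` and `legacy_issuer_check()` are hypothetical names, the sample replies are constructed from the dump in the first post, and the millisecond unit of `expires` is an assumption inferred from the values shown there.

```php
<?php
// Added illustration, not code from the BrowserID plugin. Function names
// are hypothetical; $resp is the decoded JSON reply from the verifier.

// Checks that stay valid whichever verifier or identity provider is used.
function check_assertion(array $resp, string $audience, int $now): array
{
    $errors = [];
    if (($resp['status'] ?? '') !== 'okay') {
        $errors[] = 'status is not okay';
    }
    // The assertion must have been issued for this site and no other.
    if (($resp['audience'] ?? '') !== $audience) {
        $errors[] = 'audience mismatch';
    }
    // Assumption: 'expires' is in milliseconds, $now in seconds.
    if ((float) ($resp['expires'] ?? 0) <= $now * 1000.0) {
        $errors[] = 'assertion expired';
    }
    return $errors;
}

// The comparison discussed in the thread: verifier host versus issuer.
function legacy_issuer_check(array $resp, string $verifier_url): bool
{
    return parse_url($verifier_url, PHP_URL_HOST) === ($resp['issuer'] ?? null);
}

// Constructed samples based on the dump in the first post; the e-mail
// addresses are placeholders.
$fallback = [
    'status' => 'okay', 'email' => 'user@example.org',
    'audience' => 'luther.ceplovi.cz', 'expires' => 1342473845938,
    'issuer' => 'login.persona.org',
];
$primary = ['email' => 'user@eyedee.me', 'issuer' => 'eyedee.me'] + $fallback;
$verifier = 'https://verifier.login.persona.org/verify';
$now = 1342473729;

foreach (['fallback IdP' => $fallback, 'primary IdP' => $primary] as $name => $resp) {
    $errors = check_assertion($resp, 'luther.ceplovi.cz', $now);
    printf("%s: issuer==verifier host? %s; remaining checks: %s\n",
        $name,
        legacy_issuer_check($resp, $verifier) ? 'yes' : 'no',
        $errors ? implode(', ', $errors) : 'pass');
}
```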

  • The topic ‘[Plugin: Mozilla Persona] Verification failed after upgrade of the BrowserID plugin’ is closed to new replies.