InternalOpenIDError: Failed to verify assertion

[dsluijk]

Hello,

I've been running in this issue all day, and I still don't know totally how to fix it.

I've got this error with this module, both on node 4.4 and node 6.0

InternalOpenIDError: Failed to verify assertion
    at D:\Projects\csgo\node_modules\passport-steam\node_modules\passport-openid-node6support\lib\passport-openid\strate
gy.js:184:36
    at Object.openid.verifyAssertion (D:\Projects\csgo\node_modules\passport-steam\node_modules\passport-openid-node6sup
port\node_modules\openid\openid.js:916:14)
    at openid.RelyingParty.verifyAssertion (D:\Projects\csgo\node_modules\passport-steam\node_modules\passport-openid-no
de6support\node_modules\openid\openid.js:65:10)

So naturally I digged in the source code, and changed this line:

  , OpenIDStrategy = require('passport-openid-node6support').Strategy

to:

  , OpenIDStrategy = require('passport-openid').Strategy

This resolved the issue on node 4.4, but got an error on node 6.0 (that's why that modules is created i guess):

error: An uncaught exception has taken place! TypeError: params.hasOwnProperty is not a function
    at _checkSignatureUsingProvider (D:\Projects\csgo\node_modules\passport-openid\node_modules\openid\openid.js:1148:15
)
    at _checkSignature (D:\Projects\csgo\node_modules\passport-openid\node_modules\openid\openid.js:1083:5)
    at _verifyAssertionAgainstProviders (D:\Projects\csgo\node_modules\passport-openid\node_modules\openid\openid.js:104
7:12)

Anyone has fixed that first issue? There where some discussions with the same issue, but nothing fixed that for me (relevant: #27 ). These are part of my code:

passport.use(new SteamStrategy({
        returnURL: 'http://**snap**/api/auth/return',
        realm: 'http://**snap**',
        apiKey: config.get('apiKey'),
        stateless: true
    },
    function(identifier, profile, done) {
        console.log(identifier); //Logging output
        console.log(profile);
        profile.identifier = identifier;
        return done(null, profile);
    }
));

router.route('/')
    .get(passport.authenticate('steam'));

router.route('/return')
    .get(passport.authenticate('steam', { failureRedirect: '/' }),
        function (req, res) {
            console.log(req.user);
            res.redirect('/');
        }
    );

[jennyl]

I got the params.hasOwnProperty is not a function error with node 6.x on aws. Otherwise, works perfectly on local machine (node 4.4.3).

Also, @atlasdev did you include passport.serializeUser(... and passport.deserializeUser(... functions in your code?

[dsluijk]

@jennyl Yes I have, but really basic:

passport.serializeUser(function(user, done) {
    done(null, user);
});

passport.deserializeUser(function(obj, done) {
    done(null, obj);
});

[sezeryldz]

Just update all npm packages.. it fixes the problem, the cause of problem is not about this repo.. its about packages.

[michaelwitk]

Any solutions? I'm stuck. None of the node openid packages work reliably,...

[tobbbles]

npm update should do the trick in line with @Secretmars.

I tested all examples on the latest version before publishing. And this bug is producible, at least not reliably.

[michaelwitk]

Done so, even went into the packages to run this command to ensure all packages are up-to-date. Still encountering this error 90% of the time.

npm ls (ignore openid being inside passport-steam, drag n drop mistake which doesnt effect anything anyways)

Anything you can spot being outdated?

edit:
deleted all packages and only installed the one I'm using as of now (nmp ls) will report back within 24h if error persists.
edit2:
error persists, no idea what to do... error

[tobbbles]

@notJackson are you using NPM3?

[sezeryldz]

it works without problems on my project, no idea what is wrong with yours..

[tobbbles]

Update to NPM3, that should fix the issue

On Fri, 3 Jun 2016, 23:05 notJackson, notifications@github.com wrote:

npm version
{ npm: '2.15.1',
ares: '1.10.1-DEV',
http_parser: '2.5.2',
icu: '56.1',
modules: '46',
node: '4.4.3',
openssl: '1.0.2g',
uv: '1.8.0',
v8: '4.5.103.35',
zlib: '1.2.8' }

I have now enabled profile: true (rather not false) and it works ever
since. I'll keep you updated if something happens.

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
#37 (comment),
or mute the thread
https://github.com/notifications/unsubscribe/AJoYe3fIVNPft8v0ucoRCNabdGmeySHKks5qIKUfgaJpZM4Il-Mq
.

[michaelwitk]

Thanks for the quick response, if it happens to bug again I will upgrade within a heartbeat.
Thank you so much. (If its that what you referred at earlier (and also Secretmars) I feel stupid.)

[tobbbles]

Going to leave this issue open for a few more days, if there's no more bug-like activity I'll close it.

[michaelwitk]

script
npm ls
npm ls --depth=0
npm version

Still encountering the same error :( The thing is, it sometimes works, but mostly doesnt. I'm frustrated. (Ran npm update in every directory possible at this point btw)

[mprey]

experiencing the same error.

npm version: 3.9.3
node version: 6.2.1
"passport": "^0.3.2",
"passport-steam": "^1.0.2",

[michaelwitk]

"curl http://steamcommunity.com/openid" ~4/10 requests are not succesful.
(In the periods where logging in is not possible, lucky random successful logins do not occur from my experience.)
I have yet to test the average responses when logging in does work.

Stationed on digital ocean. @mprey Where are you hosting your files?

[mprey]

@notJackson hosted my files on my local machine and a deployed heroku app with different API keys and experienced the same error on both machines.

I am able to retrieve the XML file on my local machine with
curl http://steamcommunity.com/openid

[tobbbles]

@mprey @notJackson

Couple you please follow advice in #31 (comment) and see if that helps, I've got a feeling this is a similar issue.

[mprey]

@mnzt flushing DNS came out with the same result.

I have tried my own source code and welp's in this issue hosted on my own local machine and deployed as a heroku app. I have also tried signing in with two different machines on the heroku app with no avail. I have a feeling there is a version clashing going on, so I am going to test different releases for the package to see what comes.

[mprey]

after many, many hours of debugging I am pretty sure I found the error.

in the signon example provided in the passport-steam source, the example routed the authentication requests using

app.get('/auth/steam',
passport.authenticate('steam', { failureRedirect: '/' }),
function(req, res) {
res.redirect('/');
});

however, in my app, I was using express's built in Router in order to route authentication requests like so:

var express = require('express');
var router = express.Router();
var passport = require('passport');

router.get('/steam',
   passport.authenticate('steam', { failureRedirect: '/' }),
  function(req, res) {
    res.redirect('/');
 });


router.get('/steam/return',
  passport.authenticate('steam', { failureRedirect: '/' }),
  function(req, res) {
    res.redirect('/');
  });

module.exports = router;

when I changed back to using the native app provided by calling express(), passport-steam worked flawlessly and after further testing by switching between the two routing techniques supports my conclusion.

any insight on why this may happen would be great since I am fairly new to Node.

[tobbbles]

@mprey Thanks for taking the time to debug. I, and I'm sure many others, have used passport via an express router with no issues, although it's interesting to see you're having this issue.

[michaelwitk]

I am now running the example provided on my server and also experiencing this error. I will try another service and report back.

[praneeth101]

I'm having the same issue.
@mprey I noticed the exact same thing. It is having problems when used with Router()

[praneeth101]

I was able to fix this for myself. I used express-generator for my project. I have a file named auth.js in the /routes directory that handles the authentication. I export the router variable just like @mprey does. And in the main app.js file I have this:

var auth = require('./routes/auth');
app.use('/auth', auth);

So basically /auth/steam becomes /auth/auth/steam on the site. When I was doing it like this, I was experiencing the Failed to verify assertion error. Now, I'm using the auth variable on the website root, like so:

var auth = require('./routes/auth');
app.use('/', auth);

Now everything works fine. And all of the working examples I've seen have it on /
Might be a bug. I'm fairly new to node, please correct me if there is any mistake in my analogy.

[dsluijk]

Can confirm it happens with Router, I use it as well. I will soon (tomorrow, maybe the day after) look into the issue again with a fresh install of everything.

[kerrop33]

I try to run the example signon with steam API(https://steamcommunity.com/dev/apikey) domain name http://localhost:3000/. I get an error every time steam API return data.

F:\Web\steam\steam3\node_modules\openid\openid.js:1148
if(params.hasOwnProperty(key) && key != 'openid.mode')
^

TypeError: params.hasOwnProperty is not a function
at _checkSignatureUsingProvider (F:\Web\steam\steam3\node_modules\openid\openid.js:1148:15)
at _checkSignature (F:\Web\steam\steam3\node_modules\openid\openid.js:1083:5)
at _verifyAssertionAgainstProviders (F:\Web\steam\steam3\node_modules\openid\openid.js:1047:12)
at F:\Web\steam\steam3\node_modules\openid\openid.js:1012:7
at F:\Web\steam\steam3\node_modules\openid\openid.js:545:7
at F:\Web\steam\steam3\node_modules\openid\openid.js:411:16
at Request._callback (F:\Web\steam\steam3\node_modules\openid\openid.js:174:7)
at Request.self.callback (F:\Web\steam\steam3\node_modules\request\request.js:200:22)
at emitTwo (events.js:106:13)
at Request.emit (events.js:191:7)

node: v6.1.0

npm: 3.8.6

package:

{
"name": "passport-steam-examples-signon",
"version": "0.0.0",
"dependencies": {
"express": ">= 0.0.0",
"ejs": ">= 0.0.0",
"passport": ">= 0.0.0",
"passport-steam": "^0.1.6",
"express-session": "^1.12.1",
"pkginfo": "*",
"passport-openid-node6support": "^1.0.0",
"steam-web": "~0.2.4"
}
}

I hope someone can help. Thanks in advance

[tobbbles]

@kerrop33 use node 4.4.5.

I need to see if openid has a working version for node 6

[mavrick]

Currently getting similar issue

{ [InternalOpenIDError: Failed to verify assertion]
  name: 'InternalOpenIDError',
  message: 'Failed to verify assertion',
  openidError: { message: 'Invalid return URL' } }

node 5.6.0

npm 3.6.0

npm version

{ npm: '3.6.0',
  ares: '1.10.1-DEV',
  http_parser: '2.6.1',
  icu: '56.1',
  modules: '47',
  node: '5.6.0',
  openssl: '1.0.2f',
  uv: '1.8.0',
  v8: '4.6.85.31',
  zlib: '1.2.8' }

passport.use('steam', new SteamStrategy(
    {
        returnURL: 'https://dfrag.tv/auth/steam/return',
        realm: 'https://dfrag.tv/',
        apiKey: config.get('steamKey'),
        passReqToCallback: true
    },

    function(req, identifier, profile, done) 
    {
       done(null, profile);
    }
));

[tobbbles]

@mavrick Can you see if it works with node 4.4.5? If so, then there may be an underlying issue.

[demipixel]

Likely doesn't help that I was still using passport-steam v0.1.6. Thanks.

[WhiteMinds]

i want to custom dynamic returnUrl.
such as: xx.com/auth/steam?reUrl=http://xx.com/test.html
new SteamStrategy returnUrl is fixed
what i got to do?

[scholtzm]

You could just redirect the user after reaching the return URL.

[serge1peshcoff]

Can confirm this on node v6, running example from this repository fails with this error. On node v4, everything works fine though.

[KronKraken-zz]

Anyone found an actual fix for this yet?

[ghost]

Any fix for this? I've tried everything mentioned above but I'm still getting InternalOpenIDError: Failed to verify assertion.

• passport.serializeUser() and passport.deserializeUser() are included
• Update to NPM3
• I am able to retrieve the XML file on my local machine with curl http://steamcommunity.com/openid
• With and without express's built in Router for route authentication requests
• node version 4.45 and node 6
  @praneeth101 could you pls provide a snippets for your solution mentioned in #37 comment

[scholtzm]

@Ava-a Does the passport-steam example work for you? Are you ever able to log in?

The issue itself has nothing to do with passport-steam though. Whenever the assertion fails, passport-openid throws an error.

It's very easy to manually trigger this error too.

[mrandri19]

Provably it's not your case but if the error is invalid or replied nonce check your system clock.
In my case it was +2 hours and it wouldn't work

[ghost]

@scholtzm I'm getting this response when I run the passport-openid test:

:1 - - [30/Jun/2016:12:43:15 +0000] "POST /auth/openid HTTP/1.1" 302 56 "http://localhost:3000/login" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
::1 - - [30/Jun/2016:12:43:15 +0000] "GET /login HTTP/1.1" 304 - "http://localhost:3000/login" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"

I'm gonna use steam-login for now.

[Burnett01]

Before I start with the explanation of this issue, here the main facts:

• This is not an issue of passport-steam
• This is not an issue of node-openid
• This is not an issue of passport-openid
• This issue only appears when an express.js router is used

---

Let us start with the following setup:

app.js:

var authRoutes = require('./routes/auth.js');
app.use('/auth', authRoutes );

/routes/auth.js:

var express = require('express');
var router = express.Router();

router.get('/steam',
   passport.authenticate('steam', { failureRedirect: '/' }),
   function(req, res) {
      res.redirect('/');
   });

router.get('/steam/response',
   passport.authenticate('steam', { failureRedirect: '/' }),
   function(req, res) {
      res.redirect('/');
   });

module.exports = router;

SteamStrategy configuration:

new SteamStrategy({
    returnURL: 'http://localhost:3000/auth/steam/response',
    realm: 'http://localhost:3000/',
    apiKey: 'Your API key here'
}

Now try to authenticate and you will receive the error "Failed to verify assertion".

The error-message "Failed to verify assertion" is just a header for a more specific error.
To find out what kind of error is returned, we need to inspect the attached openidError object.

Simply pass a callback to the passport.authenticate method:

router.get('/steam/response',
   passport.authenticate('steam', function(err){
      console.log(err); // Returns the openidError object
   });

The route above will not continue since we didn't specify any res.send nor next(). This not important cus we only want to receive the error object in our console.

Once ran, the following error was returned:

openidError: { message: 'Invalid return URL' } }

As you can see, the return URL appeard to be invalid.
So I checked the return URL with my SteamStrategy configuration, but nothing seemed wrong.

node-openid/openid.js
Going deeper by following the error-stack, I found out that in the node-openid module, the pathname of the assertionUrl did not match the received pathname.

if (originalReturnUrl.protocol !== receivedReturnUrl.protocol || // Verify scheme against original return URL
      originalReturnUrl.host !== receivedReturnUrl.host || // Verify authority against original return URL
      assertionUrl.pathname !== receivedReturnUrl.pathname) { // Verify path against current request URL
        console.log(assertionUrl.pathname); //<-- Wrong URL
        console.log(receivedReturnUrl.pathname); //<-- Correct URL
    return false;
  }

=> https://github.com/havard/node-openid/blob/master/openid.js#L938

I noticed that the assertionUrl.pathname did not return the same URL as set up in the SteamStrategy configuration.

Output:

So I went upwards the stack to check what URL is used during the assertion-verification-procedure.

passport-openid/strategy.js:

this._relyingParty.verifyAssertion(req.url, function(err, result) {

=> https://github.com/jaredhanson/passport-openid/blob/master/lib/passport-openid/strategy.js#L183

Interesting!

As you can see the module passport-openid uses req.url in order to verify the assertion.
While this is perfectly fine, it conflicts with an express.Router:

See the statement in the Express API documentation:

[...] the “mounting” feature of app.use() will rewrite req.url to strip the mount point.

=> http://expressjs.com/de/api.html#req.originalUrl

Bingo!

That is why req.url will not return the full-path, eg. the mount point.

In order to keep the mount point we must use req.originalUrl instead of req.url

You can test this with a simple setup:

app.js:

var authRoutes = require('./routes/auth.js');
app.use('/auth', authRoutes );

/routes/auth.js:

var express = require('express');
var router = express.Router();

router.get('/test', function(req, res, next) {
    console.log(req.url)
    console.log(req.originalUrl)
    next();
});

/* Output:
/test
/auth/test
*/

router.get('/test/response', function(req, res, next) {
    console.log(req.url)
    console.log(req.originalUrl)
    next();
});

/* Output:
/test/response
/auth/test/response
*/

Conclusion:

Use req.originalUrl instead of req.url.

Let's do this by adding a simple middleware in front of passport.authenticate:

function use_orginalurl(req, res, next){
    req.url = req.originalUrl;
    next();
}

router.get('/steam/response', use_orginalurl, 
passport.authenticate('steam', { failureRedirect: '/' }),
function(req, res){
    res.redirect('/');
});

//or simpler:

router.get('/steam/response', 
   function(req, res, next){
      req.url = req.originalUrl; next();
   }, passport.authenticate('steam', { failureRedirect: '/' }),
   function(req, res){
      res.redirect('/');
   });

[andrewda]

@Burnett01 Beautifully explained. I haven't been having this issue, but that should certainly clear everything up for those who are having the issue.

[beuted]

@Burnett01 thanks a lot I had the exact same issue, nice workaround. This should be added to the example ! https://github.com/liamcurry/passport-steam/blob/master/examples/signon/app.js

[welps]

@Burnett01 Thanks so much for your help! I've taken @beuted's suggestion and created a separate example that demonstrates the workaround you've listed.

I've added you to the contributors list for your debugging work! Thanks!

[artch]

@Burnett01 thanks for this! I stuck with this issue as well. The only question is, why did it happen only from time to time, if it is some kind of persistent misconfiguration?

[scholtzm]

As per my older comment here, you can easily trigger this manually by providing invalid OpenID data. The data also expires, so some users might trigger this accidentally even if they don't tinker with the data at all, just by going AFK while logging in.

[feed4rz]

For me this error was fired, when you get incorrect response from Steam itself. It happens mostly when you have sent too many requests recently, so SteamAPI returns you "Access denied..." page.

[busheezy]

I got an alert for this so I guess I'll post what it ended up being for me. My VPS provider switched me to a new box an in the process it killed my time. The ntp configuration was broken because they block most ip's and for some reason my ntp server config was lost. I spent a good few days trying to figure out the problem and it ended up being the wrong time on my VPS.

[Maarethyu]

@scholtzm
I am experiencing this error but only when invalid data is passed, for example when the data is expired, it's used twice or even when steam is in maintenance.
Thing is it just throw a stacktrace to the logs AND to the user.

Why don't this use the failureRedirect option instead of throwing ?
Is there any way I can prevent this ?

[scholtzm]

It's not throwing, the error should be either passed to callback or next error handler: https://github.com/jaredhanson/passport/blob/ad5fe1dfaeb79f81ba21f99e6025daa0dec87e6e/lib/middleware/authenticate.js#L351

[Maarethyu]

@scholtzm Could you write a quick example on how to catch that error ? I can't figure it out myself sadly.

[scholtzm]

Personally, I don't use passport at all since all I need is Steam's OpenID. I'd have to setup everything from scratch.

However, the error should be passed all the way to your express error handler: https://expressjs.com/en/guide/error-handling.html

Another options seems to be to pass callback to authenticate middleware:

passport.authenticate('steam', { failureRedirect: '/login' }, (err, ...otherArgs) => {
  // do something with err
});

[Maarethyu]

So I tried @scholtzm example to catch errors, but this is just the passport callback, if you use it, it will bypass passport-steam.
I just used another middleware to catch the passport errors after it

app.get('/auth/return',
  passport.authenticate('steam', {failureRedirect: '/'}),
  (err, req, res, next) => {
    if (err) console.error(err);
    next();
  }, (req, res) => {
    res.redirect('/');
});

[haziqfiqri]

I'm having issues with when an existence user trying to login back, non existence user login works alright, tried @Burnett01 solution but doesnt work tho, still get the error. How can I solve this, Can someone kindly help?

node version: v10.16.0
passport: 0.4.0
passport-steam: 1.0.11

InternalOpenIDError: Failed to verify assertion

/routes/auth.js

function use_orginalurl(req, res, next){
    req.url = req.originalUrl;
    next();
}

router.get('/steam', use_orginalurl,
    passport.authenticate('steam', { failureRedirect: '/' }),
        function(req, res) {
        res.redirect('/');
});

router.get('/steam/return',
    function(req, res, next) {
        req.url = req.originalUrl;
        next();
    }, 
    passport.authenticate('steam', { failureRedirect: '/' }),
        function(req, res) {
        res.redirect('/');
});

app.js

const authRoutes = require('./routes/auth');
passport.use(new SteamStrategy({
    returnURL: 'http://localhost:3000/auth/steam/return',
    realm: 'http://localhost:3000/',
    apiKey: 'XXXXXXXXXXXXXXXXXXXXXXX'
    }, 
    function (identifier, profile, done){
        var steamId = identifier.match(/\d+$/)[0];
        var profileURL = 'http://api.steampowered.com/ISteamUser/GetPlayerSummaries/v0002/?key=' + 'XXXXXXXXXXXXXXXXXXXXXXX' + '&steamids=' + steamId;

        User.findOne({ steamId: steamId}, function(err, user){
            if(user){
                User.updateOne({ steamId }, {
                    $set: profile
                }, {
                    upsert: true
                }, (err) => {
                    if (err) {
                        console.log(err);
                    }
                });
            }
            else{
                request(profileURL, function (error, response, body){
                    if (!error && response.statusCode === 200) {
                        var data = JSON.parse(body);
                        var profile = data.response.players[0];

                        var user = new User();
                        user.username = profile.personaname;
                        user.profileURL = profile.profileurl;
                        user.profileImageURL = profile.avatarfull;
                        user.steamId = steamId;
                    
                        user.save(function(err){
                            done(err, user);
                        });
                    }
                    else{
                        done(err, null);
                    }
                });
            }
        });
}));
app.use('/auth', authRoutes);

[qexyorg]

Hope this help someone

List of errors returning "Failed to verify assertion":
https://i.imgur.com/TGiBv2C.png

Take a look to the five minutes limit and set the correct time on the server

[Mirasaki]

This issue has now resurfaced: #129