I have spent the last 3-4 hours now trying to get rid of that warning that Yahoo is presenting to the user. I think i have done everything right but i still get the message. I have tried so many stuff now that i don't really know what i tried and not tried.

I would be so greatfull if anyone want to take a look at http://alternativeto.net/login.aspx and try to login via yahoo and help me out.

Thanks!

I already have a xrds document located here: http://alternativeto.net/xrds.aspx

I think it should have the correct content-type and so on. I also have a meta tag both on the login.aspx page and the default document page (index.aspx).

I also set a header Response.AddHeader("X-XRDS-Location", "http://alternativeto.net/xrds.aspx");

But i still get the warning. It mest be something strange somewhere. Can i debug this in some way via firebug or something and see what Yahoo is looking for or something?

Hi Ola,

The problem is the X-XRDS-Location is set as 'http://dev.ohso.se/xrds.xml' which is inaccessible from the yahoo login servers. I checked with the following command 'curl -v http://alternativeto.net'

Gah, i uploaded some local debug code. Everything should be pointing the correct way now but it still don't work.

The issue is the status code of the url (it must be http status code 200), currently the request is a redirect.

curl -v http://www.alternativeto.net
* About to connect() to www.alternativeto.net port 80 (#0)
* Trying 72.32.147.162... connected
* Connected to www.alternativeto.net (72.32.147.162) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.19.6 (i386-apple-darwin10.0.0) libcurl/7.19.6 OpenSSL/0.9.8k zlib/1.2.3
> Host: www.alternativeto.net
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Set-Cookie: X-Mapping-pfddgonl=A3596D31FEF096F6D024754A472DF1B8; path=/
< Content-Length: 148
< Date: Tue, 20 Oct 2009 22:28:58 GMT
< Location: http://alternativeto.net/
< Server: Microsoft-IIS/7.0
< X-Powered-By: ASP.NET
< Content-Type: text/html; charset=UTF-8
<
<head><title>Document Moved</title></head>
* Connection #0 to host www.alternativeto.net left intact
* Closing connection #0
<body><h1>Object Moved</h1>This document may be found <a HREF="http://alternativeto.net/">here</a></body>

If you want to use www.alternativeto.net instead of alternativeto.net, you should specify www.alternativeto.net in the xrds document.

For what I can see, the problem is that you don't send the right content type along with the xrds file. It's sent as "text/xml" but should be "application/xrds+xml".

Make sure you add this header:

Content-Type: application/xrds+xml

and all should be good.

--
Visit http://www.ilikealot.com and share YOUR passion

Hi Ola -

I took a look at your site, and I can't figure out why you're seeing the warning, since you are correctly publishing the X-XRDS-Location HTTP header under your realm. We'll take a look at at our sever logs and try to debug the problem on our side.

Thanks for your patience, I'll have a response for you tomorrow.

Thanks
Allen

Hi Ola,

We investigated further, and have found the root cause. Unfortunately, we won't be able to fix it on our side until early December.

When the Yahoo OP verifies your return_to endpoint, we make an HTTP request to the URL of the realm in your authentication request to find the XRDS document. In your case, we make an HTTP request to http://alternativeto.net/

In order to help protect the Yahoo OP from getting stuck when making outbound requests, we impose a size limit on the amount that we'll download before we abort the request. The sizelimit is currently 50KB, which is admittedly way too small, and we'll be bumping it up to at at at least 256KB in December. The size for http://alternativeto.net/ is approximately 70KB, which exceeds our sizelimit. The sizelimit is only on the actual HTML that's downloaded when the Yahoo OP fetches your realm, it does not include any javascript/images/css/flash that's downloaded as separate objects. Most sites that use OpenID generally have very lightweight realms, so this is usually not a problem, although a few others have ran into this.

I do agree that there's room for improvement on the Yahoo OP, and we'll fix this the next time the Yahoo OP has its regularly scheduled maintenance in December.

In the meantime here's what you can do:

1) Try to shrink htttp://alternativeto.net, by breaking out some of the JS/CSS into separate files
2) Change your realm to http://alternativeto.net/login.aspx and add the following to the <head> section of the doc - as you did on your home page:
<meta http-equiv="X-XRDS-Location" content="http://alternativeto.net/xrds.xml" />

Hope that helps, thanks forusing OpenID, and thank you for your patience in debugging this.

Allen