Direct verification fails

Hi All

I'm trying to implement OpenID sign-on on my site using Yahoo as an OP. I must admit, I'm not really all that well up on the whole OpenID process but so far I've managed to struggle through problems with realm verification and nonce verification etc to an almost complete process. The problem I've hit now is towards the end of the process, as my code tries to verify the OpenID identifier URL that was returned, it finds no existing association at our end so tries direct verification with Yahoo but this also fails. I'm using the same process using Google as an OP and the direct verification step succeeds so I'm wondering if Yahoo supports direct verification and if so, does anyone know under what circumstances direct verification will/can fail?

3 Replies
  • Hi,

    Yahoo! OP does support direct verification. Can you please post
    details about the HTTP requests and responses you got so we
    can help check it from our side?

    An independent blog provides some troubleshooting tips which
    might be helpful for you:
    http://eddevelop.blogspot.com/2008/11/open...penid4java.html

    Thanks,
    Yu Wang
    Yahoo! Membership


    QUOTE (the_farwall @ Jan 19 2009, 02:22 AM)
    Hi All

    I'm trying to implement OpenID sign-on on my site using Yahoo as an OP. I must admit, I'm not really all that well up on the whole OpenID process but so far I've managed to struggle through problems with realm verification and nonce verification etc to an almost complete process. The problem I've hit now is towards the end of the process, as my code tries to verify the OpenID identifier URL that was returned, it finds no existing association at our end so tries direct verification with Yahoo but this also fails. I'm using the same process using Google as an OP and the direct verification step succeeds so I'm wondering if Yahoo supports direct verification and if so, does anyone know under what circumstances direct verification will/can fail?
  • Hi
    Thanks for the response, I don't have an easy way of capturing the exact HTTP messages and my boss doesn't seem happy with the idea of me spending time to set that up and help debug this (though still wants me to fix it, go figure :s). Hopefully I'll get chance to eventually but for now here is the debug that the openid4java library that I'm using logs, I don't know if it's of any use but it's all I have at the moment.

    - Starting discovery on URL identifier: http://yahoo.com/
    - Yadis discovery succeeded on http://yahoo.com/
    - Using Yadis normalized URL as claimedID: http://www.yahoo.com/
    - Discovered 1 OpenID endpoints.
    - Trying to associate with https://open.login.yahooapis.com/openid/op/auth attempts left: 4
    - Going to buffer response body of large or unknown size. Using getResponseBodyAsStream instead is recommended.
    - Association attempt failed.
    - Going to buffer response body of large or unknown size. Using getResponseBodyAsStream instead is recommended.
    - Associated with https://open.login.yahooapis.com/openid/op/auth handle: wbMOm5dy6dlF_HbK5IdSTAscp7c8DFzFORHzcDXq4GboJM4kyJCqUmv9hI0YuHSouWPGDCfAOo5R7w0AYbSJQK1hmBTvIHtTWOdIpP70FAoOhORMJxUtDboU8Vnz6RMV
    - Trying to associate with https://open.login.yahooapis.com/openid/op/auth attempts left: 4
    - Found an existing association.
    - Creating authentication request for OP-endpoint: https://open.login.yahooapis.com/openid/op/auth claimedID: http://specs.openid.net/auth/2.0/identifier_select OP-specific ID: http://specs.openid.net/auth/2.0/identifier_select
    - Return URL: http://myserver.com/testO/servlet/ep.blank...mp;openIdResp=y matches realm: http://myserver.com/testO/servlet/ep.blank...mp;openIdResp=y
    - Yadis discovery succeeded on http://myserver.com/testO/servlet/ep.blank...mp;openIdResp=y
    - Return URL: http://myserver.com/testO/servlet/ep.blank...mp;openIdResp=y matches realm: http://myserver.com/testO/
    - Return URL: http://myserver.com/testO/servlet/ep.blank...mp;openIdResp=y matched discovered RP endpoint: http://myserver.com/testO/
    - Return URL: http://myserver.com/testO/servlet/ep.blank...mp;openIdResp=y matches realm: http://myserver.com/testO/servlet/ep.blank...mp;openIdResp=y
    - Yadis discovery succeeded on http://myserver.com/testO/servlet/ep.blank...mp;openIdResp=y
    - Return URL: http://myserver.com/testO/servlet/ep.blank...mp;openIdResp=y matches realm: http://myserver.com/testO/
    - Return URL: http://myserver.com/testO/servlet/ep.blank...mp;openIdResp=y matched discovered RP endpoint: http://myserver.com/testO/
    - Verifying authentication response...
    - Received positive auth response.
    - Starting discovery on URL identifier: https://me.yahoo.com/a/Cql4tXgUpfLuruBICxEp...tgscnHW9Fo.1w--
    - Creating transaction G211079
    - Yadis discovery succeeded on https://me.yahoo.com/a/Cql4tXgUpfLuruBICxEp...tgscnHW9Fo.1w--
    - Using Yadis normalized URL as claimedID: https://me.yahoo.com/a/Cql4tXgUpfLuruBICxEp...tgscnHW9Fo.1w--
    - Discovered 1 OpenID endpoints.
    - No association found, contacting the OP for direct verification...
    - Going to buffer response body of large or unknown size. Using getResponseBodyAsStream instead is recommended.
    - Verification failed for: null reason: Direct signature verification failed.

    By the way, the server isn't really called "myserver.com", it's on a publicly accessible web address as it should be, I've just edited the logs to remove the business name and save myself some embarrassment.
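
The log above ends at the direct verification step, which OpenID Authentication 2.0 defines as a `check_authentication` POST to the OP endpoint. The following is an added example (Java 10 or later), not code from the post or from openid4java; the class and method names are hypothetical and every assertion value except the OP endpoint is constructed.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class DirectVerificationExample {
    // Body of the check_authentication POST: exact copies of every openid.* field
    // of the positive assertion, with only openid.mode replaced.
    static String requestBody(Map<String, String> assertion) {
        StringBuilder body = new StringBuilder();
        for (Map.Entry<String, String> field : assertion.entrySet()) {
            String key = field.getKey();
            if (!key.startsWith("openid.")) continue; // the RP's own parameters stay out
            String value = key.equals("openid.mode") ? "check_authentication" : field.getValue();
            if (body.length() > 0) body.append('&');
            body.append(URLEncoder.encode(key, StandardCharsets.UTF_8)).append('=')
                .append(URLEncoder.encode(value, StandardCharsets.UTF_8));
        }
        return body.toString();
    }

    // The OP answers in key-value form ("key:value\n"). Accept the assertion only
    // on the exact line is_valid:true; anything else, including no line, fails closed.
    static boolean signatureConfirmed(String keyValueReply) {
        for (String line : keyValueReply.split("\n")) {
            int colon = line.indexOf(':');
            if (colon > 0 && line.substring(0, colon).equals("is_valid")) {
                return line.substring(colon + 1).equals("true");
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed assertion values; only the OP endpoint is taken from the log above.
        Map<String, String> assertion = new LinkedHashMap<>();
        assertion.put("openid.ns", "http://specs.openid.net/auth/2.0");
        assertion.put("openid.mode", "id_res");
        assertion.put("openid.op_endpoint", "https://open.login.yahooapis.com/openid/op/auth");
        assertion.put("openid.return_to", "http://rp.example/return?a=1&openIdResp=y");
        assertion.put("openid.assoc_handle", "constructed-handle");
        assertion.put("openid.signed", "op_endpoint,return_to,assoc_handle");
        assertion.put("openid.sig", "Y29uc3RydWN0ZWQ=");
        assertion.put("openIdResp", "y"); // RP's own parameter, not sent to the OP
        System.out.println(requestBody(assertion));
        System.out.println(signatureConfirmed("ns:http://specs.openid.net/auth/2.0\nis_valid:true\n"));
        System.out.println(signatureConfirmed("is_valid:false\n"));
    }
}
```

The OP recomputes the signature over the fields it is sent, so any field value changed between receipt and this POST yields `is_valid:false`.
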
  • Hi,

    My attempt to use Yahoo openid is failing at the moment. It was working a couple of days earlier.

    The discovery URL provided is http://www.yahoo.com/

    See the log below:


    - Starting discovery on URL identifier: http://www.yahoo.com/
    - Yadis discovery succeeded on http://www.yahoo.com/
    - Using Yadis normalized URL as claimedID: http://www.yahoo.com/
    - Ignoring invalid OP endpoint URL in XRDS file: <?xml version="1.0" encoding="UTF-8"?>
    <URI/>

    java.lang.IllegalArgumentException: URI is not absolute
    at java.net.URI.toURL(URI.java:1080)
    at org.openid4java.discovery.Discovery.extractDiscoveryInformation(Discovery.java:256)
    at org.openid4java.discovery.Discovery.discover(Discovery.java:146)
    at org.openid4java.discovery.Discovery.discover(Discovery.java:115)
    at org.openid4java.consumer.ConsumerManager.discover(ConsumerManager.java:540)
    at com.hravni.openid.servlet.ConsumerRedirectServlet.authRequest(ConsumerRedirectServlet.java:83)
    at com.hravni.openid.servlet.ConsumerRedirectServlet.generateLoginForm(ConsumerRedirectServlet.java:66)
    at com.hravni.openid.servlet.ConsumerRedirectServlet.doPost(ConsumerRedirectServlet.java:59)
    at com.hravni.openid.servlet.ConsumerRedirectServlet.doGet(ConsumerRedirectServlet.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Thread.java:595)
    - No OpenID service types found in the XRDS.
    - No OpenID service endpoints discovered through Yadis; attempting HTML discovery...
    - HTML discovery completed on: http://www.yahoo.com/
    - Discovered 0 OpenID endpoints.
    - Association attempt, but no discovey endpoints provided.



    Watching HTTP headers, I get the URL for XRDS as:

    X-XRDS-Location: http://open.logn.yahooapis.com/openid20/www.yahoo.com/xrds


    And when I download the Yahoo XRDS document using browser, I see the following content:

    <?xml version="1.0" encoding="UTF-8"?>
    <xrds:XRDS
        xmlns:xrds="xri://$xrds"
        xmlns:openid="http://openid.net/xmlns/1.0"
        xmlns="xri://$xrd*($v*2.0)">
      <XRD>
        <Service priority="0">
          <Type>http://specs.openid.net/auth/2.0/server</Type>
          <Type>http://specs.openid.net/extensions/pape/1.0</Type>
          <Type>http://openid.net/sreg/1.0</Type>
          <Type>http://openid.net/extensions/sreg/1.1</Type>
          <URI>https://open.login.yahooapis.com/openid/op/auth</URI>
        </Service>
      </XRD>
    </xrds:XRDS>



    I am at a loss to understand what has changed or what I am doing wrong.

    Can anyone throw some light on this?

    Regards,
    Harsha
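
The stack trace above is thrown on an empty `<URI/>` element in the XRDS. The following is an added example, not code from the post or from openid4java, of an RP-side check that parses an XRDS with DOCTYPEs refused and keeps only absolute http(s) OP endpoints; the class and method names are hypothetical and the sample document is constructed.

```java
import java.io.ByteArrayInputStream;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class XrdsEndpointCheck {
    static final String XRD_NS = "xri://$xrd*($v*2.0)";
    static final String OP_TYPE = "http://specs.openid.net/auth/2.0/server";
    // Return only absolute http(s) endpoints from Services typed as an OpenID 2.0 OP.
    static List<URI> opEndpoints(String xrds) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The XRDS comes from a remote host: refuse DOCTYPEs (XXE, entity expansion).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element root = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xrds.getBytes(StandardCharsets.UTF_8))).getDocumentElement();
        List<URI> endpoints = new ArrayList<>();
        NodeList services = root.getElementsByTagNameNS(XRD_NS, "Service");
        for (int i = 0; i < services.getLength(); i++) {
            Element svc = (Element) services.item(i);
            if (!texts(svc, "Type").contains(OP_TYPE)) continue;
            for (String text : texts(svc, "URI")) {
                try {
                    URI u = new URI(text); // "" (an empty <URI/>) parses, with no scheme or host
                    boolean web = "https".equalsIgnoreCase(u.getScheme()) || "http".equalsIgnoreCase(u.getScheme());
                    if (web && u.getHost() != null) endpoints.add(u);
                } catch (URISyntaxException e) { /* malformed entry: skip it */ }
            }
        }
        return endpoints;
    }

    // Trimmed text of each descendant element with the given local name.
    static List<String> texts(Element parent, String localName) {
        List<String> out = new ArrayList<>();
        NodeList nodes = parent.getElementsByTagNameNS(XRD_NS, localName);
        for (int i = 0; i < nodes.getLength(); i++) out.add(nodes.item(i).getTextContent().trim());
        return out;
    }
    public static void main(String[] args) throws Exception {
        // Constructed, reduced sample: one empty <URI/>, one endpoint as in the XRDS quoted above.
        String xrds = "<XRD xmlns=\"" + XRD_NS + "\"><Service><Type>" + OP_TYPE + "</Type><URI/></Service>"
            + "<Service><Type>" + OP_TYPE + "</Type>"
            + "<URI>https://open.login.yahooapis.com/openid/op/auth</URI></Service></XRD>";
        System.out.println(opEndpoints(xrds));
    }
}
```
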
