
I am using the JanRain library, and implementing code very similar to their server example (essentially creating my own openid provider). I have it working, but when I try to return an identity different from the one specified to the consumer, I get the following error:

Request was for http://example.com/, cannot reply with identity http://example.com/openid/33

In this case, the unique ID/URL is http://example.com/openid/33, while the one specified to the consumer is http://example.com.

I am using something like this:

$request  =  $server->decodeRequest();
// answer($allow, $server_url = null, $identity = null, $claimed_id = null):
// the third argument is the OP-local identity returned, the fourth the claimed identifier
$request->answer( true, null,  $id_url, $request->identity );

I've tried switching around $request->identity and $id_url. I only get the error in the state shown above, and the other state works, but doesn't seem to return the right thing to the consumer. I'm using the OP Simple Registration test found here: http://test-id.org/OP/Sreg.aspx, and when I switch them it works, but I can't find my $id_url anywhere in the logs.

My guess is that I need to be telling the consumer something earlier in the process about the ID differing from the one specified by the end-user, but so far I haven't hit on the right thing to try. I know this is possible, because this is how Yahoo's OpenID works.

Any ideas or suggestions are welcome. Thanks!

livingtech

1 Answer


You are confusing the endpoint URL with the claimed identifier or the OP-local identifier.

The workflow is like this:

  • User enters a user-supplied identifier
  • Consumer performs discovery on it and then it will either have:
    • The provider endpoint URL/version. In this case, the claimed identifier/OP-local identifier will be http://specs.openid.net/auth/2.0/identifier_select
    • The provider endpoint URL, the protocol version, the claimed identifier (the identifier the user supplied) and the OP-local identifier

So you should only provide a new identifier if you got http://specs.openid.net/auth/2.0/identifier_select.

Artefacto
  • So in my case, the endpoint is at `http://example.com/openid`, and I've been specifying that with ``. Should I also be putting `` on that page? I'll try that now. (And should I also replace that with the actual identifier if it is known? IE, if my user is logged in already?) – livingtech Aug 31 '10 at 16:15
  • @livin You can't do it that way. OpenID 2.0 spec, section 7.3.3: "HTML-Based discovery is only usable for discovery of Claimed Identifiers." You have to use XRDS. – Artefacto Aug 31 '10 at 16:23
  • @Artefacto Hmmm... I'm already writing out a header that points to a very simple (static) XRDS document with a `` tag, containing only `` and `` tags in it. If I add `http://specs.openid.net/auth/2.0/identifier_select` to that document, will that work? Is there any point (after discovery) where the XRDS is used and should be different? Thank you for all your help, btw. – livingtech Aug 31 '10 at 17:05
  • @livingtech: No, it won't work. You shouldn't specify LocalID at all, just use `http://specs.openid.net/auth/2.0/server` instead of `http://specs.openid.net/auth/2.0/signon` in the `` tag. See section 7.3.2.1 of the specification for details. – Mewp Aug 31 '10 at 17:16
  • Thanks @Mewp, it does seem like I was specifying the wrong thing there, but I'm STILL getting my original error. `Request was for http://example.com/, cannot reply with identity http://example.com/openid/33` – livingtech Aug 31 '10 at 19:03
  • @livingtech: are you sure that you have configured the library to use `identifier_select` ? (which I have no idea how to do with that library) – Mewp Aug 31 '10 at 19:15
  • @Mewp, I'm definitely NOT sure. It appears (looking through the library code), that I should not be getting this error if the request is specifying `http://specs.openid.net/auth/2.0/identifier_select`, so somehow the consumer request has `http://example.com` as the identifier specified in it. I guess the question becomes... is this my fault somehow? – livingtech Aug 31 '10 at 19:22
  • @livingtech: When an RP encounters an XRDS document with `http://specs.openid.net/auth/2.0/server`, it should send both `claimed_id` and `identity` set to `http://specs.openid.net/auth/2.0/identifier_select`. If it's set to `http://example.com`, then there may be a problem during discovery. Perhaps you haven't properly defined X-XRDS-Location, and the RP has fallen back to HTML discovery? – Mewp Aug 31 '10 at 19:51
  • This is useful info, thanks. Here is my XRDS doc: `https://specs.openid.net/auth/2.0/serverhttp://example.com/openid` (Sorry about the formatting...) Does it look okay to you? Another question: My base domain doesn't actually print the XRDS header. Only my endpoint does that (`http://example.com/openid`) ...is it too late at that point? (This could have been my problem all along.) – livingtech Aug 31 '10 at 20:31
  • Doesn't seem to have been my problem, since I tried just using my endpoint as the claimed-id, and still get the error. – livingtech Aug 31 '10 at 20:39
  • @livingtech: Yes, you have to include the header on the main site -- otherwise, how would the RP know where the XRDS document is? The document itself looks fine to me. Try removing the html tags so that html discovery can't be performed -- then you'll see if the XRDS document is found and read by the RP. – Mewp Aug 31 '10 at 21:11
  • Accepting this answer even though my original issue is still unsolved. Thanks for all the help everyone. – livingtech Sep 08 '10 at 15:35
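Putting the answer's discovery workflow and the comment thread's XRDS advice together, as an added example that is not code from the question or from the php-openid project: an XRDS document of type `server` to advertise from the site root, and endpoint logic that substitutes an OP-chosen identifier only when the request carried `identifier_select`. It assumes php-openid's `Auth_OpenID_CheckIDRequest::idSelect()` and `answer($allow, $server_url, $identity, $claimed_id)`, and uses placeholder values for the store path, endpoint and user identifier.

```php
<?php
// Added example, not code from the question or from the php-openid project.
// Assumes php-openid's Auth_OpenID_Server / Auth_OpenID_CheckIDRequest API;
// $store, $endpoint and $userIdUrl are placeholders for your own values.
require_once 'Auth/OpenID/Server.php';
require_once 'Auth/OpenID/FileStore.php';

$endpoint  = 'http://example.com/openid';                     // OP endpoint URL
$userIdUrl = 'http://example.com/openid/33';                  // logged-in user's OP-local id
$store     = new Auth_OpenID_FileStore('/tmp/openid-store');  // placeholder store

// 1. XRDS to advertise via X-XRDS-Location on http://example.com/ itself, not only
//    on the endpoint. Type ".../server" makes the RP send identifier_select, so no
//    <LocalID> element is needed here.
function opXrds(string $endpoint): string
{
    $uri = htmlspecialchars($endpoint, ENT_XML1);
    return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
         . "<xrds:XRDS xmlns:xrds=\"xri://\$xrds\" xmlns=\"xri://\$xrd*(\$v*2.0)\">\n"
         . "  <XRD>\n    <Service priority=\"0\">\n"
         . "      <Type>http://specs.openid.net/auth/2.0/server</Type>\n"
         . "      <URI>$uri</URI>\n"
         . "    </Service>\n  </XRD>\n</xrds:XRDS>\n";
}

// 2. Only substitute an OP-chosen identifier when the RP asked for identifier_select;
//    otherwise answer with exactly the identity that was requested, or refuse.
function answerCheckId(Auth_OpenID_CheckIDRequest $req, string $userIdUrl, string $endpoint)
{
    if ($req->idSelect()) {                        // identity == identifier_select
        return $req->answer(true, $endpoint, $userIdUrl, $userIdUrl);
    }
    if ($req->identity === $userIdUrl) {           // RP already discovered this user
        return $req->answer(true, $endpoint, $req->identity, $req->claimed_id);
    }
    // Requested identity is not this user's: passing a different $identity here is
    // what produces "Request was for ..., cannot reply with identity ...", so refuse.
    return $req->answer(false, $endpoint);
}

$server  = new Auth_OpenID_Server($store, $endpoint);
$request = $server->decodeRequest();
if ($request instanceof Auth_OpenID_CheckIDRequest) {
    $response = answerCheckId($request, $userIdUrl, $endpoint);
    $web = $server->encodeResponse($response);     // Auth_OpenID_WebResponse
    http_response_code($web->code);
    foreach ($web->headers as $name => $value) { header("$name: $value"); }
    echo $web->body;
}
```

Serve `opXrds($endpoint)` with `Content-Type: application/xrds+xml` at the URL named in the root page's `X-XRDS-Location` header; if the RP still sends `http://example.com` as the identity, it did not find that document and fell back to HTML discovery.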