Last step of OpenID verification, always returned "is_valid:false"

Question

Problem I'm trying to get LightOpenID to work with a Google Apps Enterprise account. I was getting "No servers found!" when I called validate(). I mocked up a quick page to test each step of LightOpenID and I've gotten a little farther, now always getting "is_valid:false".

What I've Done So Far In working through validate() and discover() line by line, I noticed that certain openid->data[] (think "openid_*") values were not making it into the final params array (think "openid.*") so in my example below I coded those in explicitly. I can't tell if I'm always getting is_valid:false because I'm missing an openid.something value or if because OpenID says the Provider is only supposed to validate each nonce once or something else.

How You Can Help Me If you've gotten this far, I could use one of two things. Either point out mistake(s) in my sample code or give me a process you've used to test this sort of thing. Do I really have to logout/back in each time I want to test the validation/verification step? Are there any tools or processes that speed up this kind of tinkering?

EXAMPLE CODE I replaced my domain with example.com. Let me know if you want any output. Thanks, Eric B.

try {
    $openid = new LightOpenID;
    if(!$openid->mode) {
        if(isset($_GET['login'])) {
            //$openid->identity = 'https://www.google.com/accounts/o8/id';
            $openid->identity = 'https://www.google.com/accounts/o8/site-xrds?hd=example.com';
            header('Location: ' . $openid->authUrl());
        }
?>
<form action="?login" method="post">
    <button>Login with Google</button>
</form>
<?php
    } elseif($openid->mode == 'cancel') {
        echo 'User has canceled authentication!';
    } else {
$tClaimedID = 'https://www.google.com/a/example.com/o8/ud?be=o8';
$openid->data['openid_claimed_id'] = $tClaimedID;

foreach (explode(',',$openid->data['openid_signed']) as $item) {
  $value = $openid->data['openid_'.str_replace('.','_',$item)];
  $params['openid.'.$item] = get_magic_quotes_gpc()?stripslashes($value):$value;
}
$params['openid.mode'] = 'check_authentication';
$params['openid.ns'] = $openid->data['openid_ns'];
$params['openid.signed'] = $openid->data['openid_signed'];
$params['openid.sig'] = $openid->data['openid_sig'];

$tBody2 = $openid->request($tClaimedID,'POST',$params);
echo "\n\n tBody2: ".$tBody2." \n\n";

    }
} catch(ErrorException $e) {
    echo $e->getMessage();
}

Answer 1

LightOpenID is looking for /openid on your server in search of an XRDS document.

Add the following in whatever responds to your /openid document:

<?php
  header('X-XRDS-Location: https://www.google.com/accounts/o8/site-xrds?hd=example.com');
?>

The reason it that after you try to log in, google returns an identity. This identity must be discovered, to see if it points at the valid openid provider (so that it's not spoofing them). Since Gogole returns identities in your domain, you have to add an information that Google is authorized to issue them. The information must be at /openid, since the identities are in the form: http://example.com/openid?[...]. Otherwise, LightOpenID opens that url, sees nothing pointing at any server, and returns "No servers found!".

Answer 2

Hi I am facing same problem and solve it :), you should need to disable safe mode : off, that's working for me :)