New problem with LJ's OpenID Provider support (I think)

[jducoeur]

Howdy, all. I'm new to this community, although an old hand at programming and a fairly longtime LJ user. I *think* I've hit a new bug -- I toss it out here for advice on what to do with it. Keep in mind that I'm pretty new to OpenID, and trying to puzzle out a lot of confusing symptoms

Comments

[pauamma]

Guessing here, but it may have something to do with the introduction of OpenID 2.0 support.

[jducoeur]

Yeah, that's why I'm guessing that the problem started on the 23rd. I'm not certain about it -- CommYou doesn't require frequent re-logins, so I don't know when my last login attempt had been -- but I first encountered the issue on the 24th. So I suspect that the new 2.0 support has changed the output, even for apparently-1.0 interactions...

[tupshin]

We did upgrade our OpenID support from 1.1 to 2.0 on the 23rd, so it is exceedingly likely that we broke it then. We will look into it to see what we can find and get back to you shortly.

[jducoeur]

Cool -- thanks! It's not an immediate crisis (since I've worked around it for now), but it would be good to get it cleared up...

[mart]

LJ isn't actually declaring 2.0 support for any of its identifiers, so really your consumer should be doing 1.1-shaped requests and the op_endpoint argument shouldn't be required. If this isn't working, then this indicates that either OpenID4Java's RP or Net::OpenID::Server's OP (which LJ is running) is failing to support 1.1 correctly. If OpenID4Java is doing a 2.0 request, it'd be interesting if you could find out what's triggering it to do that. If you're doing a 1.1 request and getting back a response with op_endpoint then that's probably a bug at the OP end which I can look at fixing, as a maintainer of that library.

If LJ engineers want to make 2.0 work fully, they'll need to add openid2.provider to the HTML and the equivalent to the Yadis document, and probably fix the MIME type as you say. I'm happy to help if they have any questions about this.

[jducoeur]

If you're doing a 1.1 request and getting back a response with op_endpoint then that's probably a bug at the OP end which I can look at fixing, as a maintainer of that library.

That appears to be what's happening, yes. I can't say I'm 100% certain (like I said, I'm relatively new to both the OpenID protocol and the library), but at the app level it certainly thinks it's doing 1.1 (or, more precisely, pre-2.0), and it's definitely getting an empty op_endpoint back...

[mart]

I just checked in a fix which should prevent op_endpoint from being included in 1.1 responses. Not really sure how you'd test it, though, since LJ is of course still running the bugged version, and I'm guessing you've got better things to do than write a basic Perl OP to test this against.

OpenID4Java is also a bit wrong here too. It shouldn't be processing openid.op_endpoint in the 1.1 case. While I guess you could consider its presence to be an error if you want to be overly pedantic, I think it'd be better to just ignore this extra argument in the 1.1 case. Maybe you can relay that back to the OpenID4Java developers. :)

[jducoeur]

Yeah, that was kind of my feeling as well, but my relationship with the folks over at SXIP (who run OpenID4Java) is very arm's-length -- I'm just a random developer using their open-source library. But I'll mention it on their mailing list.

Thanks for the fix -- when it makes it to release (which I assume will happen eventually), I'll test it out and undo my hack...

[steve_mollmann]

Is this why when I've recently tried to use OpenID on blogger I get told:

Google Error
Bad Request
Your client has issued a malformed or illegal request.

?