I'm writing a Relying Party, and use the Google provider. Yadis leads me to https://www.google.com/accounts/o8/ud, I create an association, and redirect the user's browser to that URL (HTTP 307), and fill in the following query parameters:

  • openid.ns: http://specs.openid.net/auth/2.0
  • openid.mode: checkid_setup
  • openid.assoc_handle: value_received_from_association,
  • openid.return_to: http://my_host:and_port/?returned=1

AFAICT, I have filled out everything I'm supposed to provide, yet my user's browser gets a page from Google which says "The page you requested is invalid". In what way?

+1  A: 

Have you set up RP discovery for your site yet? That's something else you need to do, and Google might be enforcing it now.

http://blog.nerdbank.net/2008/06/why-yahoo-says-your-openid-site.html

Andrew Arnott
How could this possibly work? The only URL I give to Google is the return_to URL, and I know for a fact that Google is not trying to access it.
Martin v. Löwis
+2  A: 

The error was literally triggered by not including the openid.claimed_id and openid.identity parameters, which must be set to "http://specs.openid.net/auth/2.0/identifier_select". With these set, I get another error, which can be resolved by also filling out openid.realm, with the same value as openid.return_to.

Even though I also implemented RP discovery, Google does not appear to use it.

Martin v. Löwis
Oh ya, don't know how I missed that. :) Actually, the OpenID spec allows for the absence of `openid.claimed_id` and `openid.identity`, but Google and most OPs don't actually support that behavior.
Andrew Arnott
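
The request the second answer arrives at, as an added example (not code from the original posts): it builds the `checkid_setup` redirect with `openid.claimed_id`, `openid.identity` and `openid.realm` set, and refuses to build it unless `return_to` is covered by the realm under the matching rules of OpenID 2.0 section 9.2. The host `rp.example`, the association handle and the function names are constructed for illustration.

```python
from urllib.parse import urlencode, urlsplit

OPENID2_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = OPENID2_NS + "/identifier_select"
DEFAULT_PORTS = {"http": 80, "https": 443}


def _port(parts):
    return parts.port or DEFAULT_PORTS.get(parts.scheme)


def return_to_matches_realm(realm, return_to):
    """True if return_to falls inside realm (scheme, port, host, path)."""
    if "#" in realm:                      # a realm must not carry a fragment
        return False
    wildcard = "://*." in realm           # e.g. http://*.rp.example/
    r = urlsplit(realm.replace("://*.", "://", 1))
    u = urlsplit(return_to)
    if r.scheme not in DEFAULT_PORTS or not r.hostname or not u.hostname:
        return False
    if (r.scheme, _port(r)) != (u.scheme, _port(u)):
        return False
    host_ok = u.hostname == r.hostname or (
        wildcard and u.hostname.endswith("." + r.hostname))
    r_path, u_path = r.path or "/", u.path or "/"
    # Equal path or a sub-directory of it; "/app" must not match "/application".
    prefix = r_path if r_path.endswith("/") else r_path + "/"
    path_ok = u_path == r_path or u_path.startswith(prefix)
    return host_ok and path_ok


def build_checkid_setup_url(op_endpoint, assoc_handle, return_to, realm=None):
    """Build the redirect URL for an identifier_select authentication request."""
    realm = realm or return_to            # the answer reuses return_to as the realm
    if not return_to_matches_realm(realm, return_to):
        raise ValueError("openid.return_to is not covered by openid.realm")
    params = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.assoc_handle": assoc_handle,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    sep = "&" if urlsplit(op_endpoint).query else "?"
    return op_endpoint + sep + urlencode(params)
```
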