UPDATE

I managed to get it working although I'm not quite sure why ;) It seems like python-openid uses a POST-request to issue the openid mode=associate and for some reason Google doesn't like that. When I patched python-openid to use a GET-request instead everything worked fine. I'll continue my investigation and update this post when I have more information. Below is the diff for my change.

--- python-openid-2.2.1.orig/openid/consumer/consumer.py
+++ python-openid-2.2.1/openid/consumer/consumer.py
@@ -229,6 +229,20 @@
     # Process response in separate function that can be shared by async code.
     return _httpResponseToMessage(resp, server_url)

+def makeKVGet(request_message, server_url):
+    """Make a Direct Request to an OpenID Provider and return the
+    result as a Message object.
+
+    @raises openid.fetchers.HTTPFetchingError: if an error is
+        encountered in making the HTTP post.
+
+    @rtype: L{openid.message.Message}
+    """
+    # XXX: TESTME
+    resp = fetchers.fetch(request_message.toURL(server_url))
+
+    # Process response in separate function that can be shared by async code.
+    return _httpResponseToMessage(resp, server_url)

 def _httpResponseToMessage(response, server_url):
     """Adapt a POST response to a Message.
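Review bot: makeKVGet is a copy of makeKVPost with only the fetch call changed, and the copied docstring still says "encountered in making the HTTP post" while the body issues a GET via request_message.toURL(server_url); fix the docstring and remove the `# XXX: TESTME` marker before this is merged. OpenID 2.0 specifies direct requests, association included, as HTTP POST, so a GET also moves every association parameter into the URL, where proxies and access logs record it; if one provider needs different handling it should be isolated rather than becoming a second general-purpose transport.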
@@ -682,6 +696,7 @@
         return True

     _makeKVPost = staticmethod(makeKVPost)
+    _makeKVGet = staticmethod(makeKVGet)

     def _checkSetupNeeded(self, message):
         """Check an id_res message to see if it is a
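Review bot: adding `_makeKVGet = staticmethod(makeKVGet)` beside `_makeKVPost` leaves two transports on the class with nothing choosing between them, so every call site has to hard-code one; a single `_makeKVRequest` taking the method, or a flag on the consumer, would keep the choice in one place and make the GET workaround easy to revert.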
@@ -1258,7 +1273,7 @@
             endpoint, assoc_type, session_type)

         try:
-            response = self._makeKVPost(args, endpoint.server_url)
+            response = self._makeKVGet(args, endpoint.server_url)
         except fetchers.HTTPFetchingError, why:
             oidutil.log('openid.associate request failed: %s' % (why[0],))
             return None
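Review bot: this switches the association request to GET for every endpoint, not only the Google Apps endpoint the update describes, and the except clause still only reports `why[0]`, so the 501-with-HTML-body case from the log above would still surface as "bad status code" with no record of which method was used; log the status and method here so a provider that rejects one verb is visible, and scope the GET path to the failing provider rather than the default association call.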

Old question, preserved for context

I've been trying desperately to get the trac-authopenid plugin to work but with no luck.

We use Google Apps Premier at work so I'm trying to get OpenID auth working with that. I think I've set up all the required stuff (XRDS and such) as far as Google is concerned and I've gotten it to work fine with apache2 + mod-auth-openid as well as using it on other sites (SO for example).

But I can't seem to get it to work with trac-authopenid. I get redirected (via a form post, not a redirect as usual) to Google where I get to log in but when I return the plugin simply states that validation failed.

If I turn on debug logging I get this (I've replaced our domain name with example.com):

2010-01-27 12:21:15,811 Trac[authopenid] DEBUG: beginning OpenID authentication.
2010-01-27 12:21:16,866 Trac[authopenid] DEBUG: kvToSeq warning: Line 1 does not contain a colon: '<HTML>\n<HEAD>\n<TITLE>Not Implemented</TITLE>\n</HEAD>\n
2010-01-27 12:21:16,866 Trac[authopenid] DEBUG: kvToSeq warning: Line 2 does not contain a colon: '<HTML>\n<HEAD>\n<TITLE>Not Implemented</TITLE>\n</HEAD>\n
2010-01-27 12:21:16,866 Trac[authopenid] DEBUG: kvToSeq warning: Line 3 does not contain a colon: '<HTML>\n<HEAD>\n<TITLE>Not Implemented</TITLE>\n</HEAD>\n
    ... snipped, repeats until line 9...
2010-01-27 12:21:16,867 Trac[authopenid] DEBUG: openid.associate request failed: bad status code from server https://www.google.com/a/example.com/o8/ud?be=
2010-01-27 12:21:16,868 Trac[authopenid] DEBUG: _get_trust_root href: /trac
2010-01-27 12:21:16,868 Trac[authopenid] DEBUG: _get_trust_root abs_href: https://developer.example.com/trac
2010-01-27 12:21:16,868 Trac[authopenid] DEBUG: _get_trust_root href: /trac
2010-01-27 12:21:16,868 Trac[authopenid] DEBUG: _get_trust_root abs_href: https://developer.example.com/trac
2010-01-27 12:21:16,869 Trac[authopenid] DEBUG: Generated checkid_setup request to https://www.google.com/a/example.com/o8/ud?be=o8 using stateless mode.
2010-01-27 12:21:18,068 Trac[main] DEBUG: Dispatching <Request "GET u'/openidprocess'">
2010-01-27 12:21:18,075 Trac[session] DEBUG: Retrieving session for ID '25a842642693232301aad341'
2010-01-27 12:21:18,078 Trac[authopenid] DEBUG: Error attempting to use stored discovery information: <openid.consumer.consumer.TypeURIMismatch: Required ty
2010-01-27 12:21:18,078 Trac[authopenid] DEBUG: Attempting discovery to verify endpoint
2010-01-27 12:21:18,078 Trac[authopenid] DEBUG: Performing discovery on http://example.com/openid?id=113663311178245814720
2010-01-27 12:21:18,121 Trac[authopenid] DEBUG: Received id_res response from https://www.google.com/a/example.com/o8/ud?be=o8 using association AOQobUefon
2010-01-27 12:21:18,121 Trac[authopenid] DEBUG: Using OpenID check_authentication
2010-01-27 12:21:18,121 Trac[authopenid] DEBUG: op_endpoint
2010-01-27 12:21:18,121 Trac[authopenid] DEBUG: claimed_id
2010-01-27 12:21:18,121 Trac[authopenid] DEBUG: identity
2010-01-27 12:21:18,122 Trac[authopenid] DEBUG: return_to
2010-01-27 12:21:18,122 Trac[authopenid] DEBUG: response_nonce
2010-01-27 12:21:18,122 Trac[authopenid] DEBUG: assoc_handle
2010-01-27 12:21:18,576 Trac[authopenid] DEBUG: kvToSeq warning: Line 1 does not contain a colon: '<HTML>\n<HEAD>\n<TITLE>Not Implemented</TITLE>\n</HEAD>\n
2010-01-27 12:21:18,577 Trac[authopenid] DEBUG: kvToSeq warning: Line 2 does not contain a colon: '<HTML>\n<HEAD>\n<TITLE>Not Implemented</TITLE>\n</HEAD>\n
2010-01-27 12:21:18,577 Trac[authopenid] DEBUG: kvToSeq warning: Line 3 does not contain a colon: '<HTML>\n<HEAD>\n<TITLE>Not Implemented</TITLE>\n</HEAD>\n
    ... snipped, repeats until line 9...
2010-01-27 12:21:18,578 Trac[authopenid] DEBUG: check_authentication failed: bad status code from server https://www.google.com/a/example.com/o8/ud?be=o8: 501

I tried writing some code directly against the python-openid library in order to narrow it down a little but I'm clueless. I've been able to reproduce the error with this code snippet:

from openid.store.memstore import MemoryStore
from openid.consumer import consumer

# Any dict-like object serves as the session; the store holds associations.
session = {'id': 'foobar'}
store = MemoryStore()
# Bound to a new name so the imported consumer module is not shadowed.
oid_consumer = consumer.Consumer(session, store)
# begin() performs discovery on the XRDS URL and then tries to associate with the OP.
oid_consumer.begin('https://www.google.com/accounts/o8/site-xrds?hd=example.com')

Which consistently outputs

kvToSeq warning: Line 1 does not contain a colon: '<HTML>\n<HEAD>\n<TITLE>Not Implemented</TITLE>\n</HEAD>\n<BODY BGCOLOR="#FFFFFF" TEXT="#000000">\n<H1>Not Implemented</H1>\n<H2>Error 501</H2>\n</BODY>\n</HTML>\n'
kvToSeq warning: Line 2 does not contain a colon: '<HTML>\n<HEAD>\n<TITLE>Not Implemented</TITLE>\n</HEAD>\n<BODY BGCOLOR="#FFFFFF" TEXT="#000000">\n<H1>Not Implemented</H1>\n<H2>Error 501</H2>\n</BODY>\n</HTML>\n'
kvToSeq warning: Line 3 does not contain a colon: '<HTML>\n<HEAD>\n<TITLE>Not Implemented</TITLE>\n</HEAD>\n<BODY BGCOLOR="#FFFFFF" TEXT="#000000">\n<H1>Not Implemented</H1>\n<H2>Error 501</H2>\n</BODY>\n</HTML>\n'
... snip ...
openid.associate request failed: bad status code from server https://www.google.com/a/example.com/o8/ud?be=o8: 501

Some version numbers:

Python 2.6.2
trac-authopenid 0.1.6
python-openid 2.2.1

I'm at a complete loss and I could really use some help.
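The "does not contain a colon" warnings in the log are what a key-value parser produces when it is handed an HTML 501 page instead of a KV-form response. The following is an added example (not code from python-openid, trac-authopenid, or the question) of checking the HTTP status and the required association fields before trusting the parsed result; the sample bodies are constructed, with the HTML taken from the log quoted above.

```python
# Added example: check status first, then KV form, then the required fields.

def kv_to_dict(body):
    """Parse OpenID key-value form (one "key:value" per line).

    Returns (fields, bad_line_numbers); lines without a colon are not
    errors here but are reported so the caller can decide."""
    fields, bad_lines = {}, []
    for lineno, line in enumerate(body.splitlines(), 1):
        if not line.strip():
            continue
        if ':' not in line:
            bad_lines.append(lineno)
            continue
        key, value = line.split(':', 1)
        fields[key.strip()] = value.strip()
    return fields, bad_lines

# Fields every successful association response carries (OpenID 2.0, section 8.2.1).
REQUIRED = ('ns', 'assoc_handle', 'session_type', 'assoc_type', 'expires_in')

def check_association_response(status, body):
    """Return (fields, None) for a usable response, else (None, reason).

    200 carries a normal response, 400 a KV-form error from the provider;
    anything else (the 501 in the question) is rejected before parsing."""
    if status not in (200, 400):
        return None, 'bad status code from server: %d' % status
    fields, bad_lines = kv_to_dict(body)
    if bad_lines:
        return None, 'not KV form, lines without a colon: %s' % bad_lines
    if status == 400:
        return None, 'provider error: %s' % fields.get('error', 'unspecified')
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        return None, 'missing fields: %s' % ', '.join(missing)
    return fields, None

# Constructed samples: the HTML body quoted in the question and a minimal
# well-formed association response with placeholder values.
HTML_501 = ('<HTML>\n<HEAD>\n<TITLE>Not Implemented</TITLE>\n</HEAD>\n'
            '<BODY>\n<H1>Not Implemented</H1>\n<H2>Error 501</H2>\n'
            '</BODY>\n</HTML>\n')
GOOD_KV = ('ns:http://specs.openid.net/auth/2.0\n'
           'assoc_handle:{HMAC-SHA1}{constructed}\n'
           'session_type:no-encryption\nassoc_type:HMAC-SHA1\n'
           'expires_in:1209600\nmac_key:ZGVtby1rZXk=\n')
```

Run against HTML_501 the parser reports nine colon-less lines, matching the "repeats until line 9" in the log, but only if the 501 status is ignored first.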

+1  A: 

Okay. I don't have an Apps account so I can't test logging in, but I can successfully associate with an apps domain with python-openid 2.2.4. Here's a little debugging tool for making association requests: http://gist.github.com/288560

Your patch should not have fixed things; associate requests are always POSTs. And the Ruby library also always POSTs, so unless rpxnow has made some unusual modifications, rpxnow shouldn't work when python-openid fails here.

I was about to ask you about the openid.store on your install, but if your minimal example with the MemoryStore reproduces it, that's not it.

I guess the only thing left I have for you is to suggest that you ask Google Apps customer support.

keturn
This is really helpful! Something has changed between 2.2.1 and 2.2.4. Both mine and your code fail on a pristine 2.2.1 but work on 2.2.4. Sweet. I've got it working now. Adding AX support to trac-authopenid enabled me to use our official email addresses as Trac usernames. A carefully crafted whitelist ensures that only company accounts can sign in, and a default OpenID + permredirect makes users auto-login when they visit the site. I've got to write a blog entry about this ;) But I digress. What I meant to say was thanks a lot!
Markus Olsson