We are attempting to implement OpenID (as a relying party) using the OpenID jQuery plugin (like StackOverflow) and DotNetOpenAuth.

We can't get AOL to work. DotNetOpenAuth redirects using http://openid.aol.com/{username} just fine, but when we successfully authenticate and it redirects back to our site, this code is run: (abbreviated)

using (OpenIdRelyingParty openid = new OpenIdRelyingParty())
{
    // Not sure if we want to stick with this, just trying to get it to WORK once
    openid.SecuritySettings.MinimumRequiredOpenIdVersion = ProtocolVersion.V10;
    openid.SecuritySettings.RejectUnsolicitedAssertions = false;

    IAuthenticationResponse resp = openid.GetResponse();

    // Results:
    // resp.Status == AuthenticationStatus.Failed
    // resp.Exception == DotNetOpenAuth.Messaging.ProtocolException
    // resp.Exception.Message == "Unsolicited assertions are not allowed from 1.0 OpenID Providers."
}

Does anyone know what would cause this? I find it hard to search for what an unsolicited assertion even IS. Or documentation about what version of OpenID it is that AOL supports.

EDIT: Requested log4net logs, here they are:

2010-02-01 09:04:45,217 (GMT-6) [12] INFO  DotNetOpenAuth - DotNetOpenAuth, Version=3.3.1.9337, Culture=neutral, PublicKeyToken=2780ccd10d57b246 (official)
2010-02-01 09:04:45,246 (GMT-6) [12] INFO  DotNetOpenAuth.Messaging.Channel - Scanning incoming request for messages: http://dev.seekitlocal.com/user/login.aspx?ReturnUrl=http%3A//dev.seekitlocal.com/
2010-02-01 09:04:45,254 (GMT-6) [12] DEBUG DotNetOpenAuth.Messaging.Channel - Incoming HTTP request: GET http://dev.seekitlocal.com/user/login.aspx?ReturnUrl=http%3A//dev.seekitlocal.com/
2010-02-01 09:04:56,448 (GMT-6) [10] DEBUG DotNetOpenAuth.Http - HTTP GET http://openid.aol.com/DuctTapeNT
2010-02-01 09:04:56,588 (GMT-6) [10] DEBUG DotNetOpenAuth.Yadis - Total services discovered in HTML: 1
2010-02-01 09:04:56,590 (GMT-6) [10] DEBUG DotNetOpenAuth.Yadis - [{
    ClaimedIdentifier: http://openid.aol.com/DuctTapeNT
    ProviderLocalIdentifier: http://openid.aol.com/DuctTapeNT
    ProviderEndpoint: https://api.screenname.aol.com/auth/openidServer
    OpenID version: 1.1
    Service Type URIs:
        http://openid.net/signon/1.1
},]
2010-02-01 09:04:56,606 (GMT-6) [10] INFO  DotNetOpenAuth.Yadis - Performing discovery on user-supplied identifier: http://openid.aol.com/DuctTapeNT
2010-02-01 09:04:56,616 (GMT-6) [10] DEBUG DotNetOpenAuth.Yadis - Filtering and sorting of endpoints did not affect the list.
2010-02-01 09:04:56,616 (GMT-6) [10] INFO  DotNetOpenAuth.OpenId - Creating authentication request for user supplied Identifier: http://openid.aol.com/DuctTapeNT
2010-02-01 09:04:56,638 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Channel - Preparing to send CheckIdRequest (1.1) message.
2010-02-01 09:04:56,712 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.ExtensionsBindingElement applied to message.
2010-02-01 09:04:56,713 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.RelyingPartySecurityOptions did not apply to message.
2010-02-01 09:04:56,715 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.BackwardCompatibilityBindingElement applied to message.
2010-02-01 09:04:56,716 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.Messaging.Bindings.StandardExpirationBindingElement did not apply to message.
2010-02-01 09:04:56,718 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.SigningBindingElement did not apply to message.
2010-02-01 09:04:56,724 (GMT-6) [10] INFO  DotNetOpenAuth.Messaging.Channel - Prepared outgoing CheckIdRequest (1.1) message for https://api.screenname.aol.com/auth/openidServer: 
    openid.identity: http://openid.aol.com/DuctTapeNT
    openid.return_to: http://dev.seekitlocal.com/user/login.aspx?ReturnUrl=http%3A%2F%2Fdev.seekitlocal.com%2F&dnoa.userSuppliedIdentifier=http%3A%2F%2Fopenid.aol.com%2FDuctTapeNT&dnoa.op_endpoint=https%3A%2F%2Fapi.screenname.aol.com%2Fauth%2FopenidServer&dnoa.claimed_id=http%3A%2F%2Fopenid.aol.com%2FDuctTapeNT
    openid.trust_root: http://*.seekitlocal.com/
    openid.mode: checkid_setup
    openid.ns.sreg: http://openid.net/extensions/sreg/1.1
    openid.sreg.required: 
    openid.sreg.optional: email,fullname,gender,country

2010-02-01 09:04:56,726 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Channel - Sending message: CheckIdRequest
2010-02-01 09:04:56,730 (GMT-6) [10] DEBUG DotNetOpenAuth.Http - Redirecting to https://api.screenname.aol.com/auth/openidServer?openid.identity=http%3A%2F%2Fopenid.aol.com%2FDuctTapeNT&openid.return_to=http%3A%2F%2Fdev.seekitlocal.com%2Fuser%2Flogin.aspx%3FReturnUrl%3Dhttp%253A%252F%252Fdev.seekitlocal.com%252F%26dnoa.userSuppliedIdentifier%3Dhttp%253A%252F%252Fopenid.aol.com%252FDuctTapeNT%26dnoa.op_endpoint%3Dhttps%253A%252F%252Fapi.screenname.aol.com%252Fauth%252FopenidServer%26dnoa.claimed_id%3Dhttp%253A%252F%252Fopenid.aol.com%252FDuctTapeNT&openid.trust_root=http%3A%2F%2F%2A.seekitlocal.com%2F&openid.mode=checkid_setup&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1&openid.sreg.required=&openid.sreg.optional=email%2Cfullname%2Cgender%2Ccountry
2010-02-01 09:05:13,253 (GMT-6) [10] INFO  DotNetOpenAuth.Messaging.Channel - Scanning incoming request for messages: http://dev.seekitlocal.com/user/login.aspx?ReturnUrl=http%3A%2F%2Fdev.seekitlocal.com%2F&dnoa.userSuppliedIdentifier=http%3A%2F%2Fopenid.aol.com%2FDuctTapeNT&dnoa.op_endpoint=https%3A%2F%2Fapi.screenname.aol.com%2Fauth%2FopenidServer&dnoa.claimed_id=http%3A%2F%2Fopenid.aol.com%2FDuctTapeNT&openid.mode=id_res&openid.identity=http%3A%2F%2Fopenid.aol.com%2FDuctTapeNT&openid.assoc_handle=diAyLjAgayAwIG53VldlczRiWWFTR2M2SmYyQXgvN3U3alBvWT0%253D-j5HRXRB1VbPyg48jGKE1Q2MpHpkFkaUaOxWzZ44gUVrIf6wXQo2g2UtSNCbdz6IPS%252BBcrVIrSAI%253D&openid.return_to=http%3A%2F%2Fdev.seekitlocal.com%2Fuser%2Flogin.aspx%3FReturnUrl%3Dhttp%253A%252F%252Fdev.seekitlocal.com%252F%26dnoa.userSuppliedIdentifier%3Dhttp%253A%252F%252Fopenid.aol.com%252FDuctTapeNT%26dnoa.op_endpoint%3Dhttps%253A%252F%252Fapi.screenname.aol.com%252Fauth%252FopenidServer%26dnoa.claimed_id%3Dhttp%253A%252F%252Fopenid.aol.com%252FDuctTapeNT&openid.signed=identity%2Creturn_to&openid.sig=utUiJJNfsRYobq3BiPraBubeI9c%3D
2010-02-01 09:05:13,254 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Channel - Incoming HTTP request: GET http://dev.seekitlocal.com/user/login.aspx?ReturnUrl=http%3A%2F%2Fdev.seekitlocal.com%2F&dnoa.userSuppliedIdentifier=http%3A%2F%2Fopenid.aol.com%2FDuctTapeNT&dnoa.op_endpoint=https%3A%2F%2Fapi.screenname.aol.com%2Fauth%2FopenidServer&dnoa.claimed_id=http%3A%2F%2Fopenid.aol.com%2FDuctTapeNT&openid.mode=id_res&openid.identity=http%3A%2F%2Fopenid.aol.com%2FDuctTapeNT&openid.assoc_handle=diAyLjAgayAwIG53VldlczRiWWFTR2M2SmYyQXgvN3U3alBvWT0%253D-j5HRXRB1VbPyg48jGKE1Q2MpHpkFkaUaOxWzZ44gUVrIf6wXQo2g2UtSNCbdz6IPS%252BBcrVIrSAI%253D&openid.return_to=http%3A%2F%2Fdev.seekitlocal.com%2Fuser%2Flogin.aspx%3FReturnUrl%3Dhttp%253A%252F%252Fdev.seekitlocal.com%252F%26dnoa.userSuppliedIdentifier%3Dhttp%253A%252F%252Fopenid.aol.com%252FDuctTapeNT%26dnoa.op_endpoint%3Dhttps%253A%252F%252Fapi.screenname.aol.com%252Fauth%252FopenidServer%26dnoa.claimed_id%3Dhttp%253A%252F%252Fopenid.aol.com%252FDuctTapeNT&openid.signed=identity%2Creturn_to&openid.sig=utUiJJNfsRYobq3BiPraBubeI9c%3D
2010-02-01 09:05:13,271 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Channel - Incoming request received: PositiveAssertionResponse
2010-02-01 09:05:13,277 (GMT-6) [10] INFO  DotNetOpenAuth.Messaging.Channel - Processing incoming PositiveAssertionResponse (1.1) message:
    openid.identity: http://openid.aol.com/DuctTapeNT
    openid.sig: utUiJJNfsRYobq3BiPraBubeI9c=
    openid.signed: identity,return_to
    openid.assoc_handle: diAyLjAgayAwIG53VldlczRiWWFTR2M2SmYyQXgvN3U3alBvWT0%3D-j5HRXRB1VbPyg48jGKE1Q2MpHpkFkaUaOxWzZ44gUVrIf6wXQo2g2UtSNCbdz6IPS%2BBcrVIrSAI%3D
    openid.return_to: http://dev.seekitlocal.com/user/login.aspx?ReturnUrl=http%3A%2F%2Fdev.seekitlocal.com%2F&dnoa.userSuppliedIdentifier=http%3A%2F%2Fopenid.aol.com%2FDuctTapeNT&dnoa.op_endpoint=https%3A%2F%2Fapi.screenname.aol.com%2Fauth%2FopenidServer&dnoa.claimed_id=http%3A%2F%2Fopenid.aol.com%2FDuctTapeNT
    openid.response_nonce: 2010-02-01T15:05:13Z
    openid.mode: id_res
    ReturnUrl: http://dev.seekitlocal.com/
    dnoa.userSuppliedIdentifier: http://openid.aol.com/DuctTapeNT
    dnoa.op_endpoint: https://api.screenname.aol.com/auth/openidServer
    dnoa.claimed_id: http://openid.aol.com/DuctTapeNT

2010-02-01 09:05:13,282 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.ReturnToSignatureBindingElement did not apply to message.
2010-02-01 09:05:13,286 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.BackwardCompatibilityBindingElement applied to message.
2010-02-01 09:05:13,289 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Verifying incoming PositiveAssertionResponse message signature of: utUiJJNfsRYobq3BiPraBubeI9c=
2010-02-01 09:05:13,307 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Channel - Preparing to send CheckAuthenticationRequest (1.1) message.
2010-02-01 09:05:13,307 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.ExtensionsBindingElement did not apply to message.
2010-02-01 09:05:13,307 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.RelyingPartySecurityOptions did not apply to message.
2010-02-01 09:05:13,307 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.BackwardCompatibilityBindingElement did not apply to message.
2010-02-01 09:05:13,309 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.ReturnToNonceBindingElement did not apply to message.
2010-02-01 09:05:13,310 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.ReturnToSignatureBindingElement did not apply to message.
2010-02-01 09:05:13,312 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.Messaging.Bindings.StandardReplayProtectionBindingElement did not apply to message.
2010-02-01 09:05:13,312 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.Messaging.Bindings.StandardExpirationBindingElement did not apply to message.
2010-02-01 09:05:13,312 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.SigningBindingElement did not apply to message.
2010-02-01 09:05:13,312 (GMT-6) [10] INFO  DotNetOpenAuth.Messaging.Channel - Prepared outgoing CheckAuthenticationRequest (1.1) message for https://api.screenname.aol.com/auth/openidServer: 
    openid.return_to: http://dev.seekitlocal.com/user/login.aspx?ReturnUrl=http%3A%2F%2Fdev.seekitlocal.com%2F&dnoa.userSuppliedIdentifier=http%3A%2F%2Fopenid.aol.com%2FDuctTapeNT&dnoa.op_endpoint=https%3A%2F%2Fapi.screenname.aol.com%2Fauth%2FopenidServer&dnoa.claimed_id=http%3A%2F%2Fopenid.aol.com%2FDuctTapeNT
    openid.mode: check_authentication
    openid.identity: http://openid.aol.com/DuctTapeNT
    openid.sig: utUiJJNfsRYobq3BiPraBubeI9c=
    openid.signed: identity,return_to
    openid.assoc_handle: diAyLjAgayAwIG53VldlczRiWWFTR2M2SmYyQXgvN3U3alBvWT0%3D-j5HRXRB1VbPyg48jGKE1Q2MpHpkFkaUaOxWzZ44gUVrIf6wXQo2g2UtSNCbdz6IPS%2BBcrVIrSAI%3D
    openid.response_nonce: 2010-02-01T15:05:13Z
    ReturnUrl: http://dev.seekitlocal.com/
    dnoa.userSuppliedIdentifier: http://openid.aol.com/DuctTapeNT
    dnoa.op_endpoint: https://api.screenname.aol.com/auth/openidServer
    dnoa.claimed_id: http://openid.aol.com/DuctTapeNT

2010-02-01 09:05:13,312 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Channel - Sending CheckAuthenticationRequest request.
2010-02-01 09:05:13,548 (GMT-6) [10] DEBUG DotNetOpenAuth.Http - HTTP POST https://api.screenname.aol.com/auth/openidServer
2010-02-01 09:05:13,612 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Channel - Received CheckAuthenticationResponse response.
2010-02-01 09:05:13,612 (GMT-6) [10] INFO  DotNetOpenAuth.Messaging.Channel - Processing incoming CheckAuthenticationResponse (1.1) message:
    is_valid: true
    openid.mode: id_res

2010-02-01 09:05:13,613 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.ReturnToSignatureBindingElement did not apply to message.
2010-02-01 09:05:13,613 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.BackwardCompatibilityBindingElement did not apply to message.
2010-02-01 09:05:13,613 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.SigningBindingElement did not apply to message.
2010-02-01 09:05:13,615 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.Messaging.Bindings.StandardExpirationBindingElement did not apply to message.
2010-02-01 09:05:13,616 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.Messaging.Bindings.StandardReplayProtectionBindingElement did not apply to message.
2010-02-01 09:05:13,619 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.ReturnToNonceBindingElement did not apply to message.
2010-02-01 09:05:13,620 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.RelyingPartySecurityOptions did not apply to message.
2010-02-01 09:05:13,624 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.ExtensionsBindingElement did not apply to message.
2010-02-01 09:05:13,625 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Channel - After binding element processing, the received CheckAuthenticationResponse (1.1) message is: 
    is_valid: true
    openid.mode: id_res

2010-02-01 09:05:13,626 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.SigningBindingElement applied to message.
2010-02-01 09:05:13,627 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.Messaging.Bindings.StandardExpirationBindingElement applied to message.
2010-02-01 09:05:13,627 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.Messaging.Bindings.StandardReplayProtectionBindingElement did not apply to message.
2010-02-01 09:05:13,627 (GMT-6) [10] ERROR DotNetOpenAuth.OpenId - Incoming message is expected to have a nonce, but the return_to parameter is not signed.
2010-02-01 09:05:13,629 (GMT-6) [10] ERROR DotNetOpenAuth.Messaging - Protocol error: Unsolicited assertions are not allowed from 1.0 OpenID Providers.
   at DotNetOpenAuth.Messaging.ErrorUtilities.VerifyProtocol(Boolean condition, String message, Object[] args)
   at DotNetOpenAuth.OpenId.ChannelElements.ReturnToNonceBindingElement.ProcessIncomingMessage(IProtocolMessage message)
   at DotNetOpenAuth.Messaging.Channel.ProcessIncomingMessage(IProtocolMessage message)
   at DotNetOpenAuth.OpenId.ChannelElements.OpenIdChannel.ProcessIncomingMessage(IProtocolMessage message)
   at DotNetOpenAuth.Messaging.Channel.ReadFromRequest(HttpRequestInfo httpRequest)
   at DotNetOpenAuth.OpenId.RelyingParty.OpenIdRelyingParty.GetResponse(HttpRequestInfo httpRequestInfo)
   at IDM.Controls.OpenIDLogin.OnInit(EventArgs e)
   at System.Web.UI.Control.InitRecursive(Control namingContainer)
   at System.Web.UI.Control.InitRecursive(Control namingContainer)
   at System.Web.UI.Control.InitRecursive(Control namingContainer)
   at System.Web.UI.Control.InitRecursive(Control namingContainer)
   at System.Web.UI.Control.InitRecursive(Control namingContainer)
   at System.Web.UI.Control.InitRecursive(Control namingContainer)
   at System.Web.UI.Control.InitRecursive(Control namingContainer)
   at System.Web.UI.Control.InitRecursive(Control namingContainer)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.HttpContext.InvokeCancellableCallback(WaitCallback callback, Object state)
   at System.Web.UI.Page.AsyncPageBeginProcessRequest(HttpContext context, AsyncCallback callback, Object extraData)
   at IDM.Components.SILBasePage.BeginProcessRequest(HttpContext context, AsyncCallback cb, Object extraData)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
   at System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception error)
   at System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext context, AsyncCallback cb)
   at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr managedHttpContext, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr managedHttpContext, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr managedHttpContext, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr managedHttpContext, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
A: 

"unsolicited assertion" means that your application thinks AOL sent someone over with an id_res message without your application ever doing a checkid_setup for that identifier. I'll leave it to Andrew to say how DotNetOpenAuth deals with that or AOL.

('cuz it works in Python.)

keturn
+1  A: 

I believe what's going on here is that the OpenIdRelyingParty instance you use to create the authentication request is in stateless ("dumb") mode. That is, you pass null to its constructor, or you set Stateless="true" on one of the ASP.NET controls. But when the authentication response comes back, you process that response with an OpenIdRelyingParty instance that was created in stateful mode (you didn't pass null explicitly to its constructor).

This results in an incompatibility in the authentication response. The request is created with a lower level of security because the state required for that extra security is not available. But when the authentication response comes back, state is available so the security requirements are higher, and the response to the lower-level request is rejected.

It's a good idea to just create one OpenIdRelyingParty instance, store it in a static field somewhere, and then use it for all your logins. It's thread-safe and specifically designed for this. It will help you avoid this kind of problem in the future, and be a bit more performant as well.

By the way, I also expect you are explicitly setting SecuritySettings.MinimumRequiredOpenIdVersion = ProtocolVersion.V10 on the OpenIdRelyingParty instance after creating it, or else I don't think that stateless mode would have permitted working with AOL. Stateless mode RP at your site and OpenID 1.1 Providers are a low-security combination that DotNetOpenAuth defaults to disallowing because the protocol is vulnerable to replay attacks. Just so you know what you're overriding there (if you are in fact doing that).

(Wow. That was a lot of digging in the logs...)

Andrew Arnott
You were right - I was using separate OpenIdRelyingParty instances to initiate and complete the login process, and one of them was not passing null in the constructor. I was operating under the assumption that a class that implements IDisposable should be disposed, so it's good to hear that it's safe to instantiate one static instance. I was using stateless because I was planning for a load-balanced environment - would you recommend implementing an IRelyingPartyApplicationStore in order to achieve safety from attacks with AOL and other OpenID 1.1 providers?
David
I always recommend a state store if you can implement it. Otherwise, I'd leave OpenID 1.1 OP support at its stateless default of off. AOL ought to be about done with their 2.0 OP launch pretty soon here anyway.
Andrew Arnott
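
The fix described in Andrew Arnott's answer, as an added example (not code from the original posts or from the DotNetOpenAuth project): one shared, stateful OpenIdRelyingParty both creates the authentication request and reads the response, so the two halves of the login apply the same security level. The names OpenIdLogin, Begin and Complete are hypothetical, and the code assumes it runs inside an ASP.NET request.

```csharp
using System;
using DotNetOpenAuth.OpenId;
using DotNetOpenAuth.OpenId.RelyingParty;

// Hypothetical helper class; not a DotNetOpenAuth type.
public static class OpenIdLogin
{
    // One instance for the whole application, as the answer recommends.
    // The default constructor gives a stateful relying party. Passing null
    // instead would select stateless ("dumb") mode, and mixing the two modes
    // between request and response is what produced the
    // "Unsolicited assertions are not allowed" failure in the question.
    // In a load-balanced deployment, pass a shared
    // IRelyingPartyApplicationStore implementation to the constructor here
    // so every server sees the same state.
    private static readonly OpenIdRelyingParty RelyingParty =
        new OpenIdRelyingParty();

    // Step 1: called from the login form handler.
    // The SecuritySettings overrides from the question
    // (MinimumRequiredOpenIdVersion, RejectUnsolicitedAssertions) are
    // deliberately not repeated here.
    public static void Begin(string userSuppliedIdentifier)
    {
        IAuthenticationRequest request =
            RelyingParty.CreateRequest(Identifier.Parse(userSuppliedIdentifier));
        request.RedirectToProvider();
    }

    // Step 2: called on the return_to page. Returns the claimed identifier
    // on success, or null when the request carries no OpenID response or
    // the user cancelled at the provider.
    public static Identifier Complete()
    {
        IAuthenticationResponse response = RelyingParty.GetResponse();
        if (response == null)
        {
            return null; // ordinary page load, no OpenID message present
        }

        switch (response.Status)
        {
            case AuthenticationStatus.Authenticated:
                return response.ClaimedIdentifier;
            case AuthenticationStatus.Canceled:
                return null;
            default:
                // Failed: surface the ProtocolException instead of
                // treating the user as logged in.
                throw new InvalidOperationException(
                    "OpenID login failed.", response.Exception);
        }
    }
}
```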