Hi,

I have some trouble using the openid check_authentication. The answer from the openid providers (I tried with google and myopenid) is always: is_valid:false

I do already get the openid.sig and openid.identity but when I try to verify my data with the check_authentication call it always returns is_valid:false.

What I have done so far (authentication with google openid in this example, but for myopenid it was the same):

I redirect the web user from my page to the following url:

https://www.google.com/accounts/o8/ud
?openid.ns=http://specs.openid.net/auth/2.0
&openid.claimed_id=http://specs.openid.net/auth/2.0/identifier_select
&openid.identity=http://specs.openid.net/auth/2.0/identifier_select
&openid.return_to=http://localhost:104/evalgoogle.aspx
&openid.mode=checkid_setup

(Without the line breaks of course, I put them in this post only to keep it readable. localhost:104/evalgoogle.aspx is my local test environment)

I will then get redirected to the google login page where I can sign in and accept that I will login at Localhost. I unchecked the remember checkbox though.

After logging in I will get redirected to the return_to page I set and get the following data in the request:

openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0
&openid.mode=id_res
&openid.op_endpoint=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud
&openid.response_nonce=2010-02-12T14%3A46%3A52Z1PDyxBssEN9p5g
&openid.return_to=http%3A%2F%2Flocalhost%3A104%2Fevalgoogle.aspx
&openid.assoc_handle=AOQobUfpVnBFYzFO15z92rru88nWjEnw0u8ethVscpjDwkssp8GjVc0u
&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to
%2Cresponse_nonce%2Cassoc_handle
&openid.sig=24Hetky5HrNwrY3%2B%2B2vtIGnvmnI%3D
&openid.identity=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3D{SOMEID}
&openid.claimed_id=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3D{SOMEID}

(where {SOMEID} is my google id)

To verify this signature and google id, I composed a webrequest calling the check_authentication as described in openid.net/specs/openid-authentication-1_1.html#mode_check_authentication

My problem now is that this always returned is_valid:false

To eliminate possible problems in my webrequest, I now create just an HTML form with the data I get back from google like this:

<form method="post" action="<%=Request.Params["openid.op_endpoint"] %>">
<div>
<input type="text" name="openid.mode" value="check_authentication" />
<input type="text" name="openid.assoc_handle" value="<%=Request.Params["openid.assoc_handle"] %>" />
<!-- ... -->
</div>
</form>

But this also just yields the is_valid:false

Does anyone have an idea what is wrong with my approach?

Thank you very much

A: 

Ah, I found the problem. I forgot to send back the openid.claimed_id.

Now the check_authentication request does in fact return is_valid:true.

But this leads me to the next question. It does return is_valid:true even if I do the request several times in a row. Shouldn't it return is_valid:false the second time I query to make sure that there can only be one corresponding checkid_setup and check_authentication request?
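
Added example, not part of the original post or of any OpenID library: OpenID Authentication 2.0 requires a check_authentication request to carry exact copies of every field of the id_res response with only openid.mode replaced, and it asks the relying party to reject a response_nonce it has already accepted, whatever the provider answers on a repeated query. The sketch below builds that request body from the question's sample and keeps a relying-party nonce store; the names `build_check_auth`, `is_valid` and `NonceStore`, the five-minute skew window and the `expected_endpoint` argument (the endpoint obtained by discovery) are assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlencode

# Constructed sample: a shortened copy of the id_res query string from the
# question ({SOMEID} is the question's placeholder; "unrelated" is made up).
SAMPLE_QUERY = (
    "openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
    "&openid.mode=id_res"
    "&openid.op_endpoint=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud"
    "&openid.response_nonce=2010-02-12T14%3A46%3A52Z1PDyxBssEN9p5g"
    "&openid.sig=24Hetky5HrNwrY3%2B%2B2vtIGnvmnI%3D"
    "&openid.claimed_id=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3D{SOMEID}"
    "&unrelated=1"
)

def build_check_auth(query, expected_endpoint):
    """Return (endpoint, POST body) for a check_authentication request."""
    fields = {k: v for k, v in parse_qsl(query, keep_blank_values=True)
              if k.startswith("openid.")}
    # Post only to the endpoint found by discovery, never to whatever
    # openid.op_endpoint value arrived in the browser request.
    if fields.get("openid.op_endpoint") != expected_endpoint:
        raise ValueError("op_endpoint does not match the discovered endpoint")
    # Exact copy of every openid.* field; only the mode is replaced.
    fields["openid.mode"] = "check_authentication"
    return expected_endpoint, urlencode(fields)

def is_valid(reply):
    """Parse the OP's Key-Value Form reply ('is_valid:true\\n...')."""
    pairs = dict(line.split(":", 1) for line in reply.splitlines() if ":" in line)
    return pairs.get("is_valid") == "true"

class NonceStore:
    """Relying-party replay guard (hypothetical helper, in-memory only)."""
    def __init__(self, max_skew=timedelta(minutes=5)):  # assumed window
        self.seen, self.max_skew = set(), max_skew

    def accept(self, endpoint, nonce, now):
        # A response_nonce starts with a 20-character UTC timestamp.
        stamp = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ")
        stamp = stamp.replace(tzinfo=timezone.utc)
        if abs(now - stamp) > self.max_skew or (endpoint, nonce) in self.seen:
            return False  # too old, too far in the future, or already used
        self.seen.add((endpoint, nonce))
        return True
```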