I'm testing OpenID authentication using python-openid on webpy's development web server. Through Yahoo! and myOpenID, I keep getting a failure response with the message Server denied check_authentication. The strange part is, I also receive the correct openid.identity.

The same type of authentication works fine with Google (@ https://www.google.com/accounts/o8/ud...). On one hand, that gives me confidence that I'm doing something right, but on the other hand, the inconsistency confuses me.

return_to & trust_root are both localhost:8080, which may have something to do with it.

Here's the code I use to send the user to Yahoo! to authenticate:

import web
from openid.consumer.consumer import Consumer
import openid.store.memstore

class Login:  # web.py handler for the login form; class name and `session` assumed
  def POST(self):
    post_data = web.input()
    if post_data.has_key('openid_identifier'):
      openid_identifier = post_data.get('openid_identifier')
      # consumer backed by a MemoryStore, which only lives inside this process
      c = Consumer(session, openid.store.memstore.MemoryStore())
      auth = c.begin(openid_identifier)  # discovery, then an association with the OP
      # realm is http://localhost:8080, return_to is the /authenticate handler
      auth_url = auth.redirectURL('http://localhost:8080', return_to='http://localhost:8080/authenticate')
      raise web.seeother(auth_url)
    return post_data

auth_url in this case is set to (formatted for easy reading):

https://open.login.yahooapis.com/openid/op/auth?
openid.assoc_handle=cYSO3wJSjQa3ewmRpaQz3YodzqjosP1ta.4TVzumqlLpAFM7oWci6K9bMKG4uuqZ.5m.fY7Wp8BWfQ1eR_soHWpJ6gCsKtxi_7Bqi22T5RUcMIuQBVjpGFSjc_kRY2k-&
openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&
openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&
openid.mode=checkid_setup&
openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.realm=http%3A%2F%2Flocalhost%3A8080&
openid.return_to=http%3A%2F%2Flocalhost%3A8080%2Fauthenticate%3Fjanrain_nonce%3D2010-10-08T02%253A56%253A04ZrxAI

Here's what the handler looks like at the return URL:

import web
from openid.consumer.consumer import Consumer, SUCCESS
import openid.store.memstore

class Authenticate:  # handler mounted at /authenticate; class name and `session` assumed
  def GET(self):
    data = web.input()  # the query parameters the OP appended to return_to
    c = Consumer(session, openid.store.memstore.MemoryStore())
    # checks signature, nonce and return_to against the association saved by begin()
    result = c.complete(dict(data), current_url='http://localhost:8080/authenticate')
    if result.status == SUCCESS:
      # data['openid.identity'] is the raw query value; result.identity_url is the verified one
      openid_identity = data.get('openid.identity')
      ...
    render = web.template.render('templates/', base='layout')
    return render.error(...)

result gets set to <openid.consumer.consumer.FailureResponse id=None message='Server denied check_authentication'>, and data (the query parameters on the return) is set like this:

<Storage {'openid.op_endpoint': u'https://open.login.yahooapis.com/openid/op/auth', 
'openid.sig': u'yCHffpHs2Whtw9p1gPzC+ToQJ0k=', 
'openid.ns': u'http://specs.openid.net/auth/2.0', 
'janrain_nonce': u'2010-10-08T02:56:04ZrxAIWh', 
'openid.return_to': u'http://localhost:8080/authenticate?janrain_nonce=2010-10-08T02%3A56%3A04ZrxAIWh', 
'openid.pape.auth_level.nist': u'0', 
'openid.claimed_id': u'https://me.yahoo.com/a/d3eEQZAWydfmtDwaGB2vBEVU4vIMLsez#1ac56', 
'openid.mode': u'id_res', 
'openid.realm': u'http://localhost:8080', 
'openid.response_nonce': u'2010-10-08T02:55:52ZRLNmEd7aWiaGWjHfhqEQs2Fxj3.nXdwciA--', 
'openid.signed': u'assoc_handle,claimed_id,identity,mode,ns,op_endpoint,response_nonce,return_to,signed,pape.auth_level.nist', 
'openid.identity': u'https://me.yahoo.com/a/d3eEQZAWydfmtDwaGB2vBEVU4vIMLsez', 
'openid.assoc_handle': u'cYSO3wJSjQa3ewmRpaQz3YodzqjosP1ta.4TVzumqlLpAFM7oWci6K9bMKG4uuqZ.5m.fY7Wp8BWfQ1eR_soHWpJ6gCsKtxi_7Bqi22T5RUcMIuQBVjpGFSjc_kRY2k-'}>

That sure doesn't look like a failure response to me. Notice that openid.identity is set. And yes, that is my OpenID identity on Yahoo!.

I'm not sure where to take this from here. Any words of advice?

A: 

The consumer needs a data store to maintain state between discovery and authentication. The store I was using, openid.store.memstore.MemoryStore(), did not actually maintain state between requests. It only maintains state within a process -- as you would expect from "memory" (duh). The bit that had to change is the creation of the consumer in both the GET and POST handlers.

Here's the wrong way to create the consumer:

# BAD: MemoryStore() has a short memory -- within the process only
from openid.consumer.consumer import Consumer
import openid.store.memstore
c = Consumer(session, openid.store.memstore.MemoryStore())

And here's the right way to create the consumer:

# GOOD: MySQL has a long memory -- across processes
import web
from openid.consumer.consumer import Consumer
from openid.store import sqlstore

db = web.database(dbn='mysql', db='somedb', user='someuser', pw='')
conn = db._db_cursor().connection  # the raw MySQLdb connection behind web.py's wrapper
# table names must match the openid_associations / openid_nonces tables created below
cstore = sqlstore.MySQLStore(conn, 'openid_associations', 'openid_nonces')
c = Consumer(session, cstore)

I suppose it helps to remember your assoc handles and nonces. I must have been stuck here for 10 hours, so I hope this helps the next guy (or gal) avoid doing the same.

This'll be the first bounty I ever won -- my own. Woot!

Parting note: This assumes you have set up the OpenID tables in your database, which should look like this in MySQL:

create table openid_nonces (
  server_url blob not null,
  timestamp integer not null,
  salt char(40) not null,
  primary key (server_url(255), timestamp, salt)
) engine=InnoDB;

create table openid_associations (
  server_url blob not null,
  handle varchar(255) not null,
  secret blob not null,
  issued integer not null,
  lifetime integer not null,
  assoc_type varchar(64) not null,
  primary key (server_url(255), handle)
) engine=InnoDB;

Check the openid.store.sqlstore section of the documentation for related SQL statements for your specific store.

Mike M. Lin
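Added example, not code from the question, the answer or python-openid: a minimal consumer store built around the two operations the answer's fix depends on, looking up an association by its handle and consuming a response nonce once, on SQLite instead of MySQL but with the same two table names. `MemoryStore`, `SQLiteStore`, `DB_PATH` and `login_round_trip` are assumed names; `login_round_trip` repeats the question's pattern of building a fresh store in each handler, which is what makes the per-process store lose the association and fall back to check_authentication.

```python
import os
import sqlite3
import tempfile

# Constructed, throwaway database file; the answer's MySQL tables play this role.
DB_PATH = os.path.join(tempfile.mkdtemp(), "openid.db")

class MemoryStore(dict):
    """What the question used: associations die with this object, i.e. this process."""
    def store_association(self, server_url, handle, secret):
        self[(server_url, handle)] = secret

    def get_association(self, server_url, handle):
        return self.get((server_url, handle))


class SQLiteStore:
    """What the answer switched to (MySQL there, SQLite here): state outlives the object."""
    def __init__(self, path):
        self.conn = sqlite3.connect(path, isolation_level=None)  # autocommit
        self.conn.executescript(
            "create table if not exists openid_associations (server_url text, handle text,"
            " secret blob, primary key (server_url, handle));"
            "create table if not exists openid_nonces (server_url text, timestamp integer,"
            " salt text, primary key (server_url, timestamp, salt));")

    def store_association(self, server_url, handle, secret):
        self.conn.execute("insert or replace into openid_associations values (?,?,?)",
                          (server_url, handle, secret))

    def get_association(self, server_url, handle):
        row = self.conn.execute("select secret from openid_associations where server_url=?"
                                " and handle=?", (server_url, handle)).fetchone()
        return row[0] if row else None

    def use_nonce(self, server_url, timestamp, salt):
        # True the first time this triple is seen; a replay fails on the primary key.
        try:
            self.conn.execute("insert into openid_nonces values (?,?,?)",
                              (server_url, timestamp, salt))
            return True
        except sqlite3.IntegrityError:
            return False


def login_round_trip(new_store):
    """POST's begin() and GET's complete() each build their own store, as in the question."""
    op = "https://open.login.yahooapis.com/openid/op/auth"
    new_store().store_association(op, "handle-1", b"shared-secret")  # begin()
    return new_store().get_association(op, "handle-1") is not None   # complete()
```

With the per-process store the second handler never finds the association, so the only option left is asking the OP directly; with the persistent store the signature can be checked locally and a replayed response is refused by the nonce table.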