req = openid.CreateRequest(OpenIDOP, realm);
Any idea why this would be so slow? > 5 seconds.
:
2010-03-11 12:50:00,117 [3] INFO DotNetOpenAuth - DotNetOpenAuth,
Version=3.4.0.10015, Culture=neutral, PublicKeyToken=2780ccd10d57b246
(official)
2010-03-11 12:50:00,137 [3] INFO DotNetOpenAuth - Reporting will use
isolated storage with scope: User, Domain, Assembly
2010-03-11 12:50:00,329 [3] INFO DotNetOpenAuth.Messaging.Channel -
Scanning incoming request for messages:
http://chicken/marketplace/webv2/loginopenid.aspx?gdomain=prem-test.worth1000.com&redirectto=%2fgooglebrowser%3fgdomain%3dprem-test.worth1000.com%26gdomainhash%3dc28c476114aab901bb125172819e21d0
2010-03-11 12:50:00,611 [3] INFO DotNetOpenAuth.Yadis - Found host-
meta for prem-test.worth1000.com at:
https://www.google.com/accounts/o8/.well-known/host-meta?hd=prem-test.worth1000.com
2010-03-11 12:50:00,612 [3] INFO DotNetOpenAuth.Yadis - Found link to
XRDS at https://www.google.com/accounts/o8/site-xrds?ns=2&hd=prem-test.worth1000.com
in host-meta document https://www.google.com/accounts/o8/.well-known/host-meta?hd=prem-test.worth1000.com.
2010-03-11 12:50:05,616 [3] ERROR DotNetOpenAuth.Http - WebException
from https://www.google.com/accounts/o8/user-xrds?uri=http:%2F%2Fprem-test.worth1000.com%2F:
<!DOCTYPE html>
<html>
<head>
<title>Google Accounts</title>
<style type="text/css">
body {font-family: arial,sans-serif;}
.body {margin: 15px 15px; }
</style>
</head>
<body dir="" ><style type="text/css">
.aligns {
text-align: ;
}
.margins {
margin-: 13px;
}
.floats-normal {
float: ;
}
.floats-reverse {
float: ;
margin-top: 17px;
}
</style>
<div class="header margins" style="height: 59px; margin: 33px 15px
9px 15px;">
<img src="https://www.google.com/intl//images/logos/
accounts_logo.gif" alt="Google Accounts" height="40px;"/>
</div>
<div style="clear:both;"></div>
<div class="body">
</div>
<div class="footer" style="color: #666; font-size: smaller; margin:
50px 15px 0 15px; text-align: center;">
©2009 Google -
<a href="http://www.google.com">Google Home</a> -
<a href="https://www.google.com/accounts/TOS?hl=">Terms of Service</
a> -
<a href="http://www.google.com/intl//privacy.html">Privacy Policy</
a> -
<a href="http://www.google.com/support/accounts?hl=">Help</a>
</div>
</body>
</html>
2010-03-11 12:50:05,617 [3] WARN DotNetOpenAuth.Yadis - HTTP GET
error while retrieving described-by XRDS document
https://www.google.com/accounts/o8/user-xrds?uri=http%3A%2F%2Fprem-test.worth1000.com%2F:
DotNetOpenAuth.Messaging.ProtocolException: Error occurred while
sending a direct message or getting the response. --->
System.Net.WebException: The remote server returned an error: (400)
Bad Request.
at System.Net.HttpWebRequest.GetResponse()
at
DotNetOpenAuth.Messaging.StandardWebRequestHandler.GetResponse(HttpWebRequest
request, DirectWebRequestOptions options) in c:\TeamCity\buildAgent
\work\bf9e2ca68b75a334\src\DotNetOpenAuth\Messaging
\StandardWebRequestHandler.cs:line 126
--- End of inner exception stack trace ---
at
DotNetOpenAuth.Messaging.StandardWebRequestHandler.GetResponse(HttpWebRequest
request, DirectWebRequestOptions options) in c:\TeamCity\buildAgent
\work\bf9e2ca68b75a334\src\DotNetOpenAuth\Messaging
\StandardWebRequestHandler.cs:line 172
at
DotNetOpenAuth.Messaging.UntrustedWebRequestHandler.GetResponse(HttpWebRequest
request, DirectWebRequestOptions options) in c:\TeamCity\buildAgent
\work\bf9e2ca68b75a334\src\DotNetOpenAuth\Messaging
\UntrustedWebRequestHandler.cs:line 250
at
DotNetOpenAuth.OpenId.HostMetaDiscoveryService.GetXrdsResponse(UriIdentifier
identifier, IDirectWebRequestHandler requestHandler, Uri xrdsLocation)
in c:\TeamCity\buildAgent\work\bf9e2ca68b75a334\src\DotNetOpenAuth
\OpenId\HostMetaDiscoveryService.cs:line 306
at
DotNetOpenAuth.OpenId.HostMetaDiscoveryService.GetExternalServices(IEnumerable`1
xrds, UriIdentifier identifier, IDirectWebRequestHandler
requestHandler) in c:\TeamCity\buildAgent\work\bf9e2ca68b75a334\src
\DotNetOpenAuth\OpenId\HostMetaDiscoveryService.cs:line 191
2010-03-11 12:50:05,745 [3] INFO DotNetOpenAuth.OpenId - Further
discovery on 'http://prem-test.worth1000.com/' was stopped by the
HostMetaDiscoveryService discovery service.
2010-03-11 12:50:05,758 [3] INFO DotNetOpenAuth.Yadis - Performing
discovery on user-supplied identifier: http://prem-test.worth1000.com/
2010-03-11 12:50:05,832 [3] INFO DotNetOpenAuth.Messaging.Channel -
Prepared outgoing AssociateUnencryptedRequest (2.0) message for
https://www.google.com/a/prem-test.worth1000.com/o8/ud?be=o8:
openid.assoc_type: HMAC-SHA256
openid.session_type: no-encryption
openid.mode: associate
openid.ns: http://specs.openid.net/auth/2.0
2010-03-11 12:50:06,317 [3] INFO DotNetOpenAuth.Messaging.Channel -
Processing incoming AssociateUnencryptedResponse (2.0) message:
mac_key: Eq6fvsEcAqQyzp3xBa8hXvHzikjcuEbp+g0K50kG+k8=
assoc_handle:
AOQobUfy3qs9tRcrPLiW-8eXmr6CqkmDndW_e76-9lV5lKRIDiEFVU0PWhtXjf3c97WeswpZ
assoc_type: HMAC-SHA256
session_type: no-encryption
expires_in: 46800
ns: http://specs.openid.net/auth/2.0
2010-03-11 12:50:06,394 [3] INFO DotNetOpenAuth.Messaging.Channel -
Prepared outgoing CheckIdRequest (2.0) message for
https://www.google.com/a/prem-test.worth1000.com/o8/ud?be=o8:
openid.claimed_id: http://specs.openid.net/auth/2.0/identifier_select
openid.identity: http://specs.openid.net/auth/2.0/identifier_select
openid.assoc_handle:
AOQobUfy3qs9tRcrPLiW-8eXmr6CqkmDndW_e76-9lV5lKRIDiEFVU0PWhtXjf3c97WeswpZ
openid.return_to:
http://chicken/marketplace/webv2/loginopenid.aspx?gdomain=prem-test.worth1000.com&redirectto=%2Fgooglebrowser%3Fgdomain%3Dprem-test.worth1000.com%26gdomainhash%3Dc28c476114aab901bb125172819e21d0&dnoa.userSuppliedIdentifier=prem-test.worth1000.com
openid.realm: http://chicken/
openid.mode: checkid_setup
openid.ns: http://specs.openid.net/auth/2.0
openid.ns.alias3: http://openid.net/srv/ax/1.0
openid.alias3.required: alias1
openid.alias3.mode: fetch_request
openid.alias3.type.alias1: http://axschema.org/contact/email
openid.alias3.count.alias1: 1
2010-03-11 12:50:06,649 [3] INFO DotNetOpenAuth.Messaging.Channel -
Scanning incoming request for messages:
http://chicken/marketplace/webv2/loginopenid.aspx?gdomain=prem-test.worth1000.com&redirectto=%2Fgooglebrowser%3Fgdomain%3Dprem-test.worth1000.com%26gdomainhash%3Dc28c476114aab901bb125172819e21d0&dnoa.userSuppliedIdentifier=prem-test.worth1000.com&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Fwww.google.com%2Fa%2Fprem-test.worth1000.com%2Fo8%2Fud%3Fbe%3Do8&openid.response_nonce=2010-03-11T17%3A50%3A03Z-aof1O9Xzzc21g&openid.return_to=http%3A%2F%2Fchicken%2Fmarketplace%2Fwebv2%2Floginopenid.aspx%3Fgdomain%3Dprem-test.worth1000.com%26redirectto%3D%252Fgooglebrowser%253Fgdomain%253Dprem-test.worth1000.com%2526gdomainhash%253Dc28c476114aab901bb125172819e21d0%26dnoa.userSuppliedIdentifier%3Dprem-test.worth1000.com&openid.assoc_handle=AOQobUfy3qs9tRcrPLiW-8eXmr6CqkmDndW_e76-9lV5lKRIDiEFVU0PWhtXjf3c97WeswpZ&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle%2Cns.ext1%2Cext1.mode%2Cext1.type.alias1%2Cext1.value.alias1&openid.sig=4JtdHn8yjyDflxUdj27wL4g8Cw2rcfdEnshIfrTbizI%3D&openid.identity=http%3A%2F%2Fprem-test.worth1000.com%2Fopenid%3Fid%3D106682635961859422467&openid.claimed_id=http%3A%2F%2Fprem-test.worth1000.com%2Fopenid%3Fid%3D106682635961859422467&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext1.mode=fetch_response&openid.ext1.type.alias1=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.ext1.value.alias1=iderdik%40prem-test.worth1000.com
2010-03-11 12:50:06,658 [3] INFO DotNetOpenAuth.Messaging.Channel -
Processing incoming PositiveAssertionResponse (2.0) message:
openid.claimed_id: http://prem-test.worth1000.com/openid?id=106682635961859422467
openid.identity: http://prem-test.worth1000.com/openid?id=106682635961859422467
openid.sig: 4JtdHn8yjyDflxUdj27wL4g8Cw2rcfdEnshIfrTbizI=
openid.signed:
op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,ns.ext1,ext1.mode,ext1.type.alias1,ext1.value.alias1
openid.assoc_handle:
AOQobUfy3qs9tRcrPLiW-8eXmr6CqkmDndW_e76-9lV5lKRIDiEFVU0PWhtXjf3c97WeswpZ
openid.op_endpoint: https://www.google.com/a/prem-test.worth1000.com/o8/ud?be=o8
openid.return_to:
http://chicken/marketplace/webv2/loginopenid.aspx?gdomain=prem-test.worth1000.com&redirectto=%2Fgooglebrowser%3Fgdomain%3Dprem-test.worth1000.com%26gdomainhash%3Dc28c476114aab901bb125172819e21d0&dnoa.userSuppliedIdentifier=prem-test.worth1000.com
openid.response_nonce: 2010-03-11T17:50:03Z-aof1O9Xzzc21g
openid.mode: id_res
openid.ns: http://specs.openid.net/auth/2.0
gdomain: prem-test.worth1000.com
redirectto: /googlebrowser?gdomain=prem-
test.worth1000.com&gdomainhash=c28c476114aab901bb125172819e21d0
dnoa.userSuppliedIdentifier: prem-test.worth1000.com
openid.ns.ext1: http://openid.net/srv/ax/1.0
openid.ext1.mode: fetch_response
openid.ext1.type.alias1: http://axschema.org/contact/email
openid.ext1.value.alias1: ide...@prem-test.worth1000.com
2010-03-11 12:50:06,839 [3] INFO DotNetOpenAuth.Yadis - Found host-
meta for prem-test.worth1000.com at:
https://www.google.com/accounts/o8/.well-known/host-meta?hd=prem-test.worth1000.com
2010-03-11 12:50:06,839 [3] INFO DotNetOpenAuth.Yadis - Found link to
XRDS at https://www.google.com/accounts/o8/site-xrds?ns=2&hd=prem-test.worth1000.com
in host-meta document https://www.google.com/accounts/o8/.well-known/host-meta?hd=prem-test.worth1000.com.
2010-03-11 12:50:16,491 [3] INFO DotNetOpenAuth.OpenId - Further
discovery on 'http://prem-test.worth1000.com/openid?
id=106682635961859422467' was stopped by the HostMetaDiscoveryService
discovery service.
2010-03-11 12:50:16,492 [3] INFO DotNetOpenAuth.OpenId - Received
identity assertion for http://prem-test.worth1000.com/openid?id=106682635961859422467
via https://www.google.com/a/prem-test.worth1000.com/o8/ud?be=o8.
On Mar 11, 12:07 pm, Øyvind Sean Kinsey <oyv...@kinsey.no> wrote:
> You should enable logging similar to the one used in the samples, for
> instance the OpenIdRelyingPartyWebForms.
> Add the log4net dll, the config sections and adjust the log4net appenders to
> your likeing, the RollingFileAppender is probably the easiest to use.
>
> That way you can see each action performed by DNOA in order to run
> CreateRequest(..
>
> Øyvind Sean Kinsey
> oyv...@kinsey.nohttp://kinsey.no/blog/index.php/about/
Andrew, the slow down is happening well before I call req.RedirectToProvider(); Does CreateRequest make an HTTP call too?
On Mar 11, 7:37 pm, Andrew Arnott <andrewarn...@gmail.com> wrote:
> > Andrew, the slow down is happening well before I call
> > req.RedirectToProvider(); Does CreateRequest make an HTTP call too?
>
> Yes, absolutely. CreateRequest must perform "discovery" on the identifier
> you pass to it, which requires at least one, perhaps several, outbound HTTP
> requests. These may take time, or in the case suggested by the logs you
> included, may even fail at times due to slow servers hosting the OpenID
> identifier, or just server failure. It looks like the remote server is
> returning HTTP 400 responses, indicating a configuration problem on the
> remote end.
>
> Since this looks like a Google Apps for Domains scenario, I'd contact the
> domain admin or Google support to find out what configuration could possibly
> be wrong that would result in an HTTP 400 coming back from them.
>
> That said, it looks like a subsequent request attempt in your log succeeded.
> I don't know what would explain Google failing a response on one instance
> and succeeding on the next.
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - S. G. Tallentyre
>
> 2010/3/11 iZ <ider...@gmail.com>
>
>
>
> > Ok - I've enabled logging and the results look interesting (big paste
> > below). Any idea what those WebExceptions are?
>
> > :
>
> > 2010-03-11 12:50:00,117 [3] INFO DotNetOpenAuth - DotNetOpenAuth,
> > Version=3.4.0.10015, Culture=neutral, PublicKeyToken=2780ccd10d57b246
> > (official)
> > 2010-03-11 12:50:00,137 [3] INFO DotNetOpenAuth - Reporting will use
> > isolated storage with scope: User, Domain, Assembly
> > 2010-03-11 12:50:00,329 [3] INFO DotNetOpenAuth.Messaging.Channel -
> > Scanning incoming request for messages:
>
> >http://chicken/marketplace/webv2/loginopenid.aspx?gdomain=prem-test.w...
> > 2010-03-11 12:50:00,611 [3] INFO DotNetOpenAuth.Yadis - Found host-
> > meta for prem-test.worth1000.com at:
>
> >https://www.google.com/accounts/o8/.well-known/host-meta?hd=prem-test...
> > 2010-03-11 12:50:00,612 [3] INFO DotNetOpenAuth.Yadis - Found link to
> > XRDS at
> >https://www.google.com/accounts/o8/site-xrds?ns=2&hd=prem-test.worth1...
> > in host-meta document
> >https://www.google.com/accounts/o8/.well-known/host-meta?hd=prem-test....
> > 2010-03-11 12:50:05,616 [3] ERROR DotNetOpenAuth.Http - WebException
> > from
> >https://www.google.com/accounts/o8/user-xrds?uri=http:%2F%2Fprem-test...
> >https://www.google.com/accounts/o8/user-xrds?uri=http%3A%2F%2Fprem-te...
> > DotNetOpenAuth.OpenId.HostMetaDiscoveryService.GetExternalServices(IEnumera ble`1
> >http://chicken/marketplace/webv2/loginopenid.aspx?gdomain=prem-test.w...
> > openid.realm:http://chicken/
> > openid.mode: checkid_setup
> > openid.ns:http://specs.openid.net/auth/2.0
> > openid.ns.alias3:http://openid.net/srv/ax/1.0
> > openid.alias3.required: alias1
> > openid.alias3.mode: fetch_request
> > openid.alias3.type.alias1:http://axschema.org/contact/email
> > openid.alias3.count.alias1: 1
>
> > 2010-03-11 12:50:06,649 [3] INFO DotNetOpenAuth.Messaging.Channel -
> > Scanning incoming request for messages:
>
> >http://chicken/marketplace/webv2/loginopenid.aspx?gdomain=prem-test.w...
> > 2010-03-11 12:50:06,658 [3] INFO DotNetOpenAuth.Messaging.Channel -
> > Processing incoming PositiveAssertionResponse (2.0) message:
> > openid.claimed_id:
> >http://prem-test.worth1000.com/openid?id=106682635961859422467
> > openid.identity:
> >http://prem-test.worth1000.com/openid?id=106682635961859422467
> > openid.sig: 4JtdHn8yjyDflxUdj27wL4g8Cw2rcfdEnshIfrTbizI=
> > openid.signed:
>
> > op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,ns.ex t1,ext1.mode,ext1.type.alias1,ext1.value.alias1
> > openid.assoc_handle:
> > AOQobUfy3qs9tRcrPLiW-8eXmr6CqkmDndW_e76-9lV5lKRIDiEFVU0PWhtXjf3c97WeswpZ...
>
> read more »
It looks like all requests to https://www.google.com/accounts/o8/user-xrds?....
failed. Which is the call for user discovery that succeeded? Is it
possible to force the code to query there first?
----
As for why the user XRDS lookup is failing, the thing that looks odd
with what you sent is the uri parameter should be the full claimed ID
of the user (and properly URI encoded.) It should look more like:
Not sure if it is really making that particular request or if it just
got truncated in the logs. But its worth looking into more to see if
there is a bug in your code or in the underlying library regarding how
it is doing the user xrds lookup.
----
Does this make sense and is it correctable in the library?
On Mar 12, 1:31 pm, Andrew Arnott <andrewarn...@gmail.com> wrote:
> request. But please file a bug onhttp://trac.dotnetopenauth.net/<http://trac.dotnetopenauth.net:8000/>
On Mar 16, 11:43 am, Andrew Arnott <andrewarn...@gmail.com> wrote:
> Yes, it does make sense and seems to agree with my own analysis. They
> didn't seem to address the extremely slow request though -- only that the
> request shouldn't be made.
>
> Can you open a bug for this onhttp://trac.dotnetopenauth.net/
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - S. G. Tallentyre
>
> 2010/3/16 iZ <ider...@gmail.com>
>
>
>
> > Andrew, I sent this question to Google to see if there is anything
> > wrong on their end and this was the response I got:
>
> > ----
> > As for why the user XRDS lookup is failing, the thing that looks odd
> > with what you sent is the uri parameter should be the full claimed ID
> > of the user (and properly URI encoded.) It should look more like:
>
> >http://www.google.com/accounts/o8/user-xrds?uri=http%3A%2F%2Fprem-tes...
On Mar 12, 10:31 am, Andrew Arnott <andrewarn...@gmail.com> wrote:
> On Fri, Mar 12, 2010 at 7:04 AM, iZ <ider...@gmail.com> wrote:
> > It looks like all requests to
> >https://www.google.com/accounts/o8/user-xrds?....
> > failed. Which is the call for user discovery that succeeded? Is it
> > possible to force the code to query there first?
>
> The succeeding call to user-xrds?... is not shown in the log because for
> that particular request only failures are logged. The failure doesn't cause
> overall login failure because that was a step of looking for user service
> endpoints during the phase when really we're only interested in the OP
> service endpoint, which we can find right in that XRDS.
>
> I think there is room for optimization here, in that we may not need to
> check for the user-xrds file until after we've received an assertion. That
> would avoid the exception you're seeing here.
>
> That said, the fact that Google took 5 seconds to respond with an error
> seems unacceptably slow on their part. When I tested it on my machine the
> first time logging it also took around 5 seconds. After that it went much
> more quickly -- oddly.
>
> I'll research this further to see if we can safely avoid the first user-xrds
> request. But please file a bug onhttp://trac.dotnetopenauth.net/<http://trac.dotnetopenauth.net:8000/>
--
You received this message because you are subscribed to the Google Groups "DotNetOpenAuth" group.
To post to this group, send email to dotnet...@googlegroups.com.
To unsubscribe from this group, send email to dotnetopenid...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/dotnetopenid?hl=en.
The hang wasn't caused by X509Certificate.Verify() and
X509Chain.Build(), was it? I later realized that's what the real
problem was, at least on my machine. Where can I get the new build?
> > dotnetopenid...@googlegroups.com<dotnetopenid%2Bunsubscribe@google groups.com>
To unsubscribe from this group, send email to dotnetopenid...@googlegroups.com.
It turns out the sole reason for the slowness I was seeing was the
cert verification process. Verify() and Build() while running inside
IIS were consistently taking about 5 seconds to complete each --
Verify() was actually returning false, which caused Build() to run
from within VerifyCertChain(), which eventually succeeded. I ran the
same code in a simple test app I wrote and the delays didn't repro. I
then ran the same test app as NT AUTHORITY\System and the delays
returned -- but only the first time. Subsequent runs under the System
account were fine. From then on, IIS was fine too.
When I realized your custom build wasn't obviously addressing my cert
problem I returned to my own from GitHub's source. That one's running
fast now too, so I suppose Google also addressed the delay on Bad
Requests.
On Apr 3, 12:55 pm, Andrew Arnott <andrewarn...@gmail.com> wrote:
> I haven't seen a delay due to the X509Chain code (yet). But I'll double
> check that. My fix was for some dangling HTTP connections the library left
> open during Google Apps discovery that causes .NET to just hang while the
> connections timeout.
>
> You can download the fixed build here:http://cid-063d0c265f96e43d.skydrive.live.com/self.aspx/.Public/DotNe...