Re: OpenID and Microsoft Live

Martin Atkins

Feb 18, 2009, 3:07:03 PM
to Martin Broerse, openi...@googlegroups.com

(Copying this to the Google Group in case it's useful to others.)

naive_verify_failed_return means that the client was running in
stateless mode and the server failed to verify the provided signature.

In most cases a consumer shouldn't be running in stateless mode. A few
different things can cause it to do so:

* If you don't provide a cache object then it has nowhere to keep state
and so it'll use stateless mode.

* If the Consumer library can't connect to the OP for some reason then
it'll fail to create an association and so it'll fall back to stateless
mode. Of course, when it tries to verify the signature later it probably
still can't connect to the OP, so you get naive_verify_failed_return.

I think the second of these is more likely in this case. One possibility
is that your libwww-perl isn't able to make SSL requests because you
don't have Net::HTTPS installed, though I'd expect other providers to
also fail in this case.

You might get more information from the debug logs, which you can enable
using the "debug" flag on the constructor:

    my $consumer = Net::OpenID::Consumer->new(
        debug => 1,
        ...
    );

By default the log messages go to STDERR, though you can make it do
something different if you pass a CODE ref instead of the literal 1.

Martin Broerse wrote:
> Hi Martin,
>
> I am checking out my implementation of Net::OpenID::Consumer on
> http://www.broerse.net/wordpress/2009/02/16/help-us-test-openid/ All
> OpenIDs work except http://openid.live-int.com/
> <http://openid.live-int.com/username>. The result is
> "naive_verify_failed_return". Do you think it is something I do wrong or
> is this a known issue? Setting minimum_version to 1 or 2 does not fix this.
> $cgi when the failure happens below.
>
> Thanks in advance.
>
> Martin Broerse
>
>
> $VAR1 = bless( {
>     '.parameters' => [
>         'oso',
>         'oic.time',
>         'openid.ns',
>         'openid.claimed_id',
>         'openid.assoc_handle',
>         'openid.sig',
>         'openid.mode',
>         'openid.realm',
>         'openid.response_nonce',
>         'openid.identity',
>         'openid.op_endpoint',
>         'openid.signed',
>         'openid.return_to'
>     ],
>     'openid.response_nonce' => [
>         '2009-02-18T19:43:11Z472EC14E-FE2E-401C-85CF-37669BEB378F'
>     ],
>     'openid.mode' => [
>         'id_res'
>     ],
>     'openid.claimed_id' => [
>         'http://openid.live-int.com/martinbroerse'
>     ],
>     'openid.assoc_handle' => [
>         '32m30F3S!AsJHDxQMIp81o02KYKxSjBccq1zj4bCfI4ipFSZ4f50lB5KputAFYAHiTsTZUHw9uRFg$'
>     ],
>     'oic.time' => [
>         '1234986174-6c0d4e3dc7e9b2dfecac'
>     ],
>     'openid.ns' => [
>         'http://specs.openid.net/auth/2.0'
>     ],
>     'openid.op_endpoint' => [
>         'https://openid.live-int.com/OpenIDAuth.srf'
>     ],
>     '.fieldnames' => {},
>     'openid.realm' => [
>         'https://www.xsall.com'
>     ],
>     'escape' => 1,
>     'oso' => [
>         'd2faf3cf5bdf4f9f6c7998c607253910'
>     ],
>     'openid.signed' => [
>         'op_endpoint,identity,claimed_id,return_to,assoc_handle,response_nonce'
>     ],
>     '.charset' => 'ISO-8859-1',
>     'openid.sig' => [
>         '383nSMVV3BqygKTD6xeHSgbtEBCRUgOLmTTtP2XmlpI='
>     ],
>     'openid.identity' => [
>         'http://openid.live-int.com/martinbroerse'
>     ],
>     'openid.return_to' => [
>         'https://www.xsall.com/test1/openid.html?oso=d2faf3cf5bdf4f9f6c7998c607253910&oic.time=1234986174-6c0d4e3dc7e9b2dfecac'
>     ]
> }, 'CGI' );

Martin Atkins

Feb 18, 2009, 4:34:12 PM
to Martin Broerse, openi...@googlegroups.com

Martin Broerse wrote:
> Hi Martin,
>
> What can you tell from the log?
>
> [DEBUG Net::OpenID::Consumer] Cache MISS for
> http://openid.live-int.com/martinbroerse
> [DEBUG Net::OpenID::Consumer] Cache MISS for
> http://openid.live-int.com/OpenIDXRDS.srf?oidn=martinbroerse
> [DEBUG Net::OpenID::Consumer] Cache MISS for
> http://openid.live-int.com/martinbroerse
> [DEBUG Net::OpenID::Consumer] semantic info
> (http://openid.live-int.com/martinbroerse) = openid.delegate => ,
> openid.server => , foaf => , openid2.provider =>
> https://openid.live-int.com/OpenIDAuth.srf, atom => , foaf.maker => ,
> rss =>
> [DEBUG Net::OpenID::Consumer] Server is
> https://openid.live-int.com/OpenIDAuth.srf
> [DEBUG Net::OpenID::Consumer] verified_identity: assoc_handle:
> 3TcxBGOX7AiV0GdhJDbhQGiEEsgF7ExmVoPRhzKPniCQ9tEUe9NSjdCGcgD179F2DlhxhGzJtWKX0$
> [DEBUG Net::OpenID::Consumer] handle_assoc: dumb mode: no_cache
> [DEBUG Net::OpenID::Consumer] verified_identity: verifying using HTTP
> (dumb mode)
> [DEBUG Net::OpenID::Consumer] fail(naive_verify_failed_return) Provider
> says signature is invalid
>

It looks like you've not given Consumer a cache object where it can
store association state. However, it's interesting that the Live OP
endpoint is actually returning a failure on the signature verification,
so it's not a connection error as I first thought.

This suggests that either the Live server is generating an invalid
signature or the Consumer library is generating an invalid signature.
I'm not sure which it is.

It would be interesting to see whether this works in stateful mode, with
a cache. To do this you'll need to give Net::OpenID::Consumer a cache
object that it can use to store the state. Here's a simple example from
some test code I use here:

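    use Cache::File;
    use Net::OpenID::Consumer;

    # Directory where association state is stored between requests
    my $cache_dir = '/tmp/openid-consumer-test';
    my $cache = Cache::File->new(
        cache_root => $cache_dir,
    );

    # Passing a cache lets the consumer keep associations (stateful mode)
    my $consumer = Net::OpenID::Consumer->new(
        args            => $cgi,
        consumer_secret => "...",
        required_root   => $base_url,
        debug           => 1,
        cache           => $cache,
    );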

Cache::File is a cache implementation that writes the cached data out to
disk in a given directory. For my test app I've hard-coded a directory,
but you can adjust to suit your environment.
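
Added example, not part of the original thread and not Net::OpenID::Consumer's code: a protocol-level Python sketch of what stateful mode does with a cached association, namely rebuilding the OpenID 2.0 Key-Value string from the fields in openid.signed and checking openid.sig locally instead of asking the OP. The association layout, function names, key and URLs are assumptions constructed for illustration; nonce, return_to and expiry checks are out of scope here.

```python
import base64
import hashlib
import hmac

DIGESTS = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}
# OpenID 2.0: always signed; claimed_id/identity too when they are sent.
BASE_REQUIRED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}

def signed_base_string(params):
    """Key-Value Form of the fields listed in openid.signed, in that order."""
    lines = []
    for name in params["openid.signed"].split(","):
        value = params["openid." + name]  # KeyError: signed field is missing
        if ":" in name or "\n" in name or "\n" in value:
            raise ValueError("cannot Key-Value encode " + name)
        lines.append(f"{name}:{value}\n")
    return "".join(lines).encode("utf-8")

def sign(params, mac_key, assoc_type):
    mac = hmac.new(mac_key, signed_base_string(params), DIGESTS[assoc_type])
    return base64.b64encode(mac.digest())

def verify_stateful(params, associations):
    """Check openid.sig locally with a cached association: (ok, reason)."""
    assoc = associations.get(params.get("openid.assoc_handle"))
    if assoc is None:
        return False, "no_association"  # stateless fallback would start here
    signed = set(params.get("openid.signed", "").split(","))
    sent = {f for f in ("claimed_id", "identity") if "openid." + f in params}
    if not (BASE_REQUIRED | sent) <= signed:
        return False, "unsigned_required_field"
    try:
        expected = sign(params, assoc["mac_key"], assoc["assoc_type"])
    except (KeyError, ValueError):
        return False, "malformed"
    # Constant-time comparison of the base64 signatures
    ok = hmac.compare_digest(expected, params.get("openid.sig", "").encode())
    return (True, "ok") if ok else (False, "bad_signature")

def sample():  # constructed data: key, handle and URLs are made up
    cache = {"handle-1": {"mac_key": bytes(range(32)), "assoc_type": "HMAC-SHA256"}}
    op = "https://op.example/"
    fields = {"op_endpoint": op + "auth", "identity": op + "alice",
              "claimed_id": op + "alice", "assoc_handle": "handle-1",
              "return_to": "https://rp.example/openid",
              "response_nonce": "2009-02-18T19:43:11Zconstructed"}
    resp = {"openid." + k: v for k, v in fields.items()}
    resp["openid.signed"] = ",".join(fields)
    resp["openid.sig"] = sign(resp, cache["handle-1"]["mac_key"], "HMAC-SHA256").decode()
    return resp, cache
```

With an empty association store the check returns "no_association", which is the point where a consumer without a cache has to fall back to asking the OP to verify the signature.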
