Nonce verification fails?


The_Farwall

Jan 16, 2009, 2:03:42 PM
to OpenID4Java
Hi All

I've successfully got a login process running with my webapp as an RP
authenticating users against Google and Yahoo as OPs. However, the
OpenID4Java logging always ends with the messages "- Nonce is too
old: ..." and "- Nonce verification failed". I'm just wondering if
this is significant, is it an error that will impede the process in
any way. I'm curious because I've yet to get attribute exchange
working with either of the OPs and want to be sure that this (the
failing nonce verification) isn't something that could stop that from
working. Thanks,

Chris

Johnny Bufu

Jan 16, 2009, 2:20:56 PM
to openi...@googlegroups.com
On Fri, Jan 16, 2009 at 11:03:42AM -0800, The_Farwall wrote:
> I've successfully got a login process running with my webapp as an RP
> authenticating users against Google and Yahoo as OPs. However, the
> OpenID4Java logging always ends with the messages "- Nonce is too
> old: ..." and "- Nonce verification failed". I'm just wondering if
> this is significant, is it an error that will impede the process in
> any way.

Yes, nonce verification is required; if it fails, the whole
authentication will fail.

First thing to check is that the time on the machine where your RP runs
is correct / synchronized. If that is ok, then enabling debug logs will
show more about the cause of the failure.

> I'm curious because I've yet to get attribute exchange
> working with either of the OPs and want to be sure that this (the
> failing nonce verification) isn't something that could stop that from
> working. Thanks,

I see that Yahoo advertises SREG in their discovery information.

Google supports AX, and the only attribute provided seems to be the
email address:
http://code.google.com/apis/accounts/docs/OpenID.html#attribute


Johnny

The_Farwall

Jan 17, 2009, 9:38:49 AM
to OpenID4Java
Thanks Johnny,

Correcting the server clock (it was actually 3 minutes ahead) solved
the nonce problem.
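
Added example (not part of the thread and not OpenID4Java's own code): a standalone Java model of the OpenID 2.0 `response_nonce` age check, showing how an RP clock running 3 minutes ahead makes a fresh nonce look too old. The class name, result names, 60-second window, endpoint URL and nonce value are assumptions constructed for illustration.

```java
import java.time.Duration;
import java.time.Instant;
import java.time.format.DateTimeParseException;
import java.util.HashSet;
import java.util.Set;

// Hypothetical standalone model; not OpenID4Java's implementation.
public class NonceAgeCheck {
    enum Result { OK, SEEN, INVALID_TIMESTAMP, TOO_OLD }

    private final Duration maxAge;                     // assumed acceptance window
    private final Set<String> seen = new HashSet<>();  // replay cache for this sketch

    NonceAgeCheck(Duration maxAge) { this.maxAge = maxAge; }

    // rpNow is the RP's own clock reading, passed in so skew can be simulated.
    Result check(String opEndpoint, String nonce, Instant rpNow) {
        // OpenID 2.0: the nonce starts with a 20-character UTC timestamp
        // (e.g. 2005-05-15T17:11:51Z), followed by optional unique characters.
        if (nonce == null || nonce.length() < 20 || nonce.length() > 255) {
            return Result.INVALID_TIMESTAMP;
        }
        Instant issued;
        try {
            issued = Instant.parse(nonce.substring(0, 20));
        } catch (DateTimeParseException e) {
            return Result.INVALID_TIMESTAMP;
        }
        // Age is measured against the RP clock, so RP skew shifts it directly.
        if (Duration.between(issued, rpNow).compareTo(maxAge) > 0) {
            return Result.TOO_OLD;
        }
        // Set.add returns false when this OP/nonce pair was already accepted.
        return seen.add(opEndpoint + " " + nonce) ? Result.OK : Result.SEEN;
    }

    public static void main(String[] args) {
        String op = "https://op.example/auth";            // constructed endpoint
        String nonce = "2009-01-16T19:03:40ZaB3xQ9";      // constructed nonce
        Instant trueNow = Instant.parse("2009-01-16T19:03:42Z");
        Duration window = Duration.ofSeconds(60);         // assumed window

        NonceAgeCheck rp = new NonceAgeCheck(window);
        System.out.println("correct clock:   " + rp.check(op, nonce, trueNow));
        System.out.println("replayed nonce:  " + rp.check(op, nonce, trueNow.plusSeconds(5)));
        System.out.println("clock +3 min:    "
                + new NonceAgeCheck(window).check(op, nonce, trueNow.plus(Duration.ofMinutes(3))));
    }
}
```

Widening the window would hide the skew but also lengthens the period for which accepted nonces must be remembered to detect replays; synchronizing the RP clock, as the thread concluded, addresses the cause.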

The_Farwall

Jan 17, 2009, 9:42:32 AM
to OpenID4Java
By the way, when you say that Yahoo advertises SREG in their discovery
information, where would I look to see that kind of thing? I'm
actually sending the same request to Google and Yahoo, requesting SREG
and AttributeExchange info, whatever I can get basically, but getting
nothing back from either at the moment.

On Jan 16, 7:20 pm, Johnny Bufu <johnny.b...@gmail.com> wrote:

Xin Recala

Oct 24, 2015, 3:12:38 PM
to OpenID4Java
I'm having the same problem. Johnny is right. The time on the machine was later by two minutes. Thanks Johnny. Helped me a lot.

On Saturday, January 17, 2009 at 3:20:56 AM UTC+8, johnny.bufu wrote:

Xin Recala

Oct 24, 2015, 3:12:38 PM
to OpenID4Java
I am having the same problem. Johnny is right. The time on the machine was later by one minute. Thanks Johnny. Helped me a lot.

On Saturday, January 17, 2009 at 3:03:42 AM UTC+8, The_Farwall wrote: