While attempting to authenticate against AOL: "Null consumer nonce signature. Nonce verification failed."


desau

May 6, 2009, 5:15:10 PM
to OpenID4Java
I suspect I'm not doing something correctly to set up a "nonce
signature"?

I've got Google and Yahoo authentication working .. now trying to get
AOL's provider working.

Setting my org.openid4java logging to DEBUG, in the callback from the
provider, I see the following (edited) log entries:

Note: I'm unsure if any of the strings in the log are meant to be
private, so I've cut/replaced (with some random keystrokes) all
strings that seemed they could be, including openid.sig,
openid.assoc_handle, my AOL screen name and my hostname.



14:07:11,381 WARN [http-8080-3] [RealmVerifier] RP discovery / realm
validation disabled;
14:07:11,382 INFO [http-8080-3] [ConsumerManager] Verifying
authentication response...
14:07:11,382 DEBUG [http-8080-3] [ParameterList] Created empty
parameter list.
14:07:11,383 DEBUG [http-8080-3] [AuthSuccess] Created positive auth
response:
openid.signed:identity,return_to
openid.sig:ksmcoisemsoifjpsifepdsfsd=
openid.identity:http://openid.aol.com/my_aol_screen_name
login:true
openid.mode:id_res
openid.assoc_handle:asdfkjlksldkfjsdlkfjsldkjsakdjfslkdjf
openid.return_to:http://my-host-name.org/lg/OpenIDLoginResponse?
login=true

14:07:11,383 INFO [http-8080-3] [ConsumerManager] Received positive
auth response.
14:07:11,383 DEBUG [http-8080-3] [ConsumerManager] Verifying return
URL; receiving:
http://my-host-name.org/lg/OpenIDLoginResponse?login=true&openid.mode=id_res&openid.identity=http%3A%2F%2Fopenid.aol.com%2Fmy_aol_screen_name&openid.assoc_handle=asdfkjlksldkfjsdlkfjsldkjsakdjfslkdjf&openid.return_to=http%3A%2F%2Fmy-host-name.org%2Flg%2FOpenIDLoginResponse%3Flogin%3Dtrue&openid.signed=identity%2Creturn_to&openid.sig=ksmcoisemsoifjpsifepdsfsd%3D
message: http://my-host-name.org/lg/OpenIDLoginResponse?login=true
14:07:11,384 DEBUG [http-8080-3] [ConsumerManager] Verifying
discovered information for OpenID1 assertion about ClaimedID:
http://openid.aol.com/my_aol_screen_name
14:07:11,384 DEBUG [http-8080-3] [ConsumerManager] Extracting consumer
nonce...
14:07:11,384 ERROR [http-8080-3] [ConsumerManager] Null consumer nonce
signature.
14:07:11,384 ERROR [http-8080-3] [ConsumerManager] Nonce verification
failed.

Johnny Bufu

May 8, 2009, 1:38:13 PM
to openi...@googlegroups.com
On Wed, May 06, 2009 at 02:15:10PM -0700, desau wrote:
> I suspect I'm not doing something correctly to setup a "nonce
> signature?"

Nothing should be done explicitly for this - the library takes care of
it transparently.


What does the AuthRequest that you send to AOL look like?


Johnny


desau

May 8, 2009, 2:02:57 PM
to OpenID4Java
Here's what the log shows just prior to transferring to AOL:

10:55:35,671 DEBUG [http-8080-2] [OpenID4JavaUtils] Resource /
openid4java.properties not found.
10:55:35,671 DEBUG [http-8080-2] [HtmlResolver]
discovery.html.parser:org.openid4java.discovery.html.CyberNekoDOMHtmlParser
10:55:35,676 DEBUG [http-8080-2] [YadisResolver]
discovery.yadis.html.parser:org.openid4java.discovery.yadis.CyberNekoDOMYadisHtmlParser
10:55:35,678 DEBUG [http-8080-2] [YadisResolver]
discovery.xrds.parser:org.openid4java.discovery.xrds.XrdsParserImpl
10:55:35,680 DEBUG [http-8080-2] [Discovery]
discovery.xri.resolver:org.openid4java.discovery.xri.XriDotNetProxyResolver
10:55:35,733 DEBUG [http-8080-2] [XriDotNetProxyResolver]
discovery.xrds.parser:org.openid4java.discovery.xrds.XrdsParserImpl
10:55:35,747 WARN [http-8080-2] [RealmVerifier] RP discovery / realm
validation disabled;
10:55:36,036 WARN [http-8080-2] [RealmVerifier] RP discovery / realm
validation disabled;
10:55:36,037 DEBUG [http-8080-2] [Discovery] Creating URL identifier
for: http://openid.aol.com/my_aol_screenname
10:55:36,038 DEBUG [http-8080-2] [UrlIdentifier] Normalized:
http://openid.aol.com/my_aol_screenname to: http://openid.aol.com/my_aol_screenname
10:55:36,039 INFO [http-8080-2] [Discovery] Starting discovery on URL
identifier: http://openid.aol.com/my_aol_screenname
10:55:36,043 DEBUG [http-8080-2] [YadisResolver] Performing HTTP HEAD
on: http://openid.aol.com/my_aol_screenname ...
10:55:36,221 DEBUG [http-8080-2] [YadisResolver] Performing HTTP GET
on: http://openid.aol.com/my_aol_screenname ...
10:55:36,262 DEBUG [http-8080-2] [HttpCache] Read 487 bytes.
10:55:36,262 DEBUG [http-8080-2] [YadisResult] Setting X-XRDS-Location
for yadis result: http://api.screenname.aol.com/yadis.xml
10:55:36,326 DEBUG [http-8080-2] [HttpCache] Read 356 bytes.
10:55:36,326 DEBUG [http-8080-2] [YadisResult] Setting X-XRDS-Location
for yadis result: http://api.screenname.aol.com/yadis.xml
10:55:36,327 DEBUG [http-8080-2] [XrdsParserImpl] Parsing XRDS input
for service types: [http://specs.openid.net/auth/2.0/signon,
http://openid.net/signon/1.0, http://openid.net/signon/1.1,
http://specs.openid.net/auth/2.0/server]
10:55:36,327 DEBUG [http-8080-2] [XrdsParserImpl] Parsing XRDS input:
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS
xmlns:xrds="xri://$xrds"
xmlns:openid="http://openid.net/xmlns/1.0"
xmlns="xri://$xrd*($v*2.0)">
<XRD>

<Service xmlns="xri://$xrd*($v*2.0)">
<Type>http://specs.openid.net/auth/2.0/return_to</Type>
<URI>https://api.screenname.aol.com/auth/login</URI>
</Service>

</XRD>
</xrds:XRDS>


10:55:36,683 DEBUG [http-8080-2] [XrdsParserImpl] Found 1 services for
the requested types.
10:55:36,683 INFO [http-8080-2] [YadisResolver] Yadis discovered 0
endpoints from: http://openid.aol.com/my_aol_screenname
10:55:36,683 INFO [http-8080-2] [Discovery] No OpenID service
endpoints discovered through Yadis; attempting HTML discovery...
10:55:36,686 INFO [http-8080-2] [HttpCache] Returning cached GET
response for http://openid.aol.com/my_aol_screenname
10:55:36,686 DEBUG [http-8080-2] [UrlIdentifier] Normalized:
http://openid.aol.com/my_aol_screenname to: http://openid.aol.com/my_aol_screenname
10:55:36,686 DEBUG [http-8080-2] [CyberNekoDOMHtmlParser] Parsing HTML
data:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/
TR/html4/strict.dtd"><html><head><link rel="openid.server"
href="https://api.screenname.aol.com/auth/openidServer"/><meta http-
equiv="Content-Type" content="text/html; charset=UTF-8"><title>AOL
OpenId</title><meta http-equiv="refresh" content="0;url=http://
profiles.aim.com/my_aol_screenname"></head><body>If not redirected
automatically, please click <a href="http://profiles.aim.com/
my_aol_screenname">here</a> to continue</body></html>
10:55:36,792 DEBUG [http-8080-2] [CyberNekoDOMHtmlParser] Found
OpenID1 endpoint: https://api.screenname.aol.com/auth/openidServer
10:55:36,793 DEBUG [http-8080-2] [CyberNekoDOMHtmlParser] HTML
discovery result:
ClaimedID:http://openid.aol.com/my_aol_screenname
OpenID1-endpoint:https://api.screenname.aol.com/auth/openidServer
10:55:36,793 INFO [http-8080-2] [HtmlResolver] HTML discovery
completed on: http://openid.aol.com/my_aol_screenname
10:55:36,793 DEBUG [http-8080-2] [HtmlResolver] OpenID1-signon HTML
discovery endpoint: OpenID1
OP-endpoint:https://api.screenname.aol.com/auth/openidServer
ClaimedID:http://openid.aol.com/my_aol_screenname
Delegate:null
10:55:36,793 INFO [http-8080-2] [Discovery] Discovered 1 OpenID
endpoints.
10:55:36,793 INFO [http-8080-2] [ConsumerManager] Trying to associate
with https://api.screenname.aol.com/auth/openidServer attempts left: 4
10:55:36,809 DEBUG [http-8080-2] [ParameterList] Created empty
parameter list.
10:55:36,810 DEBUG [http-8080-2] [AssociationRequest] Creating
association request, type: :HMAC-SHA1:OpenID1DH session: null
10:55:36,810 DEBUG [http-8080-2] [AssociationSessionType]
Session:Association Type: :HMAC-SHA1:OpenID1
10:55:36,811 DEBUG [http-8080-2] [AssociationRequest] Created
association request:
openid.mode:associate
openid.session_type:
openid.assoc_type:HMAC-SHA1

10:55:36,821 DEBUG [http-8080-2] [DiffieHellmanSession] Created DH
session: DH-SHA1:HMAC-SHA1:OpenID1 base: 2 modulus:
155172898181473697471232257763714894654357498946842404479707795314057629378541917580651227423698188993727816152646631438561595825688188889951272158842675419950341258706556549803580104870537681476726513255747040765857479291291572334510643245094715007229621094194349783925984760375594985848253359305585439638443
10:55:36,823 DEBUG [http-8080-2] [ParameterList] Created empty
parameter list.
10:55:36,824 DEBUG [http-8080-2] [AssociationRequest] Creating
association request, type: DH-SHA1:HMAC-SHA1:OpenID1DH session: DH-
SHA1:HMAC-SHA1:OpenID1 base: 2 modulus:
155172898181473697471232257763714894654357498946842404479707795314057629378541917580651227423698188993727816152646631438561595825688188889951272158842675419950341258706556549803580104870537681476726513255747040765857479291291572334510643245094715007229621094194349783925984760375594985848253359305585439638443
10:55:36,826 DEBUG [http-8080-2] [AssociationSessionType]
Session:Association Type: DH-SHA1:HMAC-SHA1:OpenID1
10:55:36,826 DEBUG [http-8080-2] [AssociationRequest] Created
association request:
openid.mode:associate
openid.session_type:DH-SHA1
openid.assoc_type:HMAC-SHA1
openid.dh_consumer_public:WXdjeSj3zdEjs3IUc4+usXroGee6NPTf3GORFhsjYAc/
P4dLjdEjs83sDgzh3zdhRFJxIwvLdLVWrxHqivFgwOGF+uzuCzI8rdOjl16jMRh995/
ZJMPcD+OdFhqLo+Si78fPss6UDa8lftgcEa09u8Za+DbOBUbTVPl2YhTy4ZdEgE=

10:55:36,826 DEBUG [http-8080-2] [AssociationSessionType]
Session:Association Type: DH-SHA1:HMAC-SHA1:OpenID1
10:55:36,826 DEBUG [http-8080-2] [ConsumerManager] Trying association
type: DH-SHA1:HMAC-SHA1:OpenID1
10:55:36,826 DEBUG [http-8080-2] [AssociationSessionType]
Session:Association Type: DH-SHA1:HMAC-SHA1:OpenID1
10:55:36,826 DEBUG [http-8080-2] [AssociationSessionType]
Session:Association Type: DH-SHA1:HMAC-SHA1:OpenID1
10:55:36,826 DEBUG [http-8080-2] [ParameterList] Created empty
parameter list.
10:55:36,833 DEBUG [http-8080-2] [ConsumerManager] Performing HTTP
POST on https://api.screenname.aol.com/auth/openidServer
10:55:37,500 WARN [http-8080-2] [HttpMethodBase] Going to buffer
response body of large or unknown size. Using getResponseBodyAsStream
instead is recommended.
10:55:37,501 DEBUG [http-8080-2] [ParameterList] Creating parameter
list from key-value form:
assoc_type:HMAC-SHA1
assoc_handle:diAyLjAjd983AjdsDjujgjhg6Hfdiuyjb7dkis2SZjM2aVZ0eklxQT0%3D-
j5HRXRB1VbPyg48jGKE1Q%2B8eo%2B38N
%2FjwBMnxwQdjfu5GjxB67jgGiyxD57gXbnbed4dCgfrst6%2F4M%3D
expires_in:86399
session_type:DH-SHA1
dh_server_public:AIvgIUkdikDj494fFs6ujhFGeeC5JQPHhJp+sL/
9qXyT0hZWj1ajbtmAgZuG25clNXc9+Ww1Y3jgjrivjhg6HfHrt544dGFhtgfPM60KDIxX0BgnKE0HbpOkvQ7pEM3NsIzrZ9MpYt15hoi/
fqp6q1RlQAVuVxtRPxHMuN/Wl8p7egEtP
enc_mac_key:0CgR4yKpCwQsAvRXPOCUf1ZnXMI=

10:55:37,501 DEBUG [http-8080-2] [ParameterList] Created empty
parameter list.
10:55:37,501 DEBUG [http-8080-2] [ParameterList] Copying parameter
list:
assoc_type:HMAC-SHA1
assoc_handle:diAyLjAjd983AjdsDjujgjhg6Hfdiuyjb7dkis2SZjM2aVZ0eklxQT0%3D-
j5HRXRB1VbPyg48jGKE1Q%2B8eo%2B38N
%2FjwBMnxwQdjfu5GjxB67jgGiyxD57gXbnbed4dCgfrst6%2F4M%3D
expires_in:86399
session_type:DH-SHA1
dh_server_public:AIvgIUkdikDj494fFs6ujhFGeeC5JQPHhJp+sL/
9qXyT0hZWj1ajbtmAgZuG25clNXc9+Ww1Y3jgjrivjhg6HfHrt544dGFhtgfPM60KDIxX0BgnKE0HbpOkvQ7pEM3NsIzrZ9MpYt15hoi/
fqp6q1RlQAVuVxtRPxHMuN/Wl8p7egEtP
enc_mac_key:0CgR4yKpCwQsAvRXPOCUf1ZnXMI=

10:55:37,501 DEBUG [http-8080-2] [ConsumerManager] Retrived response:
assoc_type:HMAC-SHA1
assoc_handle:diAyLjAjd983AjdsDjujgjhg6Hfdiuyjb7dkis2SZjM2aVZ0eklxQT0%3D-
j5HRXRB1VbPyg48jGKE1Q%2B8eo%2B38N
%2FjwBMnxwQdjfu5GjxB67jgGiyxD57gXbnbed4dCgfrst6%2F4M%3D
expires_in:86399
session_type:DH-SHA1
dh_server_public:AIvgIUkdikDj494fFs6ujhFGeeC5JQPHhJp+sL/
9qXyT0hZWj1ajbtmAgZuG25clNXc9+Ww1Y3jgjrivjhg6HfHrt544dGFhtgfPM60KDIxX0BgnKE0HbpOkvQ7pEM3NsIzrZ9MpYt15hoi/
fqp6q1RlQAVuVxtRPxHMuN/Wl8p7egEtP
enc_mac_key:0CgR4yKpCwQsAvRXPOCUf1ZnXMI=

10:55:37,503 DEBUG [http-8080-2] [ParameterList] Created empty
parameter list.
10:55:37,503 DEBUG [http-8080-2] [AssociationSessionType]
Session:Association Type: DH-SHA1:HMAC-SHA1:OpenID1
10:55:37,503 DEBUG [http-8080-2] [AssociationResponse] Created
association response from message parameters:
assoc_type:HMAC-SHA1
assoc_handle:diAyLjAjd983AjdsDjujgjhg6Hfdiuyjb7dkis2SZjM2aVZ0eklxQT0%3D-
j5HRXRB1VbPyg48jGKE1Q%2B8eo%2B38N
%2FjwBMnxwQdjfu5GjxB67jgGiyxD57gXbnbed4dCgfrst6%2F4M%3D
expires_in:86399
session_type:DH-SHA1
dh_server_public:AIvgIUkdikDj494fFs6ujhFGeeC5JQPHhJp+sL/
9qXyT0hZWj1ajbtmAgZuG25clNXc9+Ww1Y3jgjrivjhg6HfHrt544dGFhtgfPM60KDIxX0BgnKE0HbpOkvQ7pEM3NsIzrZ9MpYt15hoi/
fqp6q1RlQAVuVxtRPxHMuN/Wl8p7egEtP
enc_mac_key:0CgR4yKpCwQsAvRXPOCUf1ZnXMI=

10:55:37,504 DEBUG [http-8080-2] [AssociationResponse] Retrieving MAC
key from association response...
10:55:37,504 DEBUG [http-8080-2] [AssociationSessionType]
Session:Association Type: DH-SHA1:HMAC-SHA1:OpenID1
10:55:37,508 DEBUG [http-8080-2] [DiffieHellmanSession] Decrypted MAC
key Base64: f1y3FL6uzST+/CPnqIF+HQQ+E4s=
10:55:37,508 DEBUG [http-8080-2] [AssociationResponse] Decrypted MAC
key (base64): f1y3FL6uzST+/CPnqIF+HQQ+E4s=
10:55:37,508 DEBUG [http-8080-2] [Association] Creating association,
type: HMAC-SHA1 handle:
diAyLjAjd983AjdsDjujgjhg6Hfdiuyjb7dkis2SZjM2aVZ0eklxQT0%3D-
j5HRXRB1VbPyg48jGKE1Q%2B8eo%2B38N
%2FjwBMnxwQdjfu5GjxB67jgGiyxD57gXbnbed4dCgfrst6%2F4M%3D expires: Sat
May 09 10:55:36 PDT 2009
10:55:37,508 DEBUG [http-8080-2] [AssociationResponse] Created
association for handle:
diAyLjAjd983AjdsDjujgjhg6Hfdiuyjb7dkis2SZjM2aVZ0eklxQT0%3D-
j5HRXRB1VbPyg48jGKE1Q%2B8eo%2B38N
%2FjwBMnxwQdjfu5GjxB67jgGiyxD57gXbnbed4dCgfrst6%2F4M%3D
10:55:37,508 DEBUG [http-8080-2] [AssociationSessionType]
Session:Association Type: DH-SHA1:HMAC-SHA1:OpenID1
10:55:37,508 DEBUG [http-8080-2] [AssociationSessionType]
Session:Association Type: DH-SHA1:HMAC-SHA1:OpenID1
10:55:37,509 DEBUG [http-8080-2] [InMemoryConsumerAssociationStore]
Adding association to the in-memory store:
diAyLjAjd983AjdsDjujgjhg6Hfdiuyjb7dkis2SZjM2aVZ0eklxQT0%3D-
j5HRXRB1VbPyg48jGKE1Q%2B8eo%2B38N
%2FjwBMnxwQdjfu5GjxB67jgGiyxD57gXbnbed4dCgfrst6%2F4M%3D with OP:
https://api.screenname.aol.com/auth/openidServer
10:55:37,509 INFO [http-8080-2] [ConsumerManager] Associated with
https://api.screenname.aol.com/auth/openidServer handle:
diAyLjAjd983AjdsDjujgjhg6Hfdiuyjb7dkis2SZjM2aVZ0eklxQT0%3D-
j5HRXRB1VbPyg48jGKE1Q%2B8eo%2B38N
%2FjwBMnxwQdjfu5GjxB67jgGiyxD57gXbnbed4dCgfrst6%2F4M%3D
10:55:37,509 INFO [http-8080-2] [ConsumerManager] Creating
authentication request for OP-endpoint: https://api.screenname.aol.com/auth/openidServer
claimedID: http://openid.aol.com/my_aol_screenname OP-specific ID:
http://openid.aol.com/my_aol_screenname
10:55:37,509 DEBUG [http-8080-2] [IncrementalNonceGenerator] Generated
nonce: 2009-05-08T17:55:37Z0
10:55:37,509 DEBUG [http-8080-2] [ConsumerManager] Creating private
association for opUrl https://api.screenname.aol.com/auth/openidServer
10:55:37,509 DEBUG [http-8080-2] [Association] Generated SHA256 MAC
key: javax.crypto.spec.SecretKeySpec@fa77cdc9
10:55:37,509 DEBUG [http-8080-2] [Association] Creating association,
type: HMAC-SHA256 handle: expires: Fri May 08 11:00:37 PDT 2009
10:55:37,509 DEBUG [http-8080-2] [InMemoryConsumerAssociationStore]
Adding association to the in-memory store: with OP:
https://api.screenname.aol.com/auth/openidServer
10:55:37,510 DEBUG [http-8080-2] [Association] Computing signature for
input data:
http://my-host-name.org/lg/OpenIDLogin?openid.rpnonce=2009-05-08T17%3A55%3A37Z0
10:55:37,512 DEBUG [http-8080-2] [Association] Calculated signature:
JHLRBNgQtW2ehiuVtbTRku9yC9zRsAnlJmHheCj2h5k=
10:55:37,512 INFO [http-8080-2] [ConsumerManager] Inserted consumer
nonce: 2009-05-08T17:55:37Z0
10:55:37,512 DEBUG [http-8080-2] [ConsumerManager] return_to:http://my-
host-name.org/lg/OpenIDLogin?
openid.rpnonce=2009-05-08T17%3A55%3A37Z0&openid.rpsig=JHLRBNgQtW2ehiuVtbTRku9yC9zRsAnlJmHheCj2h5k
%3D
10:55:37,513 DEBUG [http-8080-2] [ParameterList] Created empty
parameter list.
10:55:37,513 DEBUG [http-8080-2] [RealmVerifier] Verifying realm:
http://my-host-name.org/lg/OpenIDLogin on return URL:
http://my-host-name.org/lg/OpenIDLogin?openid.rpnonce=2009-05-08T17%3A55%3A37Z0&openid.rpsig=JHLRBNgQtW2ehiuVtbTRku9yC9zRsAnlJmHheCj2h5k%3D
10:55:37,514 INFO [http-8080-2] [RealmVerifier] Return URL:
http://my-host-name.org/lg/OpenIDLogin?openid.rpnonce=2009-05-08T17%3A55%3A37Z0&openid.rpsig=JHLRBNgQtW2ehiuVtbTRku9yC9zRsAnlJmHheCj2h5k%3D
matches realm: http://my-host-name.org/lg/OpenIDLogin
10:55:37,514 DEBUG [http-8080-2] [AuthRequest] Created auth request:
openid.identity:http://openid.aol.com/my_aol_screenname
openid.return_to:http://my-host-name.org/lg/OpenIDLogin?
openid.rpnonce=2009-05-08T17%3A55%3A37Z0&openid.rpsig=JHLRBNgQtW2ehiuVtbTRku9yC9zRsAnlJmHheCj2h5k
%3D
openid.trust_root:http://my-host-name.org/lg/OpenIDLogin
openid.assoc_handle:diAyLjAjd983AjdsDjujgjhg6Hfdiuyjb7dkis2SZjM2aVZ0eklxQT0%3D-
j5HRXRB1VbPyg48jGKE1Q%2B8eo%2B38N
%2FjwBMnxwQdjfu5GjxB67jgGiyxD57gXbnbed4dCgfrst6%2F4M%3D
openid.mode:checkid_setup

Johnny Bufu

May 8, 2009, 2:52:13 PM
to openi...@googlegroups.com
I see two problematic things on AOL's side:

On Fri, May 08, 2009 at 11:02:57AM -0700, desau wrote:
> 10:55:36,327 DEBUG [http-8080-2] [XrdsParserImpl] Parsing XRDS input:
> <?xml version="1.0" encoding="UTF-8"?>
> <xrds:XRDS
> xmlns:xrds="xri://$xrds"
> xmlns:openid="http://openid.net/xmlns/1.0"
> xmlns="xri://$xrd*($v*2.0)">
> <XRD>
>
> <Service xmlns="xri://$xrd*($v*2.0)">
> <Type>http://specs.openid.net/auth/2.0/return_to</Type>
> <URI>https://api.screenname.aol.com/auth/login</URI>
> </Service>
>
> </XRD>
> </xrds:XRDS>

This is not a server/OP XRDS document: there is no service for the
OpenID authentication types ("http://specs.openid.net/auth/2.0/signon"
or "http://openid.net/signon/1.1").

Not critical, since discovery falls back from Yadis to HTML, but very
likely this is not what AOL intended.

> 10:55:36,683 INFO [http-8080-2] [YadisResolver] Yadis discovered 0
> endpoints from: http://openid.aol.com/my_aol_screenname
> 10:55:36,683 INFO [http-8080-2] [Discovery] No OpenID service
> endpoints discovered through Yadis; attempting HTML discovery...

AOL is however not processing the return_to URL properly; your
AuthRequest contains an RP nonce and signature:

> 10:55:37,514 DEBUG [http-8080-2] [AuthRequest] Created auth request:
> openid.identity:http://openid.aol.com/my_aol_screenname
> openid.return_to:http://my-host-name.org/lg/OpenIDLogin?
> openid.rpnonce=2009-05-08T17%3A55%3A37Z0&openid.rpsig=JHLRBNgQtW2ehiuVtbTRku9yC9zRsAnlJmHheCj2h5k
> %3D
> openid.trust_root:http://my-host-name.org/lg/OpenIDLogin
> openid.assoc_handle:diAyLjAjd983AjdsDjujgjhg6Hfdiuyjb7dkis2SZjM2aVZ0eklxQT0%3D-
> j5HRXRB1VbPyg48jGKE1Q%2B8eo%2B38N
> %2FjwBMnxwQdjfu5GjxB67jgGiyxD57gXbnbed4dCgfrst6%2F4M%3D
> openid.mode:checkid_setup

... but the AuthResponse comes back without them, so the
RP/ConsumerManager fails, as expected:

> +me&openid.assoc_handle=asdfkjlksldkfjsdlkfjsldkjsakdjfslkdjf&openid.return_to=http%3A%2F%2Fmy-host-name.org%2Flg%2FOpenIDLoginResponse%3Fl
> +ogin%3Dtrue&openid.signed=identity%2Creturn_to&openid.sig=ksmcoisemsoifjpsifepdsfsd%3D
> message: http://my-host-name.org/lg/OpenIDLoginResponse?login=true


Johnny

desau

May 8, 2009, 3:55:53 PM
to OpenID4Java
Hmmm -- I see.

Well .. glad to know it's not in my code. I'll be happy to try to
escalate this issue through AOL, but I don't have a lot of faith that
they'll have any fix soon.

Anything else I can do on my side to make this work? How are others
using AOL as an OpenID provider?

Thanks again!
-d
> >http://my-host-name.org/lg/OpenIDLoginResponse?login=true&openid.mode...
> > +me&openid.assoc_handle=asdfkjlksldkfjsdlkfjsldkjsakdjfslkdjf&openid.return _to=http%3A%2F%2Fmy-host-name.org%2Flg%2FOpenIDLoginResponse%3Fl
> > +ogin%3Dtrue&openid.signed=identity%2Creturn_to&openid.sig=ksmcoisemsoifjps ifepdsfsd%3D
> > message:http://my-host-name.org/lg/OpenIDLoginResponse?login=true
>
> Johnny

Johnny Bufu

May 8, 2009, 5:05:40 PM
to openi...@googlegroups.com
On Fri, May 08, 2009 at 12:55:53PM -0700, desau wrote:
> Well .. glad to know it's not in my code. I'll be happy to try to
> escalate this issue through AOL, but I don't have a lot of faith that
> they'll have any fix soon.

You'd be surprised sometimes...

> Anything else I can do on my side to make this work? How are others
> using AOL as an OpenID provider?

Not much besides making sure you're using the correct starting points
(i.e. identity URLs).


Johnny


desau

May 9, 2009, 1:25:34 PM
to OpenID4Java
Just a couple more data points --

Vox and Blogger have the same problem.

-d

desau

May 9, 2009, 1:31:29 PM
to OpenID4Java
... and WordPress

Johnny Bufu

May 10, 2009, 5:04:49 AM
to openi...@googlegroups.com
I've confirmed that the AOL OP works with the DemoRP included in the
sample projects.


There's also an inconsistency in the logs you have posted; you're saying
that your AuthRequest contains this return_to:

http://my-host-name.org/lg/OpenIDLogin? ...

and the AuthSuccess comes back at:

http://my-host-name.org/lg/OpenIDLoginResponse? ...

Something doesn't seem right here. Are you doing any kind of processing
to the messages before passing them to the library?


Johnny

desau

May 11, 2009, 12:57:39 AM
to OpenID4Java
Sorry for the confusion about the "OpenIDLogin" vs
"OpenIDLoginResponse" -- I renamed the servlet between those two log
entries -- so there's no "OpenIDLoginResponse" anymore -- just
"OpenIDLogin".

I'm not aware that I'm doing any message processing before passing to
the library -- most of the code that I'm using came straight out of
the openid4java docs / sample code.

I'll paste my two methods that I'm using (one for sending the request
off to the auth provider, and the other for the callback).

public void sendToOpenIDAuth(String authProvider, HttpServletRequest httpReq,
        HttpServletResponse httpResp) throws IOException, ServletException {
    try {
        // Derive the callback URL from the current request URL: strip the
        // "LoginServlet" tail and point at the OpenIDLogin callback servlet.
        String loginURL = httpReq.getRequestURL().toString();
        int pos = loginURL.indexOf("LoginServlet");
        loginURL = loginURL.substring(0, pos);
        String returnToUrl = loginURL + "OpenIDLogin";

        ConsumerManager manager = new ConsumerManager();
        httpReq.getSession().setAttribute("open_id_consumer_manager", manager);
        manager.getRealmVerifier().setEnforceRpId(false);

        // Discover the OP endpoint(s) for the identifier and associate with one.
        List discoveries = manager.discover(authProvider);
        DiscoveryInformation discovered = manager.associate(discoveries);
        httpReq.getSession().setAttribute("openid-disc", discovered);

        // authenticate() builds the AuthRequest and appends the RP nonce and
        // its signature (openid.rpnonce / openid.rpsig) to return_to.
        AuthRequest authReq = manager.authenticate(discovered, returnToUrl);
        // Overwrites the return_to the library just signed, so the nonce and
        // signature are dropped (the cause identified later in this thread).
        authReq.setReturnTo(returnToUrl + "?login=true");
        authReq.setRealm(returnToUrl);
        if (!discovered.isVersion2()) {
            // OpenID 1.x: plain GET redirect to the OP
            httpResp.sendRedirect(authReq.getDestinationUrl(true));
            return;
        } else {
            // OpenID 2.0: POST the parameters through an auto-submitting form
            RequestDispatcher dispatcher =
                    getServletContext().getRequestDispatcher("/jsp/formredirection.jsp");
            httpReq.setAttribute("parameterMap", authReq.getParameterMap());
            httpReq.setAttribute("destinationUrl", authReq.getDestinationUrl(false));
            dispatcher.forward(httpReq, httpResp);
        }
    } catch (OpenIDException e) {
        // TODO - present error to the user
    }
}


And here's the callback servlet:

import java.io.IOException;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.openid4java.OpenIDException;
import org.openid4java.consumer.ConsumerManager;
import org.openid4java.consumer.VerificationResult;
import org.openid4java.discovery.DiscoveryInformation;
import org.openid4java.discovery.Identifier;
import org.openid4java.message.ParameterList;

// BaseServlet, OpenIDLoader, UserLoader, User, LoginServlet and
// SessionProfile are application classes of the poster's project, not
// part of openid4java, and are not shown here.
public class OpenIDLogin extends BaseServlet
{
    private static final long serialVersionUID = 1L;

    @Override
    public void doGet(HttpServletRequest httpReq, HttpServletResponse resp)
            throws IOException, ServletException {
        if (httpReq.getParameter("login") != null &&
                httpReq.getParameter("login").equals("true")) {
            try {
                ParameterList response =
                        new ParameterList(httpReq.getParameterMap());

                // retrieve the previously stored discovery information
                DiscoveryInformation discovered = (DiscoveryInformation)
                        httpReq.getSession().getAttribute("openid-disc");

                // rebuild the full URL the OP redirected to, query string included
                StringBuffer receivingURL = httpReq.getRequestURL();
                String queryString = httpReq.getQueryString();
                if (queryString != null && queryString.length() > 0)
                    receivingURL.append("?").append(httpReq.getQueryString());

                // the ConsumerManager must be the same instance that created
                // the request, since it holds the association and nonce state
                ConsumerManager manager = (ConsumerManager)
                        httpReq.getSession().getAttribute("open_id_consumer_manager");
                if (manager == null) {
                    resp.sendRedirect("LoginServlet");
                    return;
                }
                VerificationResult verification = manager.verify(
                        receivingURL.toString(), response, discovered);

                // examine the verification result and extract the verified identifier
                Identifier verified = verification.getVerifiedId();
                if (verified != null) {
                    // successful auth .. see if we know who this is.
                    OpenIDLoader oil = new OpenIDLoader(this.getMainDBSettings());
                    OpenIDIdentifier oid = oil.readByIdentifier(verified.getIdentifier());
                    if (oid != null) {
                        // we know who this is .. log them in.
                        UserLoader ul = new UserLoader(this.getMainDBSettings());
                        User us = ul.getUser(oid.getUserCode());
                        LoginServlet.loginUser(httpReq, resp, us,
                                getMainDBSettings(), getForumsDBSettings());
                        LoginServlet.redirectToDesired(httpReq.getSession(), resp);
                        return;
                    } else {
                        // we don't know who this is .. need to link or create new account
                        HttpSession session = httpReq.getSession();
                        @SuppressWarnings("unchecked")
                        Set<String> openIDs = (Set<String>)
                                session.getAttribute("known_open_ids");
                        if (openIDs == null) {
                            openIDs = new HashSet<String>();
                            session.setAttribute("known_open_ids", openIDs);
                        }
                        openIDs.add(verified.getIdentifier());
                        this.showJSP(httpReq, resp);
                        return;
                    }
                } else {
                    SessionProfile sp = getSessionProfile(httpReq.getSession());
                    String dn = (String) httpReq.getSession()
                            .getAttribute("latest_open_id_provider");
                    sp.addErrorMessage("Open ID verification failed with " + dn);
                    resp.sendRedirect("LoginServlet");
                    return;
                }
            } catch (OpenIDException e) {
                // present error to the user
            }

        } else {
            // no login parameter: serve the RP's own XRDS document for
            // return_to verification by the OP
            resp.setContentType("application/xrds+xml");
            String xrd = null;

            String loginURL = httpReq.getRequestURL().toString();

            xrd = "<xrds:XRDS xmlns:xrds=\"xri://$xrds\" xmlns:openid="
                    + "\"http://openid.net/xmlns/1.0\" xmlns=\"xri://$xrd*($v*2.0)\">\n"
                    + "<XRD>\n"
                    + "<Service xmlns=\"xri://$xrd*($v*2.0)\">\n"
                    + "<Type>http://specs.openid.net/auth/2.0/return_to</Type>\n"
                    + "<URI>" + loginURL + "</URI>\n"
                    + "</Service>\n"
                    + "</XRD>\n"
                    + "</xrds:XRDS>";
            try {
                resp.getWriter().write(xrd);
            } catch (IOException e) {
                // TODO Auto-generated catch block
                e.printStackTrace();
            }
        }
    }
}

Johnny Bufu

May 11, 2009, 2:05:02 PM
to openi...@googlegroups.com
Try the demorp from the openid4java package in your servlet container /
application server and see how that goes.


Johnny


desau

May 16, 2009, 1:56:54 AM
to OpenID4Java
Ah sweet success.

Yes - the demorp example works fine with AOL and the others.

With that, I traced through that code and mine, comparing the
differences.

I found that when I execute:
authReq.setReturnTo(returnToUrl + "?login=true");

It would remove the openid.rpnonce and others from the return_to URL.

Easy fix, and now it's working.

Thanks Johnny!

-d
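Added example, not code from the thread or from openid4java: a Python model of the RP-nonce mechanism Johnny describes and of the bug desau found. sign_return_to stands in for what ConsumerManager.authenticate() does to return_to and verify_return_to for the consumer-nonce check on the response; the key, nonce and URLs are constructed, and signing the return_to string with HMAC-SHA256 follows the shape of the log above but is a simplified model, not the library's exact encoding.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed values for this example only (not real keys or nonces).
RP_MAC_KEY = b"constructed-rp-private-association-key"
SAMPLE_NONCE = "2009-05-08T17:55:37Z0"   # same shape as the nonce in the log
RETURN_TO = "http://my-host-name.org/lg/OpenIDLogin"


class NonceVerificationError(Exception):
    """Raised where ConsumerManager logs 'Nonce verification failed.'"""


def _append_query(url, pairs):
    """Append key/value pairs to the query string of url."""
    parts = urlsplit(url)
    extra = urlencode(pairs)
    query = parts.query + "&" + extra if parts.query else extra
    return urlunsplit(parts._replace(query=query))


def sign_return_to(return_to, nonce, key=RP_MAC_KEY):
    """Model of what authenticate() does to return_to: add openid.rpnonce,
    MAC the resulting URL with the RP's private (HMAC-SHA256) association
    key, then append the base64 MAC as openid.rpsig."""
    with_nonce = _append_query(return_to, [("openid.rpnonce", nonce)])
    mac = hmac.new(key, with_nonce.encode("utf-8"), hashlib.sha256).digest()
    sig = base64.b64encode(mac).decode("ascii")
    return _append_query(with_nonce, [("openid.rpsig", sig)])


def verify_return_to(received, key=RP_MAC_KEY, seen=None):
    """Model of the consumer-nonce check on a positive assertion. Returns the
    nonce on success; raises NonceVerificationError otherwise. 'seen' is an
    optional set of already-used nonces for replay protection."""
    parts = urlsplit(received)
    params = parse_qs(parts.query, keep_blank_values=True)
    nonce = params.get("openid.rpnonce", [None])[0]
    sig = params.get("openid.rpsig", [None])[0]
    if nonce is None or sig is None:
        # The branch the thread hit: the OP echoed a return_to that never
        # carried the nonce and signature in the first place.
        raise NonceVerificationError("Null consumer nonce signature.")
    # Rebuild exactly what was signed: the URL with every parameter but rpsig.
    unsigned = [(k, v) for k, vs in params.items() if k != "openid.rpsig" for v in vs]
    signed_input = urlunsplit(parts._replace(query=urlencode(unsigned)))
    expected = hmac.new(key, signed_input.encode("utf-8"), hashlib.sha256).digest()
    if not hmac.compare_digest(base64.b64decode(sig), expected):
        raise NonceVerificationError("Consumer nonce signature mismatch.")
    if seen is not None:
        if nonce in seen:   # each RP nonce is single-use
            raise NonceVerificationError("Consumer nonce already used.")
        seen.add(nonce)
    return nonce


def return_to_as_posted():
    """The order of operations in the posted sendToOpenIDAuth(): the library
    signs return_to, then the application overwrites it with "?login=true",
    discarding openid.rpnonce and openid.rpsig."""
    sign_return_to(RETURN_TO, SAMPLE_NONCE)   # library's work, then thrown away
    return RETURN_TO + "?login=true"


def return_to_fixed():
    """The fix: put the application's own parameter on return_to before the
    library signs it, so login=true, rpnonce and rpsig all survive."""
    return sign_return_to(RETURN_TO + "?login=true", SAMPLE_NONCE)
```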