Google Groups

Re: [google-federated-login-api] OpenID validation became broken on my site

Andrey Pohilko Apr 22, 2012 11:58 PM
Posted in group: Google Federated Login API

I've sent you the full log example that I have.

On Monday, April 23, 2012, 3:33:26 UTC+3, Breno wrote:
Unfortunately I cannot reproduce the issue from my computer yet. When I try check_authentication it succeeds.

I will continue looking into this.

On Saturday, April 21, 2012 1:04:41 PM UTC-7, Andrey Pohilko wrote:

I have made a detailed trace of the communication with the Google OpenID server. Here's the scenario:
1. (my server) makes HEAD request to and gets response headers.
2. makes GET request to the same address, receives XRDS document with <URI></URI> inside it.
3. Loadosophia redirects user to Google (here I have a question if this must be 'id' or 'ud' URI?):
4. User confirms at Google page that he allows to authenticate him. 
5. Google redirects user back to Loadosophia with following data:
openid_ns =>
openid_mode => id_res
openid_op_endpoint =>
openid_response_nonce => 2012-04-21T19:46:45***********
openid_return_to =>
openid_assoc_handle => ***********
openid_signed => op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,ns.ext1,ext1.mode,ext1.type.namePerson_first,ext1.value.namePerson_first,ext1.type.contact_email,ext1.value.contact_email,ext1.type.pref_language,ext1.value.pref_language,ext1.type.contact_country_home,ext1.value.contact_country_home,ext1.type.namePerson_last,ext1.value.namePerson_last
openid_sig => ************=
openid_identity =>***************
openid_claimed_id =>******************
openid_ns_ext1 =>
openid_ext1_mode => fetch_response
openid_ext1_type_namePerson_first =>
openid_ext1_value_namePerson_first => User
openid_ext1_type_contact_email =>
openid_ext1_value_contact_email =>
openid_ext1_type_pref_language =>
openid_ext1_value_pref_language => ru
openid_ext1_type_contact_country_home =>
openid_ext1_value_contact_country_home => KG
openid_ext1_type_namePerson_last =>
openid_ext1_value_namePerson_last => Surname
6. Loadosophia tries to validate the authentication, sending a POST request to with all the above fields and values, with underscores in field names converted to dots and using openid.mode=check_authentication. Google responds "is_valid:false ns:"

I'm totally confused about why the authentication is invalid... When I run the same code from a different computer, everything works like a charm. I wonder if there is some IP/host dependency here...

My service has been down for 3 days because of this :(, I would really appreciate any help...

Thank you!

On Friday, April 20, 2012, 1:46:49 UTC+3, breno wrote:
The approach to nonce validation has been tightened some. Could it
be that the server is mistakenly submitting the request twice?

On Thu, Apr 19, 2012 at 10:07,  <> wrote:
> Hi,
> I use Google OpenID user authentication on my website. I made no changes
> recently, but Google responds to my check_authentication request with:
>> is_valid:false ns:
> I tried to perform the same operation from my test host using the same code
> - it works. Was I banned for some reason? How may I know the reason to
> prevent further issues?
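
Step 6 of the trace above builds the check_authentication POST by turning underscores in the received field names back into dots. As an added example (not code from this thread or from Google), the Python sketch below restores the dotted names from the openid.signed list, so names that themselves contain underscores, such as response_nonce, stay intact. All values and the example hosts are constructed, and the function names are hypothetical.

```python
from urllib.parse import urlencode

# Fields that never appear in openid.signed but must still be echoed back.
UNSIGNED_CORE = ("ns", "mode", "signed", "sig")

def naive_key(mangled):
    """Blind underscore-to-dot conversion; also splits names like response_nonce."""
    return mangled.replace("_", ".")

def dotted_names(received):
    """Map each underscore-form key to its real dotted name via openid.signed."""
    names = list(UNSIGNED_CORE) + received["openid_signed"].split(",")
    table = {"openid_" + n.replace(".", "_"): "openid." + n for n in names}
    unknown = sorted(set(received) - set(table))
    if unknown:
        # Guessing a name would alter the message, so refuse instead.
        raise ValueError("cannot restore field names: %s" % unknown)
    return table

def check_auth_body(received):
    """Form body for the direct verification POST to the OP endpoint."""
    table = dotted_names(received)
    fields = {table[k]: v for k, v in received.items()}
    # Every field is copied unchanged except openid.mode.
    fields["openid.mode"] = "check_authentication"
    return urlencode(fields)

# Constructed sample in the underscore form shown in step 5 (not real data).
SAMPLE = {
    "openid_ns": "http://specs.openid.net/auth/2.0",
    "openid_mode": "id_res",
    "openid_op_endpoint": "https://op.example/endpoint",
    "openid_response_nonce": "2012-04-21T19:46:45ZCONSTRUCTED",
    "openid_return_to": "https://rp.example/return",
    "openid_assoc_handle": "CONSTRUCTED-HANDLE",
    "openid_signed": "op_endpoint,return_to,response_nonce,assoc_handle,"
                     "ns.ext1,ext1.mode,ext1.value.namePerson_first",
    "openid_sig": "Q09OU1RSVUNURUQ=",
    "openid_ns_ext1": "http://openid.net/srv/ax/1.0",
    "openid_ext1_mode": "fetch_response",
    "openid_ext1_value_namePerson_first": "User",
}

if __name__ == "__main__":
    print(naive_key("openid_response_nonce"))  # shows the split name
    print(check_auth_body(SAMPLE))
```
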