
Yahoo and AOL are submitting a request to /_ah/xrds on one of my App Engine apps. My understanding is that XRDS is part of the response when providing OpenIDs. I do not intend to provide OpenIDs. I am assuming for now that someone is trying to exploit a loophole in the OpenID system for things like spam, since I have received requests from Russia on this as well. This is an area I have very little experience in, so I could be incorrect in my assumptions and questions; feel free to correct me.

Why are Yahoo and AOL sending requests to /_ah/xrds?

How do I respond to that request in python/webapp2 to let them know I don't provide OpenID?

Mark Finch

1 Answer


If you could post when in the flow this request is coming, it will help debug the problem. However, the most likely explanation is that Yahoo! and AOL are trying to perform discovery on the provided "realm" string to ensure that the return_to URL can be discovered from the site specified by the realm string. This is a security measure specified in sections 11.1 and 13 of the OpenID 2.0 spec.

The normal flow for the AOL OpenID Provider is to verify the return_to URL (as per section 11.1), which performs discovery (XRDS, from section 13) on the realm string. If the return_to URL cannot be verified, then AOL will display a warning message to the user in the UI.

A related, more detailed description of the above flow and how to resolve can be found here: AOL openid website verification

  • That's just it, it is coming in out of the blue. Both Yahoo and AOL sent the request last night about 12:30 pm server time (PST) to my homepage, then the next request they sent was to /_ah/xrds a few milliseconds apart. They never hit /login, where a login request might be generated. I am using the App Engine Users service for logins; doesn't it provide the XRDS? I haven't tried with AOL as I don't have an AOL account, but logins work from Google/Yahoo. – Mark Finch Jun 06 '12 at 16:35
  • I'm not sure if GAE supports XRDS discovery or not. I'd be happy to try and log in if that will help debug things. I just need the URL to hit. Could it be that some other site used your realm string and so Yahoo and AOL came to your server as part of XRDS discovery? I don't know that I'd respond to the request at all for now. If you see DoS levels of requests from AOL please let me know. – George Fletcher Jun 06 '12 at 17:03
  • If you want to return an XRDS document that says the site is only a relying party, then you can use the XRDS sample referenced in the "AOL openid website verification" question linked to in my answer. – George Fletcher Jun 06 '12 at 17:14
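The return_to verification flow the answer describes, and the relying-party-only XRDS document the last comment suggests, as an added example in plain Python (it is not code from the question, the answer, or App Engine, and it does not touch webapp2). One side builds the XRDS document a relying party can serve; the other side models what an OP such as Yahoo! or AOL does with it: fetch it from the realm, pull out the `return_to` service URIs, and check the `return_to` in the authentication request against the realm (OpenID 2.0 section 9.2 matching rules) and against the published URIs (sections 11.1 and 13). The host `rp.example.com`, the realm and the return_to paths are made-up values, not the asker's site; treating each published URI as a prefix the way a realm is matched follows what python-openid's `verifyReturnTo` does and is an assumption about OP behaviour.

```python
"""Added example, not code from the original question or answer.

Models OpenID 2.0 return_to verification: an OP fetches an XRDS document
from the realm and checks that the return_to URL in the authentication
request matches one the relying party publishes (sections 9.2, 11.1, 13).
All URLs (rp.example.com, /_ah/login_redir, ...) are made-up examples.
"""
from urllib.parse import urlsplit
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

RETURN_TO_TYPE = "http://specs.openid.net/auth/2.0/return_to"
XRDS_NS = "xri://$xrds"
XRD_NS = "xri://$xrd*($v*2.0)"
DEFAULT_PORTS = {"http": 80, "https": 443}


def build_rp_xrds(return_to_urls):
    """Return the XRDS document a relying-party-only site can serve.

    It lists only return_to endpoints (section 13) and deliberately carries
    no OP service element, so it says nothing about providing OpenIDs.
    """
    services = "".join(
        "    <Service>\n"
        f"      <Type>{RETURN_TO_TYPE}</Type>\n"
        f"      <URI>{escape(url)}</URI>\n"
        "    </Service>\n"
        for url in return_to_urls
    )
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<xrds:XRDS xmlns:xrds="{XRDS_NS}" xmlns="{XRD_NS}">\n'
        "  <XRD>\n"
        f"{services}"
        "  </XRD>\n"
        "</xrds:XRDS>\n"
    )


def url_matches_realm(url, realm):
    """Section 9.2 matching: same scheme and port, host equal or under a
    '*.' wildcard, URL path equal to or a sub-directory of the realm path.
    A realm must not carry a fragment; the URL's query string is ignored."""
    r, u = urlsplit(realm), urlsplit(url)
    if r.fragment or r.scheme != u.scheme:
        return False
    if (r.port or DEFAULT_PORTS.get(r.scheme)) != (u.port or DEFAULT_PORTS.get(u.scheme)):
        return False
    r_host, u_host = (r.hostname or "").lower(), (u.hostname or "").lower()
    if r_host.startswith("*."):
        suffix = r_host[2:]
        if not (u_host == suffix or u_host.endswith("." + suffix)):
            return False
    elif r_host != u_host:
        return False
    r_path, u_path = r.path or "/", u.path or "/"
    if not u_path.startswith(r_path):
        return False
    # "/app" must not match "/application": the remainder has to start a new segment
    return r_path.endswith("/") or len(u_path) == len(r_path) or u_path[len(r_path)] == "/"


def discovered_return_to_urls(xrds_text):
    """Extract the return_to URIs from an XRDS document, as an OP does in discovery."""
    root = ET.fromstring(xrds_text.encode("utf-8"))
    urls = []
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = [t.text for t in svc.findall(f"{{{XRD_NS}}}Type")]
        if RETURN_TO_TYPE in types:
            urls.extend(uri.text for uri in svc.findall(f"{{{XRD_NS}}}URI") if uri.text)
    return urls


def verify_return_to(return_to, realm, xrds_text):
    """Section 11.1 check as an OP applies it: return_to must lie within the
    realm and must match one of the return_to URIs published at the realm.
    Each published URI is matched like a realm (prefix match, no wildcard
    allowed); that mirrors python-openid's verifyReturnTo and is an
    assumption about OP behaviour rather than a verbatim rule of the spec."""
    if not url_matches_realm(return_to, realm):
        return False
    return any(
        "*." not in allowed and url_matches_realm(return_to, allowed)
        for allowed in discovered_return_to_urls(xrds_text)
    )
```

To serve the document from a webapp2 handler, write the string `build_rp_xrds([...])` returns with `Content-Type: application/xrds+xml` at the URL the OP requests (or point to it with an `X-XRDS-Location` header on the realm page). Because the document lists only `return_to` URIs, an OP that reads it learns the site is a relying party and nothing more; a `return_to` outside the listed prefixes fails `verify_return_to`, which is the condition under which AOL shows its warning.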