7

I'm writing a Relying Party, and use the Google provider. Yadis leads me to https://www.google.com/accounts/o8/ud, I create an association, and redirect the user's browser to that URL (HTTP 307), and fill in the following query parameters:

  • openid.ns: http://specs.openid.net/auth/2.0
  • openid.mode: checkid_setup
  • openid.assoc_handle: value_received_from_association
  • openid.return_to: http://my_host:and_port/?returned=1

AFAICT, I have filled out everything I'm supposed to provide, yet my user's browser gets a page from Google which says "The page you requested is invalid". In what way?

Kara
Martin v. Löwis

2 Answers

4

The error was literally triggered by not including the openid.claimed_id and openid.identity parameters, which must be set to "http://specs.openid.net/auth/2.0/identifier_select". With these set, I get another error, which can be resolved by also filling out openid.realm, with the same value as openid.return_to.

Even though I also implemented RP discovery, Google does not appear to use it.

Martin v. Löwis
  • Oh ya, don't know how I missed that. :) Actually, the OpenID spec allows for the absence of `openid.claimed_id` and `openid.identity`, but Google and most OPs don't actually support that behavior. – Andrew Arnott Aug 29 '09 at 20:32
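
The fix from the answer above, as an added example that is not part of the original posts: a builder for the `checkid_setup` redirect that includes `openid.claimed_id`, `openid.identity` and `openid.realm`, plus a check that reports what an outgoing request lacks. The function names, the `rp.example` host and the association handle are constructed for illustration.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

OPENID2_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = OPENID2_NS + "/identifier_select"

# The four parameters from the question plus the three the answer added.
NEEDED = ("openid.ns", "openid.mode", "openid.claimed_id", "openid.identity",
          "openid.assoc_handle", "openid.return_to", "openid.realm")


def build_checkid_setup_url(op_endpoint, assoc_handle, return_to):
    """Build the redirect URL with every parameter named in the answer."""
    params = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.assoc_handle": assoc_handle,
        "openid.return_to": return_to,
        "openid.realm": return_to,  # answer: same value as return_to
    }
    sep = "&" if urlsplit(op_endpoint).query else "?"
    return op_endpoint + sep + urlencode(params)


def audit_request(url):
    """List how a checkid_setup URL deviates from the answer's working setup."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    problems = ["missing " + name for name in NEEDED if name not in q]
    for name in ("openid.claimed_id", "openid.identity"):
        if name in q and q[name] != IDENTIFIER_SELECT:
            problems.append(name + " is not identifier_select")
    if "openid.realm" in q and q["openid.realm"] != q.get("openid.return_to"):
        problems.append("openid.realm differs from openid.return_to")
    return problems


ENDPOINT = "https://www.google.com/accounts/o8/ud"  # endpoint from the question
RETURN_TO = "http://rp.example:8080/?returned=1"    # constructed host and port
HANDLE = "constructed-assoc-handle"                 # constructed value

# The request as described in the question: only four parameters.
QUESTION_URL = ENDPOINT + "?" + urlencode({
    "openid.ns": OPENID2_NS, "openid.mode": "checkid_setup",
    "openid.assoc_handle": HANDLE, "openid.return_to": RETURN_TO})
FIXED_URL = build_checkid_setup_url(ENDPOINT, HANDLE, RETURN_TO)

if __name__ == "__main__":
    print(audit_request(QUESTION_URL))
    print(audit_request(FIXED_URL))
```
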
1

Have you set up RP discovery for your site yet? That's something else you need to do, and Google might be enforcing it now.

http://blog.nerdbank.net/2008/06/why-yahoo-says-your-openid-site.html

Andrew Arnott
  • How could this possibly work? The only URL I give to Google is the return_to URL, and I know for a fact that Google is not trying to access it. – Martin v. Löwis Aug 28 '09 at 22:15