
I am using the latest Janrain openid library example and the discovery process seems to work well with Yahoo, myopenid.com and others...

But I am stuck with Google endpoint (https semicolon //www.google.com/accounts/o8/id). Consumer.php just returns a 406 apache error, before I am redirected to google's page.

All my installation is available here : http://www.coplango.com/vendor/openid/examples/

  • Click on consumer to try the consumer example, but discovery.php fails the same way, proving it happens during discovery...
  • You can also check detect.php to check my installation - The HTTP fetching test fails with a 503 because it tries to reach an address which returns a 503. Rest is fine.

I supposed it was down to php-yadis specifying Accept: application/xrds+xml header but I checked the code and other types are also accepted such as text/html and application/xhtml+xml.

Has anyone come across this?

Any clue?

Thank you very much!

Jim
ccazette

3 Answers


Ok,

I have investigated further and it seems to be down to my provider, who returns a 406 error if any string containing the death word "/id" is passed as GET parameter. Took me days to figure out it was not down to openid !!

For info I am using PlanetHoster, if anyone else ever comes across this. I have sent them a ticket request and am waiting for their answer.

ccazette
  • This seems to have been disabled for security purposes. See this thread if you ever have the same problem : http://stackoverflow.com/questions/1504744/why-would-id-as-a-http-get-parameter-would-be-a-security-breach – ccazette Oct 02 '09 at 10:07
  • I got this error too using timthumb :( My provider is planethoster too.. I'll send them a ticket.. – numediaweb Jan 04 '12 at 16:37
  • the problem is that they don't accept http: as a var in the url. – numediaweb Jan 04 '12 at 16:45

running the consumer example at my machine, i get the following error:

Got no response code when fetching https://www.google.com/accounts/o8/id
CURL error (60): SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

this means curl fails verifying google's https server certificate. you can work around this by either providing curl with CA certificates to verify google's certificate via CURLOPT_CAINFO/CURLOPT_CAPATH, or - easier - stop validating the cert via CURLOPT_SSL_VERIFYPEER. the following change in Auth/Yadis/ParanoidHTTPFetcher.php accomplishes the latter for me:

--- ParanoidHTTPFetcher.php.orig        2009-04-22 02:31:20.000000000 +0800
+++ ParanoidHTTPFetcher.php     2009-09-30 22:35:24.093750000 +0800
@@ -127,6 +127,9 @@
                         Auth_OpenID_USER_AGENT.' '.$curl_user_agent);
             curl_setopt($c, CURLOPT_TIMEOUT, $off);
             curl_setopt($c, CURLOPT_URL, $url);
+
+            // don't verify server cert
+            curl_setopt($c, CURLOPT_SSL_VERIFYPEER, FALSE);

             curl_exec($c);
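
Review bot: the added `curl_setopt($c, CURLOPT_SSL_VERIFYPEER, FALSE);` just before `curl_exec($c)` disables certificate verification unconditionally for every URL this fetcher requests, so an HTTPS discovery fetch no longer authenticates the server it talks to. Suggest leaving verification on and instead pointing curl at a trusted CA bundle with CURLOPT_CAINFO or CURLOPT_CAPATH. If a bypass is kept for local debugging, gate it behind an explicit, default-off setting and state that in the comment, which currently reads only "don't verify server cert".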

of course, your curl installation must also support ssl - check your phpinfo(). also, if CURLOPT_SSL_VERIFYPEER is disabled, CURLOPT_SSL_VERIFYHOST may also need to be TRUE or FALSE.

see also http://www.openrest.eu/docs/openid-not-completely-enabled-for-google.php (via the Related Why doesn't Google OpenID provider work with PHP-OpenId on my server?).

ax.
  • Thank you very much for the answer and links ! I am still surprised that I get a 406 error and not a blank page as specified in the link. 406 is pretty specific : it's supposed to be down to response headers... Anyway, I will try this asap and let you know ! – ccazette Sep 30 '09 at 15:23
  • Humm.. Sadly it doesn't fix the problem.. I'll see if I can give more input. Thanks a lot for the answer, which may have fixed another problem though ! In the meantime, if anyone has a clue of what could be going on here, please drop a line ! – ccazette Sep 30 '09 at 23:21
  • while setting CURLOPT_SSL_VERIFYHOST is quick and easy workaround it may prevent curl from detecting a 'man in the middle' attack. – jayarjo Jul 10 '10 at 20:16
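
The first option named in the answer above (give curl CA certificates via CURLOPT_CAINFO rather than switching verification off), as an added example that is not part of the original thread or of the Janrain library. The function name `fetch_verified` and the default CA bundle path are assumptions.

```php
<?php
// Added example, not part of the Janrain library. The CA bundle path used at
// the bottom is an assumption; point it at your system's PEM bundle.

/**
 * Fetch a URL over HTTPS with peer and host verification left enabled.
 * Returns array('ok' => bool, 'status' => int, 'body' => string, 'error' => string).
 */
function fetch_verified($url, $caBundle)
{
    if (!is_readable($caBundle)) {
        return array('ok' => false, 'status' => 0, 'body' => '',
                     'error' => "CA bundle not readable: $caBundle");
    }

    $c = curl_init();
    curl_setopt_array($c, array(
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 20,
        // Content types named in the question above.
        CURLOPT_HTTPHEADER     => array(
            'Accept: application/xrds+xml, text/html, application/xhtml+xml'),
        CURLOPT_SSL_VERIFYPEER => true,      // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,         // certificate name must match the host
        CURLOPT_CAINFO         => $caBundle, // trust anchors for the chain check
    ));

    $body   = curl_exec($c);
    $errno  = curl_errno($c);
    $error  = curl_error($c);
    $status = (int) curl_getinfo($c, CURLINFO_HTTP_CODE);

    if ($body === false) {
        // Error 60 is the "certificate verify failed" case quoted in the answer.
        $hint = ($errno === 60) ? ' (check that the CA bundle is current)' : '';
        return array('ok' => false, 'status' => 0, 'body' => '',
                     'error' => "CURL error ($errno): $error$hint");
    }
    return array('ok' => $status >= 200 && $status < 300, 'status' => $status,
                 'body' => $body, 'error' => '');
}

// Usage from the command line: php fetch_verified.php <url> [ca-bundle]
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $bundle = isset($argv[2]) ? $argv[2] : '/etc/ssl/certs/ca-certificates.crt';
    $r = fetch_verified($argv[1], $bundle);
    echo $r['ok'] ? "HTTP {$r['status']}, " . strlen($r['body']) . " bytes\n"
                  : "failed: HTTP {$r['status']} {$r['error']}\n";
}
```

A non-2xx status such as the 406 from the question comes back with `ok` false and the status filled in, which separates a server-side rejection from a TLS verification failure.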

SOLUTION:

In the .htaccess file put

SecFilterEngine Off
numediaweb