But, when I tried to do so, Yahoo! showed me the following warning:
What would Wishlistr need to do to 'confirm its identity' to Yahoo such that users wouldn't see this (likely enthusiasm killing) warning?
I commented on Paul's blog that it might have something to do with OpenID Relying Party discovery. Section 9.2.1 of the OpenID 2 spec defines how to verify the return_to URL in an OpenID authentication.
OpenID providers SHOULD verify that the return_to URL specified in the request is an OpenID relying party endpoint. To verify a return_to URL, obtain the relying party endpoints for the realm by performing discovery on the relying party.
I tried requesting the XRDS description from Wishlistr to no avail (curl --header "Accept: application/xrds+xml" -i -v http://www.wishlistr.com). Section 13 of the OpenID 2 spec makes it a SHOULD for relying parties to support discovery. With the adoption of OpenID 2 just beginning to ramp up, relying parties supporting discovery may be a ways away.
Please note that this is just my guess as to what might be causing the warning. There are many other possible causes as well. Though I do believe that RP discovery is a key feature of OpenID 2.
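
The return_to check quoted above from Section 9.2.1, sketched from the provider's side as an added example (not code from this post, the spec, or Yahoo): it pulls the return_to endpoints out of an XRDS document already fetched from the realm and tests a return_to URL against them. Assumptions: the rp.example and op.example URLs and the XRDS sample are constructed, the HTTP fetch (and the rule that a redirect during discovery fails verification) is left out, and the non-exact match is a simplified, wildcard-free path-prefix rule, with exact=True modelling a stricter provider that wants full equality.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD = "{xri://$xrd*($v*2.0)}"
RETURN_TO_TYPE = "http://specs.openid.net/auth/2.0/return_to"

# Constructed sample: an XRDS document a relying party could serve at its realm.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service>
      <Type>http://specs.openid.net/auth/2.0/return_to</Type>
      <URI>https://rp.example/openid/return</URI>
    </Service>
    <Service>
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op.example/server</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

def rp_endpoints(xrds_text):
    """URIs of every Service element whose Type marks a return_to endpoint."""
    # The document is untrusted input; a real provider should use a hardened parser.
    root = ET.fromstring(xrds_text)
    uris = []
    for svc in root.iter(XRD + "Service"):
        types = [(t.text or "").strip() for t in svc.findall(XRD + "Type")]
        if RETURN_TO_TYPE in types:
            uris += [u.text.strip() for u in svc.findall(XRD + "URI") if u.text]
    return uris

def _parts(url):
    u = urlsplit(url)
    port = u.port or {"http": 80, "https": 443}.get(u.scheme)
    return u.scheme, (u.hostname or "").lower(), port, u.path or "/"

def return_to_verified(return_to, xrds_text, exact=False):
    """True when return_to matches one of the discovered endpoints."""
    r = _parts(return_to)
    for endpoint in rp_endpoints(xrds_text):
        e = _parts(endpoint)
        if exact:
            ok = return_to == endpoint
        else:  # same scheme/host/port, path equal to or below the endpoint path
            ok = r[:3] == e[:3] and (
                r[3] == e[3] or r[3].startswith(e[3].rstrip("/") + "/"))
        if ok:
            return True
    return False
```

A relying party can run the same function over its own XRDS output to see which return_to URLs a provider doing this check would accept.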

3 comments:
Hi, I found your post by searching Google for "openid relying party discovery". I'm implementing OpenID on my site (steak.place.org) and I ran into the same Yahoo problem. They definitely do send a request to my realm, but they don't recognize the <meta http-equiv="X-XRDS-Location"> tag, because they never send a request to that URL. Also, when I just put the Yadis document directly at the realm URL, I get an error page saying "Sorry! Something is not quite right with the request we received from the website you are trying to use." but at least it includes a contact address: openid-feedback@yahoo-inc.com. I'll see if I can get any help from them.
[By the way, I tried to sign onto Blogger using my OpenID, both delegating to LiveJournal and using my LJ address directly, and both times I got a Blogger error page (and it lost my comment draft). Oh well...]
Just to follow up, I finally managed to make the Yahoo warning go away by providing an appropriate Yadis document at the return_to URL. I haven't had any luck making the realm (or endpoint URL in the Yadis document discovered at the realm) be anything other than exactly equal to the return_to URL, but I'm still fiddling around with it. But I thought I should report that they are in fact using some form of relying party discovery (if perhaps overly strict and/or non-conforming).
Interesting. I'm working on the same issue. Can you explain what you meant by making the realm url the same as the return_to url?
How did you technically make that work -- that is, how did you make one url do double-duty (providing the xrds document as well as performing the return_to operation)?
Thanks!