Wednesday, April 09, 2008

Discovering OpenID Relying Parties

Yesterday Paul blogged about his experience logging into Wishlistr with his Yahoo OpenID.

But, when I tried to do so, Yahoo! showed me the following warning:

[screenshot of the Yahoo! warning]

What would Wishlistr need to do to 'confirm its identity' to Yahoo! so that users wouldn't see this (likely enthusiasm-killing) warning?

I commented on Paul's blog that it might have something to do with OpenID Relying Party discovery. Section 9.2.1 of the OpenID 2 spec defines how to verify the return_to URL in an OpenID authentication.

OpenID providers SHOULD verify that the return_to URL specified in the request is an OpenID relying party endpoint. To verify a return_to URL, obtain the relying party endpoints for the realm by performing discovery on the relying party.


I tried requesting the XRDS document from Wishlistr, to no avail (curl --header "Accept: application/xrds+xml" -i -v http://www.wishlistr.com). Section 13 of the OpenID 2 spec makes it a SHOULD for relying parties to support discovery. With adoption of OpenID 2 only just starting to ramp up, relying parties that support discovery may still be some way off.
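To make the two spec sections concrete, here is the check an OpenID provider would run written out as an added example (it is not code from this post, from Wishlistr or from Yahoo!). It performs Yadis discovery on a relying party realm by the three mechanisms section 13 allows (content negotiation on Accept: application/xrds+xml, an X-XRDS-Location response header, and the equivalent meta tag), pulls the return_to endpoints out of the XRDS document, and then applies the section 9.2.1 verification. The network is replaced by a table of constructed responses so it runs offline; the example.com hosts, the sample XRDS documents, and the strict option (exact equality instead of realm-style matching) are all assumptions of this example, and the realm comparison in realm_matches is my reading of section 9.2.

```python
"""Relying-party discovery and return_to verification as an OpenID provider would
do it under OpenID 2.0 sections 9.2, 9.2.1 and 13 (offline; hosts are made up)."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XRDS_MIME = "application/xrds+xml"
XRD_NS = "xri://$xrd*($v*2.0)"
RETURN_TO_TYPE = "http://specs.openid.net/auth/2.0/return_to"

def sample_xrds(return_to):
    """Minimal Yadis/XRDS document advertising one return_to endpoint."""
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            f'<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="{XRD_NS}"><XRD>\n'
            f'  <Service><Type>{RETURN_TO_TYPE}</Type><URI>{return_to}</URI></Service>\n'
            '</XRD></xrds:XRDS>')

HTML = {"content-type": "text/html"}
XRDS = {"content-type": XRDS_MIME}
# Constructed responses in place of HTTP: url -> {"default": (headers, body),
# XRDS_MIME: ...}.  Each host shows one Yadis discovery mechanism; the last, none.
FAKE_HTTP = {
    "https://rp.example.com/": {            # honours Accept: application/xrds+xml
        "default": (HTML, "<html><body>rp</body></html>"),
        XRDS_MIME: (XRDS, sample_xrds("https://rp.example.com/openid/return"))},
    "https://hdr.example.com/": {           # X-XRDS-Location response header
        "default": ({**HTML, "x-xrds-location": "https://hdr.example.com/yadis.xml"},
                    "<html><body>hdr</body></html>")},
    "https://hdr.example.com/yadis.xml": {
        "default": (XRDS, sample_xrds("https://hdr.example.com/auth/return"))},
    "https://meta.example.com/": {          # <meta http-equiv="X-XRDS-Location">
        "default": (HTML, '<html><head><meta http-equiv="X-XRDS-Location" '
                          'content="https://meta.example.com/yadis.xml"></head></html>')},
    "https://meta.example.com/yadis.xml": {
        "default": (XRDS, sample_xrds("https://meta.example.com/auth/return"))},
    "https://noyadis.example.com/": {       # nothing to discover (the Wishlistr case)
        "default": (HTML, "<html><body>plain page</body></html>")},
}
META_RE = re.compile(
    r'<meta\s+http-equiv=["\']x-xrds-location["\']\s+content=["\']([^"\']+)["\']', re.I)

def fetch(url, accept=XRDS_MIME):
    """Stand-in for an HTTP GET with an Accept header -> (headers, body) or None."""
    variants = FAKE_HTTP.get(url)
    return None if variants is None else variants.get(accept, variants["default"])

def discover_xrds(realm, max_hops=3):
    """Yadis discovery: XRDS by content negotiation, else follow the
    X-XRDS-Location header, else the meta tag.  Returns XRDS text or None."""
    url = realm
    for _ in range(max_hops):
        resp = fetch(url)
        if resp is None:
            return None
        headers, body = resp
        if headers.get("content-type", "").split(";")[0].strip() == XRDS_MIME:
            return body
        m = META_RE.search(body)
        url = headers.get("x-xrds-location") or (m and m.group(1))
        if not url:                         # no pointer to an XRDS document
            return None
    return None

def return_to_endpoints(xrds_text):
    """URIs of every <Service> typed as an OpenID 2.0 return_to endpoint."""
    uris = []
    for svc in ET.fromstring(xrds_text).iter(f"{{{XRD_NS}}}Service"):
        types = {t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text}
        if RETURN_TO_TYPE in types:
            uris += [u.text.strip() for u in svc.findall(f"{{{XRD_NS}}}URI") if u.text]
    return uris

def realm_matches(realm, url):
    """Section 9.2 realm comparison as I read it: same scheme and port, host equal
    or under a leading '*.' wildcard, URL path at or below the realm path."""
    r, u = urlparse(realm), urlparse(url)
    if r.fragment or r.scheme != u.scheme or r.port != u.port:
        return False
    rhost, uhost, rpath = r.hostname or "", u.hostname or "", r.path or "/"
    if rhost.startswith("*."):
        host_ok = uhost == rhost[2:] or uhost.endswith(rhost[1:])
    else:
        host_ok = uhost == rhost
    return host_ok and (u.path == rpath or u.path.startswith(rpath.rstrip("/") + "/"))

def verify_return_to(realm, return_to, strict=False):
    """The OP-side check of section 9.2.1.  strict=True demands exact equality with
    a discovered endpoint, the behaviour the comments below report from Yahoo."""
    if not realm_matches(realm, return_to):
        return False, "return_to is outside the realm"
    xrds = discover_xrds(realm)
    if xrds is None:
        return False, "relying party discovery failed: no XRDS found"
    for endpoint in return_to_endpoints(xrds):
        if return_to == endpoint or (not strict and realm_matches(endpoint, return_to)):
            return True, endpoint
    return False, "return_to is not among the discovered endpoints"
```

The noyadis host is the situation this post describes: the page comes back as plain HTML with no XRDS pointer, discovery yields nothing, and an OP that insists on section 9.2.1 has no way to confirm the return_to URL belongs to the realm, so a warning like Yahoo!'s is the expected outcome. Against a real site you would replace fetch with an HTTP client that sends the Accept header and follows redirects, and parse the XRDS with the same return_to_endpoints.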

Please note that this is just my guess as to what might be causing the warning; there are many other possible causes as well. That said, I do believe that RP discovery is a key feature of OpenID 2.

5 comments:

Doug Orleans said...

Hi, I found your post by searching Google for "openid relying party discovery". I'm implementing OpenID on my site (steak.place.org) and I ran into the same Yahoo problem. They definitely do send a request to my realm, but they don't recognize the <meta http-equiv="X-XRDS-Location"> tag, because they never send a request to that URL. Also, when I just put the Yadis document directly at the realm URL, I get an error page saying "Sorry! Something is not quite right with the request we received from the website you are trying to use." but at least it includes a contact address: openid-feedback@yahoo-inc.com. I'll see if I can get any help from them.

[By the way, I tried to sign onto Blogger using my OpenID, both delegating to LiveJournal and using my LJ address directly, and both times I got a Blogger error page (and it lost my comment draft). Oh well...]

dougo said...

Just to follow up, I finally managed to make the Yahoo warning go away by providing an appropriate Yadis document at the return_to URL. I haven't had any luck making the realm (or endpoint URL in the Yadis document discovered at the realm) be anything other than exactly equal to the return_to URL, but I'm still fiddling around with it. But I thought I should report that they are in fact using some form of relying party discovery (if perhaps overly strict and/or non-conforming).

Robb said...

Interesting. I'm working on the same issue. Can you explain what you meant by making the realm url the same as the return_to url?

How did you technically make that work -- that is, how did you make one url do double-duty (providing the xrds document as well as perform the return_to operation)?

Thanks!

Prem Pillai said...

Hi Doug,
Following up on Robb's comments, we are all interested in knowing how you got rid of the Yahoo warning. I'm stuck at the same point. I have my XRDS being served piping hot at a URL and my realm URL contains the meta tag pointing to the XRDS. But, somehow, it's not working. I'm interested in your solution. Thanks a ton.

Robb said...

Hi,

I got it working after some trial and error. You can query my site -- look at the HTML source for the home page, and examine the headers.

If there's interest, I could do a little write-up of getting it working in Ruby on Rails.

http://greenfabric.com

- Robb
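Robb asks above how one URL can do double duty, serving the XRDS document and still handling the return_to request, and Doug reports that the Yahoo warning went away once the Yadis document was available at the return_to URL itself. One way to arrange that, as an added example in Python (WSGI) rather than the Ruby on Rails code Robb mentions, and not code from anyone in this thread: wrap the existing return_to handler so the same URL answers with XRDS when the client asks for it in the Accept header and otherwise serves the normal response with an X-XRDS-Location header pointing back at itself. rp.example.com, the demo handler and the call helper are assumptions of this example.

```python
"""One URL that is both the OpenID return_to endpoint and its own Yadis/XRDS
discovery document, so an OP doing relying-party discovery finds an endpoint
exactly equal to return_to.  WSGI, offline; rp.example.com is made up."""
from urllib.parse import urlparse

XRDS_MIME = "application/xrds+xml"
RETURN_TO_TYPE = "http://specs.openid.net/auth/2.0/return_to"

def xrds_document(return_to):
    """Yadis document advertising return_to as this RP's OpenID 2.0 endpoint."""
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"><XRD>\n'
            f'  <Service><Type>{RETURN_TO_TYPE}</Type><URI>{return_to}</URI></Service>\n'
            '</XRD></xrds:XRDS>')

def with_rp_discovery(return_to, handle_return):
    """Wrap handle_return, the WSGI app already serving the return_to URL, so the
    same URL answers discovery: XRDS when Accept asks for it, otherwise the normal
    response plus an X-XRDS-Location header pointing back at this very URL."""
    path = urlparse(return_to).path or "/"

    def app(environ, start_response):
        if environ.get("PATH_INFO", "/") != path:
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found"]
        if XRDS_MIME in environ.get("HTTP_ACCEPT", ""):
            body = xrds_document(return_to).encode("utf-8")
            start_response("200 OK", [("Content-Type", XRDS_MIME),
                                      ("Content-Length", str(len(body)))])
            return [body]

        def start_with_location(status, headers, exc_info=None):
            # For OPs that fetch the page as HTML instead of negotiating.
            return start_response(status, headers + [("X-XRDS-Location", return_to)], exc_info)

        return handle_return(environ, start_with_location)
    return app

def demo_return_handler(environ, start_response):
    """Stand-in for the site's real return_to handler, which would pass the
    query string in environ to its OpenID consumer library for verification."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html><body>openid response received</body></html>"]

def call(app, path, accept="", query=""):
    """Tiny WSGI driver for trying the app without a server: (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "QUERY_STRING": query, "HTTP_ACCEPT": accept}
    body = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"], captured["headers"], body

RETURN_TO = "https://rp.example.com/openid/return"   # made-up return_to URL
rp_app = with_rp_discovery(RETURN_TO, demo_return_handler)
```

To serve it for real, hand rp_app to any WSGI server (for instance wsgiref.simple_server.make_server from the standard library) behind the hostname in RETURN_TO. Because the advertised URI is exactly the return_to URL, it satisfies even an OP that, as Doug describes, requires the discovered endpoint to equal return_to rather than merely cover it; an OP that sends Accept: application/xrds+xml gets the document in one round trip, and one that fetches HTML first still finds the pointer in the X-XRDS-Location header.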