[OpenID] Are all implementations created the same?

Guido Sohne guido at sohne.net
Sun Apr 8 22:23:48 UTC 2007


On 4/8/07, Martin Foster <martin at ethereal-realms.org> wrote:
>    Since then I have enabled the server portion and run it through:
> http://www.openidenabled.com/resources/openid-test/diagnose-server/
>
>    In fact they cannot pass on an encrypted key without issues.   I've
> been going through the code, comparing it to known working elements such
> as Net::OpenID::Server.   My code is almost exactly identical to what
> Net::OpenID::Server is using and it's still not getting the same mac_key
> as the consumer does once going down the line.
>
> I'd be interested in making this all-in-one module available (once I
> attribute all the sources).  Is there anyone that might be interested in
> giving the code a second pair of eyes?   See where I am going wrong?

Am not sure I would be thrilled to read Perl. Things to check for the
server side of things are

1) Does Diffie-Hellman key exchange work properly? Both server and
client should arrive at the same shared secret. The client should be
telling the server to use the DH-SHA1 method, too. You say you passed
all the tests there; that means associate is working, but is it
working via exchange through DH, or plaintext?

2) When the server is responding to a check_id or check_immediate
request, you usually need to test the assoc handle given and see if it
belongs in your smart associations. If it does, you use that shared
secret, and if it does not, you create a dumb association instead, and
the consumer will go ahead and verify that with check_auth.

So it would seem you are either looking for the assoc handle presented
in your dumb associations (smart ones should only be created via
associate), or the associate is not working properly (unlikely, since
you pass the associate test).

What do you do with the assoc handle given, and are you sure it is the
same handle that you gave out earlier at associate time?

-- G.
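
Added example, not part of the original message or of any OpenID library: both sides of a DH-SHA1 associate exchange (check 1 above), showing that the consumer recovers the server's mac_key only when both sides hash the same btwoc encoding of the shared secret. The modulus, generator, private keys and mac_key are constructed toy values (not the OpenID default modulus), and unsigned_be is a hypothetical mis-encoding used for contrast.

```python
import hashlib

# Constructed toy parameters, NOT the OpenID default modulus: a 64-bit
# prime keeps the numbers readable; the arithmetic is the same.
P = 2**64 - 59
G = 2

def btwoc(n: int) -> bytes:
    """Big-endian two's complement, as OpenID 1.1 requires: a non-negative
    integer whose top bit is set gets a leading 0x00 byte."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big")

def unsigned_be(n: int) -> bytes:
    """Hypothetical mis-encoding: same bytes, but no leading zero byte."""
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def server_associate(consumer_public: int, server_private: int, mac_key: bytes):
    """Server side of associate: returns (dh_server_public, enc_mac_key)."""
    shared = pow(consumer_public, server_private, P)
    enc = xor(hashlib.sha1(btwoc(shared)).digest(), mac_key)
    return pow(G, server_private, P), enc

def consumer_recover(server_public, consumer_private, enc_mac_key, encode=btwoc):
    """Consumer side: derive the shared secret and unmask the mac_key."""
    shared = pow(server_public, consumer_private, P)
    return xor(hashlib.sha1(encode(shared)).digest(), enc_mac_key), shared

def run_exchange(consumer_private, server_private=0x1234567890ABCDEF,
                 mac_key=bytes(range(20))):  # constructed key material
    """Return (mac_key, key via btwoc, key via unsigned_be, shared secret)."""
    server_public, enc = server_associate(pow(G, consumer_private, P),
                                          server_private, mac_key)
    good, shared = consumer_recover(server_public, consumer_private, enc)
    bad, _ = consumer_recover(server_public, consumer_private, enc, unsigned_be)
    return mac_key, good, bad, shared

if __name__ == "__main__":
    for priv in range(1000, 1008):  # constructed consumer private keys
        mac, good, bad, shared = run_exchange(priv)
        print(priv, "btwoc ok:", good == mac, "unsigned ok:", bad == mac,
              "top bit set:", shared.bit_length() % 8 == 0)
```

The unsigned encoding agrees with btwoc whenever the shared secret's top bit is clear, so a mismatch of this kind shows up only on some associations.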


