[OpenID] Yahoo and localhost
James Walker
walkah at walkah.net
Wed Jan 30 12:28:41 PST 2008
On 30-Jan-08, at 3:21 PM, Danny Burkes wrote:
> Hi everyone-
>
> I'm in the process of developing a new product that will be an RP. We
> have RP functionality already working using ruby-openid 2.03, and we
> can successfully authenticate against both OpenID 1.0 and 2.0
> providers.
>
> Today Yahoo turned on their IdP functionality, so I thought I'd try
> it, and it wouldn't authenticate me when I run our app on my local
> development machine- I just get redirected to a page at Yahoo that
> says "Sorry! Something is not quite right with the request we received
> from the website you are trying to use".
>
> However, if I try to authenticate running our app on a publicly-
> available server (our staging server), it authenticates fine against
> the Yahoo IdP.
>
> The only difference I can see in the two authentication transactions
> is that, when running on my local development machine,
> openid.return_to is like "http://localhost:3000/...", whereas when
> running from the staging machine, it's like "http://
> our.staging.server/...".
>
> Does the Yahoo IdP refuse authentication requests that specify
> localhost in the return_to? If so, it seems like a big flub, as it
> locks out developers.
>
> Thanks for any enlightenment you can provide.
>
I ran into the exact same thing when doing some compatibility testing
for the Drupal RP module. Y!'s OP seems to reject any incomplete URL
(i.e. without a proper TLD). I didn't test it extensively, but
uploading to a staging server / publicly addressable machine fixes it.
The other thing to be aware is that Y!'s OP will complain if you
haven't implemented RP discovery - so users will get a strict warning
about safety.
Cheers,
--
James Walker :: http://walkah.net/ :: xmpp:walkah at walkah.net
More information about the general
mailing list