[OpenID] Are all implementations created the same?

Guido Sohne guido at sohne.net
Mon Apr 9 07:25:27 UTC 2007


On 4/9/07, Martin Foster <martin at ethereal-realms.org> wrote:
> reasons why I have been combining existing scripts and modules to create
> a singular Crypt::OpenID module other than writing it myself.

There are four values to look for: p, g, private key and public key -
print them out on both the server and the consumer.

The consumer passes its private key, and possibly a p and a g to the
server. The server uses that same p and g with the server private key
to generate a public key which it then passes to the client as well as
a shared secret it keeps to itself. The consumer uses the returned
information together with its own secret information to independently
reconstruct the shared secret.

So in your debug code, you need to be sure that the server has the
same public key as the consumer (the integers printed should be the
same), vice versa as well where the consumer has the server's public
key. The keys should match first of all. Then you should make sure
that the shared secret matches, once that is the case, all you need to
be sure is that you are using the correct bit representation (pad left
with zero until a multiple of 8 bits, I think) and you should be home
free.

> The consumer and server are both running Perl, both using the same
> module to do its generation of hashes and such.  The consumer also works
> on another implementation so, something in the server (I feel is wrong).

If DH is set up properly, the sequence the consumer will go through
will be associate, then checkid_setup (or checkid_immediate). If not,
it will fail when it receives the response and fall back to using
check_auth on the received signature.

It would be helpful if you knew exactly where it was failing on the
consumer side ...

-- G.
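The exchange and the side-by-side debug comparison described in the reply above, as an added example that is not part of this thread or of the Crypt::OpenID module. It is written in Python rather than the thread's Perl, follows the OpenID 1.1 DH-SHA1 association (the consumer sends p, g and its public value; the server answers with its own public value and the MAC key XORed with SHA1(btwoc(shared secret))), and uses btwoc, the spec's minimal big-endian two's-complement encoding, which is the "bit representation" step the reply mentions. The group parameters P and G are constructed toy values for the demo, not the spec's 1536-bit default modulus; the private exponents, field names in the debug dictionaries, and the `compare_views` helper are this example's own choices.

```python
import hashlib
import secrets
from base64 import b64decode, b64encode
from typing import Optional

# Constructed toy group for the demo: a Mersenne prime and a small base.
# Real OpenID associations use the 1536-bit default modulus from the spec;
# the arithmetic and the encoding below are the same for that group.
P = (1 << 89) - 1
G = 3
GROUP_FIELDS = ("p", "g", "consumer_public", "server_public", "shared_secret")


def btwoc(n: int) -> bytes:
    """OpenID btwoc: big-endian two's complement of minimal length, so the
    top bit of the first byte is 0 (a leading 0x00 is added when needed)."""
    if n < 0:
        raise ValueError("btwoc is only defined for non-negative integers")
    return n.to_bytes((n.bit_length() + 8) // 8, "big")  # +1 sign bit, rounded up


def unbtwoc(data: bytes) -> int:
    return int.from_bytes(data, "big", signed=True)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("enc_mac_key must be as long as the SHA1 digest")
    return bytes(x ^ y for x, y in zip(a, b))


class Party:
    """One side of the association: private exponent, public value, and the
    shared secret derived from the peer's public value."""

    def __init__(self, p: int = P, g: int = G, priv: Optional[int] = None):
        self.p, self.g = p, g
        self.priv = priv if priv is not None else secrets.randbelow(p - 2) + 1
        self.pub = pow(g, self.priv, p)

    def shared_secret(self, peer_pub: int) -> int:
        return pow(peer_pub, self.priv, self.p)


def consumer_request(consumer: Party) -> dict:
    """associate request: p, g and the consumer's public value, btwoc + base64."""
    return {
        "openid.dh_modulus": b64encode(btwoc(consumer.p)).decode(),
        "openid.dh_gen": b64encode(btwoc(consumer.g)).decode(),
        "openid.dh_consumer_public": b64encode(btwoc(consumer.pub)).decode(),
    }


def server_associate(request: dict, mac_key: bytes, server_priv: Optional[int] = None):
    """Server side: adopt the consumer's p and g, make a key pair, compute the
    secret, and mask the MAC key with SHA1(btwoc(secret)). Returns the wire
    response plus the values the reply suggests printing for comparison."""
    p = unbtwoc(b64decode(request["openid.dh_modulus"]))
    g = unbtwoc(b64decode(request["openid.dh_gen"]))
    consumer_pub = unbtwoc(b64decode(request["openid.dh_consumer_public"]))
    server = Party(p, g, server_priv)
    secret = server.shared_secret(consumer_pub)
    enc = xor_bytes(hashlib.sha1(btwoc(secret)).digest(), mac_key)
    response = {
        "openid.dh_server_public": b64encode(btwoc(server.pub)).decode(),
        "openid.enc_mac_key": b64encode(enc).decode(),
    }
    debug = dict(zip(GROUP_FIELDS, (p, g, consumer_pub, server.pub, secret)))
    return response, debug


def consumer_finish(consumer: Party, response: dict):
    """Consumer side: recover the MAC key from the server's public value."""
    server_pub = unbtwoc(b64decode(response["openid.dh_server_public"]))
    secret = consumer.shared_secret(server_pub)
    enc = b64decode(response["openid.enc_mac_key"])
    mac_key = xor_bytes(hashlib.sha1(btwoc(secret)).digest(), enc)
    debug = dict(zip(GROUP_FIELDS, (consumer.p, consumer.g, consumer.pub, server_pub, secret)))
    return mac_key, debug


def compare_views(consumer_debug: dict, server_debug: dict) -> dict:
    """The debug recipe from the reply: the same values, taken on both sides,
    must agree field by field. Returns {field: bool}; the first False is the
    place to look (p/g first, then the public values, then the secret)."""
    return {k: consumer_debug[k] == server_debug[k] for k in GROUP_FIELDS}


if __name__ == "__main__":
    consumer = Party()
    mac_key = secrets.token_bytes(20)  # 20-byte HMAC-SHA1 key chosen by the server
    response, sdbg = server_associate(consumer_request(consumer), mac_key)
    recovered, cdbg = consumer_finish(consumer, response)
    for field, ok in compare_views(cdbg, sdbg).items():
        print(f"{field:16s} {'match' if ok else 'MISMATCH'}  consumer={cdbg[field]}  server={sdbg[field]}")
    print("mac_key recovered:", recovered == mac_key)
```

Running the script prints the five values from both sides and whether the consumer recovered the server's MAC key. If p or g already differ, the server ignored the parameters the consumer sent; if only the shared secret differs, one side is exponentiating with the wrong private value; if everything matches but the signature check still fails, the btwoc or base64 step is the remaining suspect.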
