[OpenID] check_authentication
James Tindall
james at atomless.com
Thu Jul 24 10:03:31 UTC 2008
I'm trying to test how the RP library I'm working on handles stateless
mode - all works fine up to the point where I request that the OP verify
the sig in the response. Whatever OP I try they all respond that the sig
is not valid. It seems it must be some bug in my code but I really can't
figure out what the problem could be?
For testing I'm forcing stateless session mode, so there's no
association negotiated and the only params sent in the redirect url are
openid.ns, openid.mode, openid.realm, openid.return_to, openid.identity
and openid.claimed_id (also for testing purposes I'm preventing any
extensions being added). The response to the authentication request is
positive and passes all verification tests right up to the point where I
request the OP to verify the sig, the response for which always contains
is_valid=FALSE. I have checked and checked and double checked that - as
the specs dictate - the check_authentication request post data only
contains the exact same query params as received from the OP in the
positive assertion except with the mode changed to 'check_authentication'.
As the response of is_valid=false is so uninformative and as far as I
can tell I have followed the specs this has me kind of stumped.
I know this is tricky without source code or debug data but does anyone
have any idea as to what could be the problem - or what I should try in
order to find out??
many thanks,
=james.tindall
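
The check_authentication step described in the message above, as an added example that is not part of the original post or of any OpenID library: it builds the POST body from the decoded openid.* fields of the positive assertion and then compares the decoded values on both sides. The sample query string, host names and function names are constructed assumptions.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed positive assertion as it arrives on the return_to URL (not real OP data).
SAMPLE_QUERY = (
    "nonce=abc"  # the RP's own return_to parameter, not an OpenID field
    "&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
    "&openid.mode=id_res"
    "&openid.op_endpoint=https%3A%2F%2Fop.example%2Fserver"
    "&openid.claimed_id=https%3A%2F%2Fuser.example%2F"
    "&openid.identity=https%3A%2F%2Fuser.example%2F"
    "&openid.return_to=https%3A%2F%2Frp.example%2Freturn%3Fnonce%3Dabc"
    "&openid.response_nonce=2008-07-24T10%3A03%3A31Zx1"
    "&openid.assoc_handle=%7BHMAC-SHA1%7D%7Bconstructed%7D"
    "&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle"
    "&openid.sig=a%2Bb%2Fc%3D"
)

def openid_fields(query):
    """Decode a query string or POST body and keep only the openid.* fields."""
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True)
            if k.startswith("openid.")}

def build_check_auth_body(return_query):
    """Copy every openid.* field unchanged, replacing only openid.mode."""
    fields = openid_fields(return_query)
    fields["openid.mode"] = "check_authentication"
    return urlencode(fields)  # re-encodes '+', '/', '=' so values survive the POST

def copy_problems(return_query, post_body):
    """List every difference between the assertion and the verification request."""
    received, sent = openid_fields(return_query), openid_fields(post_body)
    problems = []
    if sent.get("openid.mode") != "check_authentication":
        problems.append("openid.mode is not check_authentication")
    for name in sorted(set(received) | set(sent)):
        if name == "openid.mode":
            continue
        if name not in sent:
            problems.append(f"{name}: missing from request")
        elif name not in received:
            problems.append(f"{name}: not in the assertion")
        elif sent[name] != received[name]:
            problems.append(f"{name}: value changed in transit")
    for short in received.get("openid.signed", "").split(","):
        if short and "openid." + short not in received:
            problems.append(f"openid.{short}: in openid.signed but absent from assertion")
    return problems
```

An empty list from `copy_problems` means the request carries exactly the values the OP sent, decoded and compared field by field.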