[OpenID] check_authentication

James Tindall james at atomless.com
Thu Jul 24 15:36:45 UTC 2008


Thanks for your suggestions Dan! Your intuition was correct, I realised 
with help from Shane Weeder that some of my code catering for OpenID 1 
responses without a response_nonce was replacing the response_nonce in 
OpenID 2 responses with the RP generated nonce.

=james.tindall

Dan Ragle wrote:
> Just some guesses:
>
> Are you sure you're sending everything back; especially assoc_handle,
> sig, response_nonce, signed, op_endpoint (i.e., the things you didn't
> send in your original request but received from the OP)?
>
> Are you sending the data as a POST request (required for direct
> requests), and not a GET?
>
> Is there perhaps some type of character encoding (or lack thereof)
> going on behind the scenes that may be altering the values of the
> parameters that are actually being sent to the OP? I.E., is the
> content-type being set to application/x-www-form-urlencoded and
> the data actually properly URL encoded? I like to use wireshark
> to ensure I know exactly what the data looks like pre and post my
> script getting it.
>
> Are you checking for true/false (lower case)?
>
> Hope this is helpful...
>
> Dan
>
>   
>> I'm trying to test how the RP library I'm working on handles stateless 
>> mode - all works fine up to the point where I request that the OP verify 
>> the sig in the response. Whatever OP I try they all respond that the sig 
>> is not valid. It seems it must be some bug in my code but I really can't 
>> figure out what the problem could be?
>>
>> For testing I'm forcing stateless session mode, so there's no 
>> association negotiated and the only params sent in the redirect url are 
>> openid.ns, openid.mode, openid.realm, openid.return_to, openid.identity 
>> and openid.claimed_id (also for testing purposes I'm preventing any 
>> extensions being added). The response to the authentication request is 
>> positive and passes all verification tests right up to the point where I 
>> request the OP to verify the sig, the response for which always contains 
>> is_valid=FALSE. I have checked and checked and double checked that - as 
>> the specs dictate - the check_authentication request post data only 
>> contains the exact same query params as received from the OP in the 
>> positive assertion except with the mode changed to 'check_authentication'.
>>
>> As the response of is_valid=false is so uninformative and as far as I 
>> can tell I have followed the specs this has me kind of stumped.
>>
>> I know this is tricky without source code or debug data but does anyone 
>> have any idea as to what could be the problem - or what I should try in 
>> order to find out??
>>
>> many thanks,
>>
>> =james.tindall
>>
>>
>>
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
>>
>>
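The thread boils down to three rules for a stateless-mode RP: send back every openid.* field exactly as the OP returned it (only openid.mode changes), POST it as application/x-www-form-urlencoded, and compare is_valid against the lowercase string "true". The sketch below is an added example written for this page; it is not code from James's RP library or from any OpenID project. The sample assertion, the OP endpoint URL, the handle and the signature are constructed values, and build_check_authentication/verify_op_reply are illustrative names. It also shows the bug James found: an RP-side nonce kept for OpenID 1.x replay tracking must never replace an OP-supplied openid.response_nonce, because response_nonce is a signed field and any change to it makes the OP re-sign a different message.

```python
from urllib.parse import urlencode, parse_qsl

OPENID2_NS = "http://specs.openid.net/auth/2.0"

# Constructed sample: the query string of a positive (id_res) assertion as an
# OP would redirect it to the RP's return_to URL. All values are made up.
SAMPLE_ASSERTION_QUERY = (
    "openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
    "&openid.mode=id_res"
    "&openid.op_endpoint=https%3A%2F%2Fop.example.com%2Fserver"
    "&openid.claimed_id=https%3A%2F%2Falice.example.org%2F"
    "&openid.identity=https%3A%2F%2Falice.example.org%2F"
    "&openid.return_to=https%3A%2F%2Frp.example.net%2Freturn"
    "&openid.response_nonce=2008-07-24T15%3A36%3A45ZabcDEF"
    "&openid.assoc_handle=stateless-handle-1"
    "&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2C"
    "response_nonce%2Cassoc_handle"
    "&openid.sig=ZmFrZXNpZ25hdHVyZQ%3D%3D"
)


def build_check_authentication(assertion_query, rp_nonce=None, op_endpoint=None):
    """Return (endpoint, body_bytes, headers) for a direct check_authentication request.

    Every openid.* parameter is copied from the assertion unchanged; only
    openid.mode is rewritten. rp_nonce is an RP-generated nonce an OpenID 1.x
    RP might track for replay protection; it is deliberately never written
    into the request (that substitution is the bug discussed in the thread).
    op_endpoint is only needed for 1.x responses, which carry no openid.op_endpoint.
    """
    params = dict(parse_qsl(assertion_query, keep_blank_values=True))
    if params.get("openid.mode") != "id_res":
        raise ValueError("check_authentication applies only to an id_res assertion")

    is_v2 = params.get("openid.ns") == OPENID2_NS
    if is_v2 and "openid.response_nonce" not in params:
        raise ValueError("OpenID 2.0 positive assertions must carry openid.response_nonce")

    # Sanity check before the round trip: every field the OP claims to have
    # signed must actually be present, or the OP cannot reconstruct the message.
    signed = params.get("openid.signed", "")
    missing = [f for f in signed.split(",") if f and "openid." + f not in params]
    if missing:
        raise ValueError("signed fields missing from assertion: %s" % ", ".join(missing))

    check = {k: v for k, v in params.items() if k.startswith("openid.")}
    check["openid.mode"] = "check_authentication"
    # rp_nonce is intentionally unused here: it must not leak into signed fields.

    body = urlencode(check).encode("utf-8")  # properly form-encoded POST body
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    endpoint = params.get("openid.op_endpoint") if is_v2 else op_endpoint
    if not endpoint:
        raise ValueError("no OP endpoint known for this assertion")
    return endpoint, body, headers


def parse_kv_response(text):
    """Parse an OpenID Key-Value form response (one 'key:value' per line)."""
    fields = {}
    for line in text.split("\n"):
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed KV line: %r" % line)
        fields[key] = value
    return fields


def verify_op_reply(text):
    """True only if the OP answered is_valid:true (lowercase, per the spec).

    Anything else, including 'TRUE', a missing key or a malformed body,
    fails closed.
    """
    try:
        fields = parse_kv_response(text)
    except ValueError:
        return False
    return fields.get("is_valid") == "true"


if __name__ == "__main__":
    endpoint, body, headers = build_check_authentication(
        SAMPLE_ASSERTION_QUERY, rp_nonce="rp-local-nonce"
    )
    print("POST", endpoint, headers)
    print(body.decode())
    # A real RP would POST body to endpoint here and feed the reply to verify_op_reply.
    print(verify_op_reply("ns:%s\nis_valid:true\n" % OPENID2_NS))
```

When is_valid still comes back false after this, Dan's remaining suggestion applies: capture the actual bytes on the wire (wireshark, or logging the body right before the HTTP call) and diff them field by field against the assertion query, since the OP will not tell you which signed field differs.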