[OpenID] Random failures when validating signatures
Richard Davies
richard at richarddavies.us
Thu Nov 13 16:36:29 UTC 2008
I've been working on a ColdFusion OpenID library (to implement a
relying party). When validating the signature returned by the OpenID
provider, sometimes it passes and sometimes it fails (about 50/50).
(I've tested it against a couple of different providers so I'm
confident that I'm actually receiving a valid signature.)

Since my library sometimes reports that the signature is invalid (even
though it isn't), I'm trying to figure out where the bug is in my
library. I'm thinking it might be a character encoding issue when
calculating the MAC key or the HMAC-SHA1 signature.

Anyway, I'm having a hard time finding exactly where my bug is because
I have to go through a series of calculations to come up with the
signature, and I don't know if I've messed up somewhere until I reach
the end of the process and compare it with the signature returned by
the provider.

Is there any sort of OpenID "debugger" anywhere? Ideally I'd like to
be able to feed specific provider responses to a working OpenID
algorithm that would show the correct values and calculations at
various stages during the process of validating that response. Then I
could compare those values to the ones my algorithm computes and
hopefully figure out where in the process my bug is.

Does anyone know of any tools that do that?
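
Added example, not part of the original post: a Python trace of the stages the message describes (DH-SHA1 MAC key recovery, then the HMAC-SHA1 signature over the signed fields), following OpenID Authentication 2.0, so each intermediate value can be compared with another implementation's. The function names, the sample fields and the sample key are constructed for illustration, and the field values are assumed to be already URL-decoded.

```python
import base64
import hashlib
import hmac

def btwoc(n: int) -> bytes:
    """Big-endian two's-complement bytes of a non-negative integer.
    A leading 0x00 is required whenever the top bit of the first byte is set."""
    raw = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw

def recover_mac_key(enc_mac_key_b64: str, dh_shared_secret: int) -> bytes:
    """DH-SHA1 association: MAC key = SHA1(btwoc(shared secret)) XOR enc_mac_key."""
    pad = hashlib.sha1(btwoc(dh_shared_secret)).digest()
    enc = base64.b64decode(enc_mac_key_b64)
    if len(enc) != len(pad):
        raise ValueError("enc_mac_key must decode to 20 bytes for DH-SHA1")
    return bytes(a ^ b for a, b in zip(pad, enc))

def trace_signature(fields: dict, mac_key: bytes) -> dict:
    """Recompute an HMAC-SHA1 assertion signature, exposing every stage."""
    signed = fields["openid.signed"].split(",")
    # Key-Value Form: "key:value\n" per signed field, in listed order, as UTF-8,
    # with the "openid." prefix removed from each key.
    token = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode("utf-8")
    computed = base64.b64encode(hmac.new(mac_key, token, hashlib.sha1).digest())
    received = fields.get("openid.sig", "").encode("utf-8")
    return {
        "signed": signed,
        "token_hex": token.hex(),
        "mac_key_hex": mac_key.hex(),
        "computed_sig": computed.decode("ascii"),
        "valid": hmac.compare_digest(computed, received),  # constant-time compare
    }

# Constructed sample input (not captured from a real provider).
SAMPLE_MAC_KEY = bytes(range(20))
SAMPLE_FIELDS = {
    "openid.mode": "id_res",
    "openid.return_to": "https://rp.example/return?next=caf\u00e9",
    "openid.assoc_handle": "constructed-handle",
    "openid.signed": "mode,return_to,assoc_handle,signed",
    "openid.sig": "",
}

if __name__ == "__main__":
    for stage, value in trace_signature(SAMPLE_FIELDS, SAMPLE_MAC_KEY).items():
        print(f"{stage}: {value}")
```

The hex output of the token and the MAC key makes byte-level differences (a missing `btwoc` pad byte, a non-UTF-8 encoding of a field value) visible before the final comparison.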