[OpenID] Bug in OpenID RP implementations
Eric Norman
ejnorman at doit.wisc.edu
Thu Jan 1 21:18:24 UTC 2009
On Jan 1, 2009, at 2:45 PM, Andrew Arnott wrote:
> Eric,
>
> I believe it is exactly the problem that Peter is facing.
>
> Regarding the behavior you saw, Eric, DotNetOpenId doesn't ever demote
> https to http (or if so it would be a bug), but it will go through all
> endpoints listed for a given OpenID and chooses from among that list.
> So if your OpenID has multiple service endpoints listed (through an
> XRDS file) can you check whether a non HTTPS OP Endpoint is among the
> list?
The address bar said http, but I might have looked
to quickly. It could have been protectnetwork that
did the demotion.
> I'd very much like to know the particular OpenID you were trying it
> with so I can examine the behavior if you'd care to share (perhaps off
> the list if you wish).
https://ejnorman.protectnetwork.org
This has worked at some OpenID sites in the past.
In any case, there's certainly a bug somewhere since
the error message I quoted is complaining about
something I never typed.
Eric Norman
More information about the general
mailing list