[OpenID] Interoperability problem with OpenID POST response between myopenid and Google

Peter Williams pwilliams at rapattoni.com
Sat May 23 16:34:17 UTC 2009


A while ago, I tried a similar experiment (mostly to get a feeling for the maturity of openid, while having fun with per-user CTLs stored at RPs for managing https trust models).

I put a large cert (a long string in reality) in myopenid account profile. This worked reasonably at the UI, would persist, and indeed induced use of the POST binding when the value was asserted. The RP was Andrew's .NET library (using his site's demo RP), which correctly processed the POST and the large-valued attribute. There were no signature exceptions reported.

________________________________________
From: general-bounces at openid.net [general-bounces at openid.net] On Behalf Of André Cruz [andre.cruz at co.sapo.pt]
Sent: Saturday, May 23, 2009 5:49 AM
To: general at openid.net
Subject: [OpenID] Interoperability problem with OpenID POST response between myopenid and Google

Hello.

I've detected a problem regarding openid responses that are sent via
POST (when they exceed the 2047 byte limit on URLs).

For example, create a myopenid account and a persona with a very large
full name and nickname so as to force openid responses (those that
request these attributes) to go via POST.

myopenid -> blogger FAIL
myopenid -> plaxo FAIL
myopenid -> sourceforge FAIL

Claimid is even worse. It does not convert the response to a POST and
so the URL is cropped.

I then built a custom OP based on janrain python lib (I think myopenid
is based on this) and a custom SP based on openid4java. Although they
talked to one another correctly using POST responses, my OP still
failed against blogger, plaxo and sourceforge, and my SP didn't accept
myopenid POST responses, throwing an invalid signature...

Who's got the correct implementation? :)

Best regards,
André Cruz
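
Added example, not code from either poster or from any library named in this thread: a minimal OpenID 2.0 positive assertion that the OP sends as a redirect while the URL fits in 2047 bytes and as an auto-submitted HTML form otherwise, with the RP verifying the same key-value-form signature on both paths. It assumes an HMAC-SHA256 association; all function names, hosts and field values are constructed for illustration, and it does not diagnose the failures reported above.

```python
import base64, hashlib, hmac, html, re
from urllib.parse import parse_qsl, urlencode, urlsplit

URL_LIMIT = 2047  # URL byte limit quoted in the message above

def sample(fullname):  # constructed assertion fields, not taken from the thread
    return {"openid.ns": "http://specs.openid.net/auth/2.0",
            "openid.mode": "id_res",
            "openid.op_endpoint": "https://op.example/server",
            "openid.claimed_id": "https://op.example/user",
            "openid.identity": "https://op.example/user",
            "openid.return_to": "https://rp.example/return",
            "openid.response_nonce": "2009-05-23T16:34:17Zabc123",
            "openid.assoc_handle": "h1", "openid.sreg.fullname": fullname}

def kv_form(msg, keys):
    # OpenID 2.0 key-value form: "key:value\n" per signed field, UTF-8 encoded
    return "".join(f"{k}:{msg['openid.' + k]}\n" for k in keys).encode("utf-8")

def sign(fields, mac_key):
    msg = dict(fields)
    keys = [k[len("openid."):] for k in fields]  # sign every field, in order
    msg["openid.signed"] = ",".join(keys)
    mac = hmac.new(mac_key, kv_form(msg, keys), hashlib.sha256).digest()
    msg["openid.sig"] = base64.b64encode(mac).decode("ascii")
    return msg

def op_respond(msg, return_to):
    # Redirect when the URL fits, otherwise an HTML form for the browser to POST
    url = return_to + ("&" if "?" in return_to else "?") + urlencode(msg)
    if len(url.encode("utf-8")) <= URL_LIMIT:
        return "GET", url
    inputs = "".join('<input type="hidden" name="%s" value="%s">'
                     % (html.escape(k), html.escape(v)) for k, v in msg.items())
    return "POST", ('<form method="post" accept-charset="UTF-8" action="%s">%s</form>'
                    % (html.escape(return_to), inputs))

def wire_params(method, payload):
    # What reaches the RP: the query string, or the body a browser would submit
    if method == "GET":
        return urlsplit(payload).query
    pairs = re.findall(r'name="([^"]*)" value="([^"]*)"', payload)
    return urlencode([(html.unescape(k), html.unescape(v)) for k, v in pairs])

def rp_verify(encoded, mac_key):
    # Signature check only; a real RP also validates return_to, nonce and discovery
    msg = dict(parse_qsl(encoded, keep_blank_values=True))
    keys = msg["openid.signed"].split(",")
    want = hmac.new(mac_key, kv_form(msg, keys), hashlib.sha256).digest()
    return hmac.compare_digest(want, base64.b64decode(msg["openid.sig"]))
```

The signature covers the decoded field values, so the check is the same whichever binding carried them; both sides have to decode the transport as UTF-8 before rebuilding the key-value form.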

