[OpenID] invalidate_handle question
Jorge Niedbalski
jorge at betazeta.com
Wed Sep 23 13:34:45 UTC 2009
Hello List,
I am currently working on an OpenID consumer, using our own OpenID Provider.
For a short introduction, we are using PHP 5, with GMP && bcmath
support, using OpenID Enabled Version 2.1.3 libraries. Our consumer
instantiates a new OpenID_Consumer as usual, using a custom path for
FileStore session/save.
When we trust in a new association, the server redirects to the
consumer and we get the following response:
Auth_OpenID_FailureResponse Object ( [status] => failure [endpoint] =>
[identity_url] => [message] => Server denied check_authentication
[contact] => [reference] => )
Looking for a backtrace, we can see:
function : _processCheckAuthResponse
function : removeAssociation
Looking a little bit more in depth, we can see that if the response
contains the invalidate_handle tag, the response is invalid
(otherwise you have to use the Dumb Mode?).
    $invalidate_handle = $response->getArg(Auth_OpenID_OPENID_NS,
                                           'invalidate_handle');
    if ($invalidate_handle !== null) {
        $this->store->removeAssociation($server_url,
                                        $invalidate_handle);
    }
Well, in effect, we looked for information in the protocol itself and we
can see the following extra information (OpenID Authentication 1.1,
4.2.3):
If the Identity Provider didn't accept/recognize the provided
assoc_handle for whatever reason, it'll choose its own to use, and
copy the one provided back into openid.invalidate_handle, to tell the
Consumer to stop using it. The Consumer SHOULD then send it along in a
check_authentication (check_authentication) request to verify it
actually is no longer valid.
Finally, our question is: what does "whatever reason" mean in the server
logic? When is the openid.invalidate_handle set?
Thank you in advance; we appreciate any information about this issue.
Jorge Niedbalski R.
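
Added example, not part of the original post and not code from the OpenID Enabled library: a minimal consumer-side handler for the direct check_authentication reply, mirroring the snippet quoted in the post, so that a handle is forgotten only when the provider's own answer names it. The function names, the array-based store, the sample reply bodies and the PHP 7+ syntax are assumptions made for this illustration.

```php
<?php
// Added illustration; function names, the array-based store and the sample
// replies below are hypothetical and constructed, not library code.

// Parse a direct-response body: one "key:value" pair per line.
function parseKeyValueForm(string $body): array
{
    $args = [];
    foreach (explode("\n", trim($body)) as $line) {
        $pos = strpos($line, ':');
        if ($pos === false) {
            continue; // skip malformed lines instead of guessing
        }
        $args[substr($line, 0, $pos)] = substr($line, $pos + 1);
    }
    return $args;
}

// Returns true only when the provider vouches for the signature.
// $store maps server URL => [assoc_handle => secret], passed by reference.
function processCheckAuthResponse(array $args, string $serverUrl, array &$store): bool
{
    // The handle is dropped here, on the provider's direct answer, and not
    // on the browser-delivered redirect, whose parameters a user can edit.
    if (isset($args['invalidate_handle'])) {
        unset($store[$serverUrl][$args['invalidate_handle']]);
    }
    // Anything other than the exact string "true" counts as a denial.
    return ($args['is_valid'] ?? 'false') === 'true';
}

// Constructed sample data.
$server = 'https://op.example/server';
$store  = [$server => ['old-handle' => 'secret-1']];

$accepted = "is_valid:true\ninvalidate_handle:old-handle\n";
$denied   = "is_valid:false\n";

var_dump(processCheckAuthResponse(parseKeyValueForm($accepted), $server, $store));
var_dump(isset($store[$server]['old-handle']));
var_dump(processCheckAuthResponse(parseKeyValueForm($denied), $server, $store));
```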