OpenID problems with Yahoo! accounts - John C. Kirk — LiveJournal
Nov. 22nd, 2009
01:41 am - OpenID problems with Yahoo! accounts
As I described in my previous post, I now have a sample website up and running that accepts OpenID logins:
Unfortunately, it doesn't work properly with Yahoo! at the moment; any suggestions are welcome.
By the way, if you have a Yahoo! account, and you want to use it as an OpenID, there's an extra step that doesn't apply to other providers. You have to enable the account first, at this page:
Click the "Get Started" button in the top right, then sign in (if necessary), and it will generate an ID for you. You shouldn't need to use it, but that's what gets stored at RP (Relying Party) sites.
If you try to use your Yahoo! account to log into LiveJournal (you have to log out first!), you will see a warning like this:
You can still continue, but it looks a bit ominous. When I first set up my test site, and tested my Yahoo! account, I got a similar warning:
There's some more info about the warning on these websites:
OpenID, You and Yahoo!: "Why Yahoo! OpenID doesn't think you're good enough for your users"
Why Yahoo! says your OpenID site's identity is not confirmed
Let the rest discover your OpenID relying party
Basically, Yahoo! are working to v2.0 of the OpenID standard, which is a bit more rigorous than v1.1, so they want to know a bit more information about RPs. So, the solution is to create an XRDS document and advertise it on my website. Yahoo! will then consult this document before they ask people about passing their credentials to my site.
I could just do nothing; that's apparently the approach that LiveJournal have taken. However, I don't want to train people to ignore warning messages, because that could cause problems for them later. Also, if someone asks me "What does that warning mean?", the answer would then be "It means that I'm not smart enough to set up my website properly", and my pride makes me reluctant to accept that. Unfortunately, this is rather complicated.
Here's the XRDS document that I created:
<?xml version="1.0" encoding="UTF-8"?> <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns:openid="http://openid.net/xmlns/1.0" xmlns="xri://$xrd*($v*2.0)"> <XRD> <Service priority="1"> <Type>http://specs.openid.net/auth/2.0/return_to</Type> <URI>http://jck.golgotha.org.uk/WebRPApplication1/Login.aspx</URI> </Service> </XRD> </xrds:XRDS>
The samples at the websites I mentioned above are a bit different, so I've based this on Andrew Arnott's version, since he wrote DotNetOpenAuth (the library I'm using). I'm not quite sure about the URI: I've tried it with "http" and "https", and I've tried the login page (Login.aspx) and the home page (Default.aspx), but none of that seems to make any difference.
This file needs a content type of "application/xrds+xml". In IIS, you achieve this by going to Properties for the server, then clicking "MIME Types..." You can then add a new item to the list, specifying the extension and MIME type:
(I think you have to restart IIS after you do this.)
I used the Live HTTP Headers add-on for Firefox to check whether this was working. Following Andrew Arnott's advice, I initially saved this document as xrds.aspx, then added a new MIME type for ".aspx". However, that didn't work; the content type was "text/html". That makes sense, since the .NET framework recognises aspx files and treats them in a special way. In IIS 6, there's no way to override this for specific files; I'm not sure about IIS 7. (I later found this blog post which suggests that Arnott is rewriting URLs on the fly, so that's probably how he got around it.) I renamed the file to xrds.xrd, since that extension isn't being used for anything else, and verified that I get the correct content-type.
I stored this file in the application folder:
I also modified the web.config file to make sure that everyone can access this file without needing to log in:
<location path="xrds.xrd"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location>
I'm not sure whether that's necessary, because I think that this site allows access by default, but it's harmless to leave it there for now. Once I get this all working, I'll take that out and see whether anything breaks.
The next step is to advertise this file. In IIS, I selected Default.aspx, and went to Properties, then the "HTTP Headers" page. I added a new custom header to specify the X-XRDS-Location:
Now, when I try to log in using my Yahoo! account, I get an error:
This is actually worse than before, because there's no way for me to say "Continue anyway". However, I've checked my firewall logs, and I can see that the Yahoo! servers are connecting to my main application (just the folder name) then retrieving the xrds.xrd file, then I get a third log entry that says "A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake." There are no errors, so I don't know where it's going wrong. I really need to get some more detailed diagnostics, to find out which specific error has occurred, so once I've posted this I'll go to the Yahoo! Development Network and see whether they have any ideas.
Anyway, if you can see anything obvious that I've missed, please let me know.