OpenID implementation

I've been trying to add an OpenID implementation to our internal OpenID provider. As a point of reference, our implementation works with dozens of other packages. But I can't get it to work with YT. I've updated the JAR and the provider performs as expected with the following steps:

1) A new user is taken to the provider web site for validation.
2) Validation appears to occur and the browser attempts to navigate back to YT and receives an error that "<", "/", ">" characters are not permitted in the user id.

The user id in question is an email address so it has an "@" and some "." but no other non-alpha characters.

I've run a Fiddler on the stream and the query string being returned looks accurate to me. The following data is being returned:
openid.assoc_handle = big guid value
openid.claimed_id = http://www.ourprovider/?q=user/14/identity
openid.identity = http://www.ourprovider/?q=user/14/identity
openid.mode = id_res
openid.ns = http://specs.openid.net/auto/2.0
openid.ns.sreg = http://openid.net/extensions/sreg/1.1
openid.op_endpoint = http://www.ourprovider/?q=openid/provider
openid.response_nonce = big guid value
openid.return_to = http://track.ourYTserver.com/openIdInternal
openid.sig = smallish guid value
openid.signed = op_endpoint,return_to,response_nonce,assoc_handle,identity,claimed_id,sreg.nickanme,sreg.email
openid.sreg.email = user's email address (userid)
openid.sreg.nickname = user's email address (userid)

Can anyone tell me what to check next? I would have expected YT to look at the sreg.email value for the user id which is being returned correctly. Is it looking at a different value?
5 comments
No love on this? I could sure use some guidance. This is the only issue holding up our deployment.
Can you, please, attach logs with this error trace?
Here are the primary log and the errors log. I see a beans error, but I'm not sure how to interpret it.
youtrack.log (977KB)
errors.log (86KB)
Also, we use http://schema.openid.net/contact/email and such and not OpenID Simple Registration.
Thank you Pavel. I've added attribute exchange to the provider and now I'm getting a different error message from YT. I'm getting "Can't process openId return URL: MessageException: 0x100: Extension http://openid.net/srv/ax/1.0 MUST be signed; field mode is NOT signed."

It doesn't seem like mode should need to be signed. YT is sending a mode of checkid_setup and our provider is sending back a mode of fetch_response. With an openid.signed value as follows: op_endpoint,return_to,response_nonce,assoc_handle,identity,claimed_id,sreg.nickname,sreg.email,ns.sreg,ns.ext1

The attributes are not in the signed list. Should that be necessary, though? We only really need the user id to be handled with openid.
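The signing rule behind that error, as an added example that is not part of the thread or of YouTrack's own code: a relying-party-side check, in Python, of which fields a positive OpenID 2.0 assertion must list in openid.signed, run over a constructed copy of the response above. The nonce, handle and ext1 values in the sample are assumed placeholders, not data from the thread.

```python
from urllib.parse import parse_qsl

AX_NS = "http://openid.net/srv/ax/1.0"
# OpenID Authentication 2.0 sec. 10.1: always required, plus claimed_id/identity if present.
CORE_REQUIRED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")
CORE_IF_PRESENT = ("claimed_id", "identity")

def parse_return_to_query(query):
    """Parse the query string the OP appended to return_to into a dict."""
    return dict(parse_qsl(query, keep_blank_values=True))

def required_signed_fields(params):
    """Names (without the 'openid.' prefix) that this response must sign."""
    fields = [k[len("openid."):] for k in params if k.startswith("openid.")]
    required = set(CORE_REQUIRED)
    required.update(f for f in CORE_IF_PRESENT if f in fields)
    # Each extension alias (openid.ns.<alias>) must be signed together with all of its
    # fields (<alias>.*); for AX that includes ext1.mode, the "field mode" in the error.
    for alias in [f[len("ns."):] for f in fields if f.startswith("ns.")]:
        required.add("ns." + alias)
        required.update(f for f in fields if f.startswith(alias + "."))
    return required

def unsigned_required_fields(params):
    """Required fields missing from openid.signed, sorted; empty means OK."""
    signed = set(params.get("openid.signed", "").split(","))
    return sorted(required_signed_fields(params) - signed)

def with_required_fields_signed(params):
    """Provider-side fix: copy of params whose openid.signed covers every required field."""
    fixed = dict(params)
    names = [n for n in fixed.get("openid.signed", "").split(",") if n]
    fixed["openid.signed"] = ",".join(names + unsigned_required_fields(params))
    return fixed

# Constructed sample: the thread's id_res response after AX was added (placeholders for secrets).
SAMPLE = parse_return_to_query(
    "openid.ns=http://specs.openid.net/auth/2.0&openid.mode=id_res"
    "&openid.op_endpoint=http://www.ourprovider/?q=openid/provider"
    "&openid.return_to=http://track.ourYTserver.com/openIdInternal"
    "&openid.response_nonce=NONCE&openid.assoc_handle=HANDLE"
    "&openid.claimed_id=http://www.ourprovider/?q=user/14/identity"
    "&openid.identity=http://www.ourprovider/?q=user/14/identity"
    "&openid.ns.sreg=http://openid.net/extensions/sreg/1.1&openid.sreg.email=user@example.com"
    "&openid.ns.ext1=" + AX_NS + "&openid.ext1.mode=fetch_response"
    "&openid.ext1.type.email=http://schema.openid.net/contact/email"
    "&openid.ext1.value.email=user@example.com"
    "&openid.signed=op_endpoint,return_to,response_nonce,assoc_handle,identity,"
    "claimed_id,sreg.nickname,sreg.email,ns.sreg,ns.ext1"
)
```

`unsigned_required_fields(SAMPLE)` names exactly the three AX fields the provider left out of the signed list; signing them (as `with_required_fields_signed` does) is what makes the check pass.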