OpenID implementation

I've been trying to add an OpenID implementation to our internal OpenID provider. As a point of reference, our implementation works with dozens of other packages. But I can't get it to work with YT. I've updated the JAR and the provider performs as expected with the following steps:

1) A new user is taken to the provider web site for validation.
2) Validation appears to occur and the browser attempts to navigate back to YT and receives an error that "<", "/", ">" characters are not permitted in the user id.

The user id in question is an email address so it has an "@" and some "." but no other non-alpha characters.

I've run a Fiddler on the stream and the query string being returned looks accurate to me. The following data is being returned:
openid.assoc_handle = big guid value
openid.claimed_id = http://www.ourprovider/?q=user/14/identity
openid.identity = http://www.ourprovider/?q=user/14/identity
openid.mode = id_res
openid.ns =
openid.ns.sreg =
openid.op_endpoint = http://www.ourprovider/?q=openid/provider
openid.response_nonce = big guid value
openid.return_to =
openid.sig = smallish guid value
openid.signed = op_endpoint,return_to,response_nonce,assoc_handle,identity,claimed_id,sreg.nickanme, = user's email address (userid)
openid.sreg.nickname = user's email address (userid)

Can anyone tell me what to check next? I would have expected YT to look at the value for the user id which is being returned correctly. Is it looking at a different value?
No love on this? I could sure use some guidance. This is the only issue holding up our deployment.
Can you, please, attach logs with this error trace?
Here are the primary log and the errors log. I see a beans error, but I'm not sure how to interpret it.
youtrack.log (977KB)
errors.log (86KB)
Also, we use and such and not OpenID Simple Registration.
Thank you Pavel. I've added attribute exchange to the provider and now I'm getting a different error message from YT. I'm getting "Can't process openId return URL: MessageException: 0x100: Extension MUST be signed; field mode is NOT signed."

It doesn't seem like mode should need to be signed. YT is sending a mode of checkid_setup and our provider is sending back a mode of fetch_response, with an openid.signed value as follows: op_endpoint,return_to,response_nonce,assoc_handle,identity,claimed_id,sreg.nickname,,ns.sreg,ns.ext1

The attributes are not in the signed list. Should that be necessary, though? We only really need the user id to be handled with openid.
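
An added example, not part of the thread and not YouTrack's or the provider's code: a small audit of a captured id_res query string that reports which fields the openid.signed list leaves uncovered, following the rule in the quoted error that extension fields must be signed. The hostnames, nonce, handle, signature and attribute values are constructed placeholders, and `audit_signed` is a hypothetical helper name; only the shape of the signed list is taken from the post above.

```python
from urllib.parse import parse_qsl, urlencode

# OpenID 2.0 requires these in openid.signed (the last two only when present).
ALWAYS_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
SIGNED_IF_PRESENT = {"claimed_id", "identity"}


def audit_signed(query_string):
    """Return (bad_entries, unsigned) for a captured id_res query string."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    fields = {k[7:]: v for k, v in params.items() if k.startswith("openid.")}
    entries = fields.get("signed", "").split(",")
    # Entries that are empty or name no field actually present in the response.
    bad_entries = [e for e in entries if e not in fields]
    # Extension aliases are declared as openid.ns.<alias>=<type URI>.
    aliases = {k[3:] for k in fields if k.startswith("ns.")}
    must_sign = ALWAYS_SIGNED | (SIGNED_IF_PRESENT & set(fields))
    # Assumption: like the relying party in the thread, require every field
    # under a declared extension alias (ext1.mode, sreg.nickname, ...) signed.
    must_sign |= {k for k in fields if "." in k and k.split(".", 1)[0] in aliases}
    return bad_entries, sorted(must_sign - set(entries))


# Constructed sample modelled on the second response described in the thread.
SAMPLE = urlencode({
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/?q=openid/provider",
    "openid.claimed_id": "https://op.example/?q=user/14/identity",
    "openid.identity": "https://op.example/?q=user/14/identity",
    "openid.return_to": "https://rp.example/openid/return",
    "openid.response_nonce": "2020-01-01T00:00:00Zconstructed",
    "openid.assoc_handle": "constructed-handle",
    "openid.ns.sreg": "http://openid.net/extensions/sreg/1.1",
    "openid.sreg.nickname": "user@example.com",
    "openid.ns.ext1": "http://openid.net/srv/ax/1.0",
    "openid.ext1.mode": "fetch_response",
    "openid.ext1.type.email": "http://axschema.org/contact/email",
    "openid.ext1.value.email": "user@example.com",
    "openid.signed": "op_endpoint,return_to,response_nonce,assoc_handle,identity,"
                     "claimed_id,sreg.nickname,,ns.sreg,ns.ext1",
    "openid.sig": "constructed-signature",
})

if __name__ == "__main__":
    bad_entries, unsigned = audit_signed(SAMPLE)
    print("signed entries that are empty or unknown:", bad_entries)
    print("fields not covered by the signature:", unsigned)
```

Any field the audit lists as unsigned can be altered in transit without invalidating openid.sig, which is why a relying party that consumes those values refuses them.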