cannot login on stackoverflow or dotnetopenid sites

I can confirm the same behavior on StackOverflow and my websites using dotNetOpenAuth library.

I'll start looking at this today. Sign, have you had any luck with a solution?

@sign, thanks for the quick response.

I did some research and was able to determine the error I was receiving with dotnetopenauth interacting with the drupal openid provider was due to the passed return_to url containing a querystring. The drupal openid provider was then appending this querystring parameter (dnoa.userSuppliedIdentifier) twice in the response. This caused it to fail validation by dotnetopenauth after successfully authenticating on the drupal end.

By commenting out both sections of openid_provider.inc that included parse_url and appended the querystring elements I was able to get dotnetopenauth to work with drupal openid provider (lines 126-133 & 329-330). It isn't elegant, but it works. New to drupal and PHP, but it seems that the calls to array_merge() should be removing the duplicate querystring elements, but they seem to not be doing so.

Unfortunately, though my hack works with the most recent release of dotnetopenauth (3.4.4) and other openid consumers it doesn't fix stackoverflow's older version of dotnetopenauth. I'll look for something more elegant.

Here's an example of the querystring returned by the openid provider module:

Query "?dnoa.userSuppliedIdentifier=http%3A%2F%2Fexample.com&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=http%3A%2F%2Fexample.com%2Fopenid%2Fprovider&openid.identity=http%3A%2F%2Fexample.com%2Fuser%2F14%2Fidentity&openid.claimed_id=http%3A%2F%2Fexample.com%2Fuser%2F14%2Fidentity&openid.return_to=http%3A%2F%2Flocalhost%3A61208%2Faccount%2Fauthenticate%3Fdnoa.userSuppliedIdentifier%3Dhttp%253A%252F%252Fexample.com&openid.response_nonce=2010-07-09T20%3A39%3A19ZTQRV&openid.assoc_handle=2010-07-09T19%3A55%3A58ZDLDP&openid.sreg.nickname=Username&openid.sreg.email=username%40example.com&dnoa.userSuppliedIdentifier=http%3A%2F%2Fexample.com&openid.signed=op_endpoint%2Creturn_to%2Cresponse_nonce%2Cassoc_handle%2Cidentity"

Could you provide a patch?

I marked #1002134: Cannot login on stackoverflow.net as a duplicate of this bug.

To repeat myself:

I wonder if this is the same problem as the one I'm having in #1158356: can't login to ikiwiki.info (perl's Net-OpenID-Consumer?), most notably that direct verification (that do not require storage on the client side) is broken...

But since you have been able to fix this without fixing that problem, maybe that's not the issue...

I rolled out a patch in #1158356: can't login to ikiwiki.info (perl's Net-OpenID-Consumer?), can you test it?

Sub.

I confirm this is still failing after the patch, so that's not the fix.

This is the error I am getting:

Unable to log in with your OpenID provider:

The openid.return_to parameter (http://webapps.stackexchange.com/users/authenticate/?s=SECRET_THING_HERE&dnoa.userSuppliedIdentifier=https://id.koumbit.net/anarcat) does not match the actual URL (http://webapps.stackexchange.com/users/authenticate/?s=f81ab7c9-4eaa-4e8c-a8c9-ca89f4b600ef&dnoa.userSuppliedIdentifier=https://id.koumbit.net/anarcat&openid.ns=http://specs.openid.net/auth/2.0&openid.mode=id_res&openid.op_endpoint=https://id.koumbit.net/openid/provider&openid.identity=https://id.koumbit.net/anarcat&openid.claimed_id=https://id.koumbit.net/anarcat&openid.return_to=http://webapps.stackexchange.com/users/authenticate/?s=SECRET_THING_HERE&dnoa.userSuppliedIdentifier=https%253A%252F%252Fid.koumbit.net%252Fanarcat&openid.response_nonce=2011-05-17T20:42:08NONCE&openid.assoc_handle=2011-05-17T20:42:08NONCE2&openid.sreg.nickname=anarcat&openid.sreg.email=anarcat@koumbit.org&s=SECRET_THING_HERE&dnoa.userSuppliedIdentifier=https://id.koumbit.net/anarcat&openid.signed=op_endpoint,return_to,response_nonce,assoc_handle,identity,claimed_id&openid.sig=base64sig=) the request was made with.

I got this to work.

First, you need the patch in #1158356: can't login to ikiwiki.info (perl's Net-OpenID-Consumer?), which gets us a bit further, without it I see:

The following required non-empty parameters were empty in the DotNetOpenAuth.OpenId.Messages.PositiveAssertionResponse message: openid.assoc_handle

So that part is fixed.

I was able to get it working by using the right redirection function!!! Patch attached... We'll run this in production for a while to see if it's good then we'll merge. Please test!

This breaks login on redmine, which uses the ruby-openid library, which is really Janrain's so we should consider this to be a bad fix.

So from what I see here, the response generated by the OP is exactly the same before and after the patch. The *only* difference is the way the response is generated. It looks like redmine doesn't like requests sent through _POST...

So let me get this straight: in order to fix interop with janrain's DotNet implementation, we break ruby's? something is clearly wrong here...

I'm running ruby-openid-2.1.2debian-1

I reported this issue against the ruby library, because I feel the problem is there:

https://github.com/openid/ruby-openid/issues/19

I also filed a bug against redmine itself:

http://www.redmine.org/issues/8399

Let's wait and see where this goes.

People responded on the redmine side with a hotfix, which I tried, and which fails still. Kind of frustrating...

Just bumping this issue to see if anyone may have found any solutions. I have tried applying the prescribed patches listed above in the thread, but to no effect. Like @anarcat, after the patch the error just changes to "The openid.return_to parameter [...]". I played around a bit in the code to see if I could get the openid.return_to parameter to some acceptable value for stackoverflow.com, but found that it didn't appear possible without trying to manually construct it, and it wasn't even clear to me where they got their open.return_to parameter, as if their OpenID installation is somehow broken or not reporting the right error.

If anyone has any solutions, then definitely it would be helpful if they posted it back to this thread.

have you tried the patch in #8? It worked for me, but broke logins on redmine sites. I came to think that the fault was with redmine, not with us so I may apply this patch in the end, if this custom redmine module fixes the openid authentication in the end, see:

http://projects.andriylesyuk.com/projects/openid-fix
http://www.redmine.org/issues/3780
http://www.redmine.org/issues/5966

I'm testing the D7 port so #8 patch didn't apply cleanly. It was just a one line change so I did it manually.

That patch does allow me to successfully login to stackoverflow, which I previously could not do.

That patch doesn't however, fix my inability to login to slashdot with openid. I receive this error on the redirect back to slashdot: "Unable to verify with http://specs.openid.net/auth/2.0/identifier_select."

Cool!

Could you provide an updated patch for D7? Once that's done, please RTBC this patch. :)

I would like to consider slashdot's problem to be seperate if you don't mind. As you saw, openid implementations vary wildly around, and since we have a fix for dotnetopenid, let's focus on that here. Please open a seperate issue for slashdot. Talking with the slashdot people to see what implementation they are using could also be useful.

Here's a new patch which applies to the D7 port of openid_provider. I've tested it and it does allow me to login to stackoverflow via my drupal site.

Give up on redmine and fix logins on stackoverflow, which seems to be following the standards, while redmine seems to need a 1.0 redirect while it is asking for a 2.0 protocol.

This fix is shipped in 6.x-1.0-beta5 and 7.x-1.0-beta2.