OpenID delegation stopped working

Asked by Rouben on 2009-09-28

Hello!

I've set up an OpenID delegation page, http://id.rouben.net/rouben, for myself, which I've pointed at the Launchpad OpenID service. I've since used it successfully up until last week to log on to a number of sites, including SourceForge, Identi.ca and others. All of a sudden, sometime last week, that stopped working. When I attempt to authenticate with http://id.rouben.net/rouben, I get the following error from Launchpad:

A site identifying as https://identi.ca/ has asked us for confirmation that http://id.rouben.net/rouben is your identity URL. However, that is not a valid Launchpad OpenID identity URL, such as https://launchpad.net/~USER

However, when I try my Launchpad ID page directly, that is https://launchpad.net/~rouben, it works OK. Did Launchpad stop supporting OpenID delegation, or is this some sort of regression bug?

I've tried many different variations of the delegation code on my page, but with no success. Any ideas, or perhaps an official documentation page would be much appreciated.

Question information

Language: English
Status: Solved
For: Launchpad itself
Assignee: No assignee
Solved by: James Henstridge
Solved: 2009-09-29
Last query: 2009-09-29
Last reply: 2009-09-29

This question was reopened

James Henstridge (jamesh) said : #1

Try removing the <meta http-equiv="X-XRDS-Location"> element from the page. We made some changes to the XRDS discovery code to make it easier to cache, but it also makes those XRDS documents inappropriate for use with a delegated identity URL.

Rouben (rouben) said : #2

Hi James,

Thanks for the tip! Curiously enough, when I try the code below, the delegation page doesn't work.

 <link rel="openid.server"
  href="https://login.launchpad.net/+openid" />
 <link rel="openid.delegate"
  href="https://launchpad.net/~rouben" />
 <link rel="openid2.provider"
  href="https://login.launchpad.net/+openid" />
 <link rel="openid2.local_id"
  href="https://launchpad.net/~rouben" />

However, when I try to use my Launchpad ID instead of the ~username, it does work. Just FYI, as this may be a bug. If it's not, in my opinion, using the ~username syntax should still be an option, as it's a lot easier to implement than figuring out one's user ID.

Rouben (rouben) said : #3

Thanks James Henstridge, that solved my question.

Rouben (rouben) said : #4

Spoke too soon! The delegation page doesn't work on all the sites I visit. It works with identi.ca, zooomr.com, however, it still doesn't work with SourceForge.net and any Drupal sites I frequent that use the OpenID auth plugin. In the past I've experienced the same kinds of issues, and those were resolved by adding the XRDS tag.

I'm speculating here, but I have a feeling like XRDS is related to OpenID 2.0, and its removal seems to break it in a delegation context. Thanks again for your help!

Best James Henstridge (jamesh) said : #5

You will need to use the login.launchpad.net ID rather than your Launchpad home page, since that is how the OpenID server identifies you (not all people using the identity server have a Launchpad home page).

If you look at the OpenID discovery information on your home page, you can see that it actually delegates to this URL as well. The OpenID specification does not support "chained delegations" (since they could cause redirection loops), so you can't just specify your Launchpad home page there.

Looking at your delegation page now, I've got two suggestions:

 1. You've got the wrong key names for openid2. It should be openid2.provider and openid2.local_id rather than openid2.server and openid2.delegate.
 2. You've got a bunch of commented out <link> and <meta> tags. Most OpenID libraries don't use a full HTML parser for discovery, so these could be confusing those libraries, so try removing them completely.

Do things work if you fix those two issues?

Rouben (rouben) said : #6

Thanks James Henstridge, that solved my question.

Stas Sușcov (sushkov) said : #7

Hi,
I'm using this for delegation in my <head>:
<link rel="openid.server" href="https://login.launchpad.net/+openid"/>
<link rel="openid.delegate" href="https://login.launchpad.net/+id/HDnmz4T"/>
<link rel="openid2.provider" href="https://login.launchpad.net/+openid"/>
<link rel="openid2.local_id" href="https://launchpad.net/~sushkov"/>
<meta http-equiv="X-XRDS-Location" content="https://login.launchpad.net/+id/HDnmz4T/+xrds" />

But LP still refuses to authenticate me.

Rouben (rouben) said : #8

Stas,

If you read the comments on this question, you will see our problems are related... As James suggested above, it's a good idea to remove the X-XRDS-Location tag from your delegation page. Also don't use https://launchpad.net/~sushkov anywhere in your tags, because that is a delegation page. You can't delegate a delegation page, as James explained to me.

Anyway, based on this knowledge, I suggest that you change your tags to the following:
      <link rel="openid.server" href="https://login.launchpad.net/+openid" />
      <link rel="openid.delegate" href="https://login.launchpad.net/+id/HDnmz4T" />
      <link rel="openid2.provider" href="https://login.launchpad.net/+openid" />
      <link rel="openid2.local_id" href="https://login.launchpad.net/+id/HDnmz4T" />
just these 4 lines.

Also please feel free to check out the delegation page I set up for myself, it works OK with a number of websites I visit:
http://id.rouben.net/rouben
you will see that I also use just these 4 lines.

I hope this helps you solve your OpenID delegation issues.

Stas Sușcov (sushkov) said : #9

On Sun, 2009-10-18 at 17:58 +0000, Rouben wrote:
> Question #84056 on Launchpad itself changed:
> https://answers.launchpad.net/launchpad/+question/84056
>
> Rouben posted a new comment:
> Stas,
>
> If you read the comments on this question, you will see our problems are
> related... As James suggested above, it's a good idea to remove the
> X-XRDS-Location tag from your delegation page. Also don't use
> https://launchpad.net/~sushkov anywhere in your tags, because that is a
> delegation page. You can't delegate a delegation page, as James
> explained to me.
>
> Anyway, based on this knowledge, I suggest that you change your tags to the following:
> <link rel="openid.server" href="https://login.launchpad.net/+openid" />
> <link rel="openid.delegate" href="https://login.launchpad.net/+id/HDnmz4T" />
> <link rel="openid2.provider" href="https://login.launchpad.net/+openid" />
> <link rel="openid2.local_id" href="https://login.launchpad.net/+id/HDnmz4T" />
> just these 4 lines.
>
> Also please feel free to check out the delegation page I set up for myself, it works OK with a number of websites I visit:
> http://id.rouben.net/rouben
> you will see that I also use just these 4 lines.
>
> I hope this helps you solve your OpenID delegation issues.
>

My bad, I ignored most of the comments. Anyway, you were right, the
problem is solved.

Thank you.

--
() ASCII Ribbon Campaign
/\ http://stas.nerd.ro/ascii/

Thorsten Glaser (mirabilos) said : #10

So I basically go to https://launchpad.net/~myname and copy the four link and one meta tag and paste them into my webpage to make things work?

Thanks, great!

Thorsten Glaser (mirabilos) said : #11

Actually, it does not work on https://review.source.android.com/
(Gerrit Code Review), no matter whether I copy the X-XRDS-Location
or use the https://launchpad.net/~foo/+xrds syntax for it.

Now, is my OpenID delegate bogus, or Launchpad, or does Gerrit
not support them?

Thorsten Glaser (mirabilos) said : #12

When removing the X-XRDS-Location it indeed works with Gerrit as well.
Curious… just for the record.
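
A lint for the delegation-page problems identified in replies #1, #5 and #8, as an added example that is not part of any post above and is not Launchpad's code. The names `DelegationLint` and `lint`, the sample page and the `+id/EXAMPLE` placeholder are constructed; treating any `https://launchpad.net/~…` target as a chained delegation is an assumption based on reply #5.

```python
import re
from html.parser import HTMLParser

EXPECTED = {"openid.server", "openid.delegate", "openid2.provider", "openid2.local_id"}
WRONG_V2 = {"openid2.server": "openid2.provider", "openid2.delegate": "openid2.local_id"}
# Assumption from reply #5: Launchpad home pages are themselves delegation pages.
LP_HOME = re.compile(r"^https?://launchpad\.net/~", re.I)
# Constructed sample combining the mistakes discussed in the thread.
BROKEN = """<head>
<link rel="openid.server" href="https://login.launchpad.net/+openid"/>
<link rel="openid.delegate" href="https://login.launchpad.net/+id/EXAMPLE"/>
<link rel="openid2.server" href="https://login.launchpad.net/+openid"/>
<link rel="openid2.local_id" href="https://launchpad.net/~example"/>
<!-- <link rel="openid2.delegate" href="https://launchpad.net/~example"/> -->
<meta http-equiv="X-XRDS-Location" content="https://login.launchpad.net/+id/EXAMPLE/+xrds"/>
</head>"""

class DelegationLint(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self.findings = {}, []  # links maps rel -> href

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "x-xrds-location":
            self.findings.append("xrds-meta: remove X-XRDS-Location from a delegating page")
        if tag == "link":
            for rel in a.get("rel", "").lower().split():
                if rel in WRONG_V2:
                    self.findings.append(f"bad-rel: {rel} should be {WRONG_V2[rel]}")
                elif rel in EXPECTED:
                    self.links[rel] = a.get("href", "")

    def handle_comment(self, data):
        # Discovery code that is not a full HTML parser may still match these.
        if re.search(r"<\s*(link|meta)\b[^>]*(openid|xrds)", data, re.I):
            self.findings.append("commented-tag: delete commented-out OpenID tags")

def lint(html):
    """Return a list of 'code: message' findings for a delegation page."""
    p = DelegationLint()
    p.feed(html)
    p.close()
    p.findings += [f"missing: {r}" for r in sorted(EXPECTED - p.links.keys())]
    for rel in ("openid.delegate", "openid2.local_id"):
        if LP_HOME.match(p.links.get(rel, "")):
            p.findings.append(f"chained: {rel} points at a Launchpad home page")
    d, l = p.links.get("openid.delegate"), p.links.get("openid2.local_id")
    if d and l and d != l:
        p.findings.append("mismatch: openid.delegate and openid2.local_id differ")
    return p.findings
```

Calling `lint(BROKEN)` reports every issue raised in the thread; a page with only the four `<link>` tags from reply #8 returns an empty list.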