Hi, I tracked it for my interest (studying OpenID). As the authentication request, yesod-auth sets openid.claimed_id and openid.identity to "https://mixi.jp". I manually changed them to "http://specs.openid.net/auth/2.0/identifier_select", then the authentication process succeeded. According to "OpenID Authentication 2.0" spec section 7.3.1, it seems proper to use this value. <quote> If the end user entered an OP Identifier, there is no Claimed Identifier. For the purposes of making OpenID Authentication requests, the value "http://specs.openid.net/auth/2.0/identifier_select" MUST be used as both the Claimed Identifier and the OP-Local Identifier when an OP Identifier is entered. </quote> Regards, iwasa P.S. congrats on Yesod 0.7! 2011/1/28 Michael Snoyman :

2011/1/26 いとうかつとし :

...

Hi, I have a question. OpenId plugin in yesod-auth 0.2.0.3 don't support OP identifier? for example, i try japanese SNS mixi.jp, Claimed identifier: https://id.mixi.jp/<myid> => success and login my developed site. OP identifier: https://mixi.jp => fail!! I success to login to mixi, but mixi say the error message: `Given OpenID is not yours, your OpenID is http://id.mixi.jp/<myid>. confirm and try again.' the mixi's developer center say mixi 's OP identifier is https://mixi.jp. anyone success to login by using OP identifier?

I'm not sure what would be causing that bug. OpenID logins like that work just fine on Google. Unfortunately, I do not have a mixi account (and I can't read Japanese), so I cannot debug the problem myself.

Does the problem exist if you try to log in to Haskellers with https://mixi.jp?

The only thing I can think of is that some OpenID providers do not follow the spec and require the realm to be sent. Jeremy Shaw sent me a patch for this, but it only made it into authenticate 0.8, which yesod-auth 0.2 does not use. I just backported this patch and put it in authenticate 0.7.2.4. Can you upgrade to that version and tell me if the bug persists?

Thanks, Michael

_______________________________________________ web-devel mailing list web-devel@haskell.org http://www.haskell.org/mailman/listinfo/web-devel

I confirmed that authenticate-0.8.0.1 works on mixi.jp with both OP Identifier and Claimed Identifier. However, I found one case authentication doesn't work, when OP Identifier responses 301. There is at least one such OP Provider, http://livedoor.com (which is Japanese site also). They say their OP Identifier is "http://livedoor.com/", but it redirects to "http://www.livedoor.com/". 2011/2/7 Michael Snoyman :

Thank you, that was the piece of information I was missing. I've just pushed a commit to Github (https://github.com/snoyberg/authenticate) which should hopefully solve the problem. Since I don't have a mixi.jp account myself, can someone confirm that this new version works before I release it to Hackage?

Thanks, Michael

2011/2/7 iquiw :

...

Hi, I tracked it for my interest (studying OpenID).

As the authentication request, yesod-auth sets openid.claimed_id and openid.identity to "https://mixi.jp". I manually changed them to "http://specs.openid.net/auth/2.0/identifier_select", then the authentication process succeeded.

According to "OpenID Authentication 2.0" spec section 7.3.1, it seems proper to use this value. <quote> If the end user entered an OP Identifier, there is no Claimed Identifier. For the purposes of making OpenID Authentication requests, the value "http://specs.openid.net/auth/2.0/identifier_select" MUST be used as both the Claimed Identifier and the OP-Local Identifier when an OP Identifier is entered. </quote>

Regards, iwasa

P.S. congrats on Yesod 0.7!

2011/1/28 Michael Snoyman :

...

2011/1/26 いとうかつとし :

...

Hi, I have a question. OpenId plugin in yesod-auth 0.2.0.3 don't support OP identifier? for example, i try japanese SNS mixi.jp, Claimed identifier: https://id.mixi.jp/<myid> => success and login my developed site. OP identifier: https://mixi.jp => fail!! I success to login to mixi, but mixi say the error message: `Given OpenID is not yours, your OpenID is http://id.mixi.jp/<myid>. confirm and try again.' the mixi's developer center say mixi 's OP identifier is https://mixi.jp. anyone success to login by using OP identifier?

I'm not sure what would be causing that bug. OpenID logins like that work just fine on Google. Unfortunately, I do not have a mixi account (and I can't read Japanese), so I cannot debug the problem myself.

Does the problem exist if you try to log in to Haskellers with https://mixi.jp?

The only thing I can think of is that some OpenID providers do not follow the spec and require the realm to be sent. Jeremy Shaw sent me a patch for this, but it only made it into authenticate 0.8, which yesod-auth 0.2 does not use. I just backported this patch and put it in authenticate 0.7.2.4. Can you upgrade to that version and tell me if the bug persists?

Thanks, Michael

_______________________________________________ web-devel mailing list web-devel@haskell.org http://www.haskell.org/mailman/listinfo/web-devel