New problem with LJ's OpenID Provider support (I think)
[Oct. 28th, 2008 | 01:04 pm]
Howdy, all. I'm new to this community, although an old hand at programming and a fairly longtime LJ user. I *think* I've hit a new bug -- I toss it out here for advice on what to do with it. Keep in mind that I'm pretty new to OpenID, and trying to puzzle out a lot of confusing symptoms.
Context: I'm bootstrapping a new communication service by the name of CommYou. It deliberately doesn't maintain its own social network, but instead uses existing social networks for the social infrastructure. I'm using LJ as one of my initial networks to support, since it's relatively friendly to outside apps and that's where all of *my* friends are. So I'm acting as the relying party / consumer, with LJ as the identity and social network provider.
I got OpenID support working a month or two ago, and that's been going okay. I've hit one or two snags, mostly because the open-source library I'm using, OpenID4Java, is pretty strict in its interpretation of the protocol, but nothing that was really slowing me down. However, sometime recently OpenID login through LJ stopped working. My *guess* is that this was on the 23rd, since the release notes for that day say that there were changes to the OpenID stack, but it could have been any time in the past few weeks.
After much digging, I found that the problem is that LJ is now returning an empty op_endpoint parameter in its return URL during the OpenID exchange. This is causing the OpenID4Java library to crash -- if op_endpoint is specified, it must be a valid URL, and empty string isn't. (AFAICT, op_endpoint is mandatory and non-empty in Version 2, and shouldn't be there in Version 1.) I'm fairly sure that this is a recent change, since it was all working a few weeks ago.
I'm by no means certain that it's quite this simple: I'm finding lots of confusing information. For instance, YADIS discovery seems to be part-failing because LJ is returning a Content-Type of "text/xml", and the library (based on the standard, I believe) expects the XRDS document to be "application/xrds+xml". The XRDS document is claiming to be sending OpenID 1.0, and my code is reacting accordingly, but I suspect (from the presence of the op_endpoint parameter) that LJ isn't actually doing simple 1.0.
So there's a lot of guesswork and supposition here. I've hacked the library for the moment, to ignore the spurious op_endpoint parameter, but I'd prefer to really figure out what's going on and where the problem is (LJ, OpenID4Java, or my app). So if anyone is deep in LJ's OpenID code, I'd love to have a chat and try to puzzle out what needs to be fixed...
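
The two symptoms described in the post above can be checked from the relying-party side without any OpenID library. The following is an added example, not part of the original post and not OpenID4Java code; the function names, the `rp.example` host and the sample return URL are constructed for illustration. It classifies a return URL as 1.x or 2.0 from `openid.ns`, reports an `openid.op_endpoint` that is missing, empty or unexpected for that version, and compares a discovery response's Content-Type with `application/xrds+xml`.

```python
from urllib.parse import urlsplit, parse_qs

OPENID2_NS = "http://specs.openid.net/auth/2.0"
OPENID1_NS = {"http://openid.net/signon/1.0", "http://openid.net/signon/1.1"}
XRDS_TYPE = "application/xrds+xml"

def is_http_url(value):
    """True only for an absolute http(s) URL with a host part."""
    try:
        parts = urlsplit(value)
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def check_return_url(return_url):
    """Return (protocol_version, findings) for an OpenID return URL."""
    # keep_blank_values=True so "openid.op_endpoint=" is seen as present-but-empty
    query = parse_qs(urlsplit(return_url).query, keep_blank_values=True)
    params = {k: v[0] for k, v in query.items()}
    ns = params.get("openid.ns")
    endpoint = params.get("openid.op_endpoint")
    findings = []
    if ns is None or ns in OPENID1_NS:
        version = 1  # no openid.ns means a 1.x message
        if endpoint is not None:
            findings.append("1.x response carries openid.op_endpoint=%r" % endpoint)
    elif ns == OPENID2_NS:
        version = 2
        if endpoint is None:
            findings.append("2.0 response is missing openid.op_endpoint")
        elif not is_http_url(endpoint):
            findings.append("2.0 response has invalid openid.op_endpoint=%r" % endpoint)
    else:
        version = None
        findings.append("unrecognised openid.ns=%r" % ns)
    return version, findings

def is_xrds_content_type(header_value):
    """Compare the media type only, ignoring parameters such as charset."""
    return header_value.split(";", 1)[0].strip().lower() == XRDS_TYPE

# Constructed sample: host, user and signature are placeholders.
SAMPLE_RETURN_URL = (
    "https://rp.example/openid/return?openid.mode=id_res"
    "&openid.identity=http%3A%2F%2Fexampleuser.livejournal.com%2F"
    "&openid.op_endpoint=&openid.sig=PLACEHOLDER"
)

if __name__ == "__main__":
    print(check_return_url(SAMPLE_RETURN_URL))
    print(is_xrds_content_type("text/xml"))
```

Logging the findings alongside the raw return URL makes it easier to tell whether a rejected login came from the provider's message or from the library's strictness.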