Wednesday, June 11, 2008

Why Yahoo! says your OpenID site's identity is not confirmed

Are you building an OpenID 2.0 relying party site, and do your visitors who use Yahoo! as their Provider see this message?

Warning: This website has not confirmed its identity with Yahoo! and might be fraudulent. Do not share any personal information with this website unless you are certain it is legitimate.

Here is what you need to do to get rid of this warning:

  1. Write an XRDS document and save it to your web site.  Put the URL of your login page(s) in it.
  2. Advertise your XRDS document by putting a special link on your home page (or whatever page your Realm URL points to).

Let's start with authoring your XRDS document.  Here is a template you can copy and paste:

<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS
    xmlns:xrds="xri://$xrds"
    xmlns:openid="http://openid.net/xmlns/1.0"
    xmlns="xri://$xrd*($v*2.0)">
    <XRD>
        <Service priority="1">
            <Type>http://specs.openid.net/auth/2.0/return_to</Type>
            <URI>http://nerdbank.org/RP/login.aspx</URI>
        </Service>
    </XRD>
</xrds:XRDS>

You should replace the URI element text with the fully-qualified URL of your return_to page.  This may be your login page, or, if you have a separate URL for receiving the Provider's authentication response, that URL is your return_to URL and is what belongs in the URI element.  If you have multiple return_to pages, repeat the URI XML element, giving each one a unique URI.

If you have thousands of login pages (because it's a blog or something), then technically you should just put in as much of the URL as is common to all your login pages (such as just http://nerdbank.org).  Unfortunately (well, it's probably for increased security) Yahoo! isn't satisfied with very generic URLs and may still put up its warning, so make your URL as specific as possible.

Save your XRDS document to some location on your web site, say http://nerdbank.org/xrds.aspx.  It doesn't have to end with any particular extension, but you should program your web site to serve the XRDS document with a Content-Type of "application/xrds+xml" so that Yahoo! or any other Provider knows what it is looking at.

Now you must advertise your XRDS document from your Realm URL.  Your Realm is typically the root URL of your web site.  For example, if your root is http://nerdbank.org/, you will need to modify the default page that responds to that request (i.e. default.aspx, index.html, etc.).

A big warning about your Realm URL (the one you send to the Provider): the realm URL must not cause any redirects.  That is, if your realm is http://nerdbank.org/RP but that URL redirects to http://nerdbank.org/RP/ (note the trailing slash), XRDS discovery will fail and Yahoo! (and others) may report your site's identity as not confirmed.  Touchy?  Yes, but for good security reasons.  This means that in your original OpenID request you must be careful to set your realm URL to end with that trailing slash if your server requires it.

Add the following line inside the HEAD tags of your Realm page:

<meta http-equiv="X-XRDS-Location" content="http://nerdbank.org/xrds.aspx"/>

That is enough for some Providers, but may not be enough for all.  Your Realm URL page should also include this HTTP response header:

X-XRDS-Location: http://nerdbank.org/xrds.aspx

You should be done.  Try logging into your site using "yahoo.com" again to verify that the warning has gone away.
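As an added example (not code from the original post), here is a Python script that performs the same discovery steps a Provider such as Yahoo! walks through, run against constructed sample responses so it works offline: it refuses a realm that redirects, looks for the X-XRDS-Location header and then the meta tag, rejects an XRDS served with the wrong Content-Type or with whitespace before the XML declaration, and prefix-matches the return_to URL against the declared URIs. The fetch callable, the SITE dictionary and the function names are assumptions of this example; swap in a real HTTP client to check a live site.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
XRD_NS = "xri://$xrd*($v*2.0)"   # default namespace used by the XRDS template above
RETURN_TO = "http://specs.openid.net/auth/2.0/return_to"

def xrds_location(status, headers, body):
    """XRDS URL advertised by the realm page (header, else meta tag); None on a redirect."""
    if status != 200:                  # a 301/302 on the realm URL breaks discovery
        return None
    loc = {k.lower(): v for k, v in headers.items()}.get("x-xrds-location")
    m = re.search(r'<meta\s+http-equiv="X-XRDS-Location"\s+content="([^"]+)"', body, re.I)
    return loc.strip() if loc else (m.group(1) if m else None)

def declared_return_to(status, headers, body):
    """return_to URIs listed in the XRDS response; [] if the document is unusable."""
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if status != 200 or ctype.split(";")[0].strip() != "application/xrds+xml":
        return []                      # e.g. a 406, or the file served as text/html
    try:
        root = ET.fromstring(body.encode("utf-8"))
    except ET.ParseError:              # whitespace before <?xml ...?> ends up here
        return []
    svcs = [s for s in root.iter("{%s}Service" % XRD_NS)
            if any(k.tag == "{%s}Type" % XRD_NS and k.text == RETURN_TO for k in s)]
    return [k.text.strip() for s in svcs for k in s if k.tag == "{%s}URI" % XRD_NS]

def return_to_ok(return_to, declared):
    """Prefix match: same scheme and host, and a declared path is a prefix of return_to's."""
    rt = urlsplit(return_to)
    return any((rt.scheme, rt.netloc) == (d.scheme, d.netloc) and rt.path.startswith(d.path)
               for d in map(urlsplit, declared))

def verify_rp(fetch, realm, return_to):
    """Chain the checks; fetch(url) -> (status, headers, body). Returns (ok, reason)."""
    loc = xrds_location(*fetch(realm))
    if loc is None:
        return False, "realm redirects or advertises no XRDS"
    declared = declared_return_to(*fetch(loc))
    if not declared:
        return False, "XRDS missing, wrong Content-Type, or not parsable"
    ok = return_to_ok(return_to, declared)
    return ok, "ok" if ok else "return_to is not under any declared URI"

# Constructed sample responses (no real server) standing in for HTTP fetches.
XRDS = ('<?xml version="1.0" encoding="UTF-8"?><xrds:XRDS xmlns:xrds="xri://$xrds" '
        'xmlns="xri://$xrd*($v*2.0)"><XRD><Service priority="1"><Type>' + RETURN_TO +
        '</Type><URI>http://nerdbank.org/RP/login.aspx</URI></Service></XRD></xrds:XRDS>')
SITE = {"http://nerdbank.org/": (200, {"X-XRDS-Location": "http://nerdbank.org/xrds.aspx"}, ""),
        "http://nerdbank.org/xrds.aspx": (200, {"Content-Type": "application/xrds+xml"}, XRDS)}
```

Calling verify_rp(SITE.__getitem__, "http://nerdbank.org/", "http://nerdbank.org/RP/login.aspx") reports ok; feeding it a 301 for the realm, or the XRDS with a text/xml Content-Type or a leading newline, reproduces the failures the post and its comments describe.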

13Dec09 Update: An RP verification diagnostic tool you can use to help pinpoint your precise issue is now available.

24 comments:

  1. Thanks for writing this up! Can we send you a Yahoo OpenID T-Shirt?

  2. I'd love one. :)
    If you're serious, you can email me for my address, or just click on my Resume link on the right sidebar to get my address.

  3. But you should program your web site to indicate that the XRDS document has a Content-Type of "application/xrds+xml"

    What do you mean by "program your website"? Can you please explain? I am using it in a Java application.

    thanks in advance
    Satish

  4. slight edit:

    The URI value needs to be the location you're using for handling the OP auth response. It may or may not be the same as your login page. So it's more accurate to say that the URI value should be whatever you're using for your 'return_to' value in the auth request.

    BTW: where can I get my hands on one of those Yahoo OpenID T-shirts?! ;)

  5. Satish,
    By 'program your website', I was looking for a generic way of describing what is different for every web platform. It may be that you set up Apache, IIS, ASP.NET, perl, etc. You'll have to figure out how to set the Content-Type for your individual platform.

  6. Hi, I'm writing because I have been trying to avoid the warning from the Yahoo OpenID provider by following your advice, but so far I can't resolve it.

    I'm using openid4java over apache tomcat.

    the return_url is

    http://"+ip+":8123/contabilidad/authenticationresponsehandler

    which I give to the OpenID server through

    AuthRequest authReq = manager.authenticate(
        discovered,
        "http://" + ip + ":8123/contabilidad/authenticationresponsehandler",
        null
    );

    The xrds file is
    <?xml version="1.0" encoding="UTF-8"?>
    <xrds:XRDS
    xmlns:xrds="xri://$xrds"
    xmlns:openid="http://openid.net/xmlns/1.0"
    xmlns="xri://$xrd*($v*2.0)"
    >
    <XRD>
    <Service priority="1">
    <Type>http://specs.openid.net/auth/2.0/return_to</Type>
    <URI>http://xxx.xxx.xxx.xx:8123/contabilidad/authenticationresponsehandler</URI>
    </Service>
    </XRD>
    </xrds:XRDS>

    and it is located at

    http://xxx.xxx.xxx.xx:8123/contabilidad/xrds.xml

    and also at
    http://xxx.xxx.xxx.xx:8123/xrds.xml

    Also, in the default index.html at both URLs I put the meta tag
    <meta http-equiv="X-XRDS-Location" content="http://xxx.xxx.xxx.xx:8123/contabilidad/xrds.xml"/>

    But I still receive the warning from the Yahoo OpenID provider.

    Is there something that I'm missing?

    Thanks in advance.
    Ricardo.

  7. Hi Ricardo,

    Have you set your content-type header for your xrds file? And what is your realm URL set to?

  8. Thanks for answering so quickly, Andrew.

    Have you set your content-type header for your xrds file?
    I don't really know how to do this.
    The only way I can imagine (using Tomcat) is making a servlet
    which lets me set the content type like:

    response.setContentType("application/xrds+xml");
    Is it okay to set application/xrds+xml as the content type?

    and then read the file and return it.

    But I think that could be heavier than necessary; do you know if there is an easier way?


    And what is your realm URL set to?
    I don't know how to set the realm. For now I suppose it is

    http://xxx.xxx.xxx.xx:8123/contabilidad
    or
    http://xxx.xxx.xxx.xx:8123

    I'm not sure.

    I know how to set the realm in Tomcat, but I think that is related to users
    and passwords and is not related to what you refer to as a realm.

    Could you explain to me what the realm means in this case?

    Lots of thanks
    Ricardo.

  9. I found the following link useful as well, and it worked for me perfectly.

    http://blog.facilelogin.com/2008/07/let-rest-discover-your-openid-relying.html

    Thanks.

    Shaun

  11. Like lots of other people, I found this article very useful for my project.

    Here are my 2 cents.

    If you are using JSP or ASPX for authoring your XRDS document, the following tip will be useful.

    After you author your XRDS document, and before you try it with the OpenID workflow, try downloading it via a web browser and check the document to make sure that there is no newline at the beginning of the file.

    The following line should be the very first bytes of your XRDS document.

    <?xml version="1.0" encoding="UTF-8"?>

    If it is not, Yahoo and other service providers will still throw the warning about your site because the XRDS document parsing failed.

    Thanks

  12. Hi Andrew,

    I have a Yadis folder.

    This folder creates its own XRDS.

    I don't know where to put your XRDS. Can you help me with this? I'm new to these things.

    Thanks in advance

  13. PHP+Apache2 users out there might be interested in this:

    Don't name your file xrds.xml.php and try to serve it as xrds.xml while changing Content-type to application/xrds+xml in the header. Apache is braindead and doesn't attempt to execute the file. Yahoo! sends an Accept header in its HTTP request, listing application/xrds+xml. Apache decides your file is not of correct filetype, and sends Yahoo! the 406 Not Acceptable. Referring to same file with the .php extension makes Apache actually execute the file, and then compare the content-type to the accept header from the client.

    (It was a few months ago since I implemented this, so I might be mistaken in details.)

  14. Oh, and I have a neat, albeit messy, checklist of gotchas I encountered while working on fixing my OpenID implementation to make Yahoo!'s XRDS check happier.

    http://khaoticone.blogspot.com/2009/04/yahoo-and-openid-verification.html

    A few gotchas or hints may be useful to someone.

  15. Interesting. Thanks for the write up!

  16. Cheers! thanks from me too :D

  17. Gah. I have spent 3-4 hours trying to get rid of this warning now, but it just will not work. I think I have done everything according to this post (and some help from others).

    Anyone want to have a look at http://alternativeto.net/login.aspx and maybe see if you see anything wrong?

    Thanks!

  18. Thanks for this post. It saved me quite a lot of my hair :)

  19. Ola,

    Try to log into your RP with this identifier: http://test-id.org/RP/DiscoverableReturnTo.aspx

    It indicates that the OP can't download your RP's XRDS document. Then if you click on the "Recent logs" link on this RP-testing page, you can see this error that your web server is returning instead of its XRDS document:

    406 - Client browser does not accept the MIME type of the requested page.

  20. Worked a treat,

    Thanks for the detailed write up!

  21. The idea that any normal, average user will comprehend logging into a website with a URL (that is, in average user thinking: logging into a website with a website) is patently absurd.

  22. @Radical Horace: Which is why you present them with a nice icon of Google or Yahoo!. Read up on OpenID 2.0 and Google's and Yahoo!'s implementation.

  23. I do not understand the lines below. Please explain briefly.
    "But you should program your web site to indicate that the XRDS document has a Content-Type of "application/xrds+xml" so that Yahoo or any other Provider knows what it is looking at."
