Guestbook Broken

Martin Atkins mart at degeneration.co.uk
Tue Jun 28 16:33:15 PDT 2005


I've just been trying to get my old simple guestbook script working with
the new protocol. As I suspected, that hack of making up a fake args
hash to pass into the consumer module at the final submission came back
to bite me in the ass, so I removed that. I have a few new problems, though:

* For some reason, the second signature validation is failing with that
naive_verify_failed_return error. The first validation seems to be
working okay. I'm not sure what's differing. The form submission
includes all of the openid.* fields from the request, so they should all
be replicated in the final request and thus I'd expect the verification
step to work exactly the same as it did the first time.

Am I right in thinking that the "dumb" mode verification actually works
once? Do I really have to go through all that redirecting stuff again a
second time?

(Note that the guestbook is using "dumb" mode; this guestbook is the
stateless consumer poster child, invented purely for the purpose of
forcing there to be a stateless mode! ;) )

* The Consumer library doesn't seem to be doing delegate right, or I'm
just calling it wrong. If I enter a URL which delegates to my
LiveJournal URL, everything goes through as normal but the library tells
my code that the identity is my LiveJournal URL, not the one I entered.
This seems like something the library should be handling for me, as it's
part of the spec. I see some code in there that looks like it wants to
get the real identity from oic.identity, but no code to actually add it
in the first place.

Help! :)

The code is available, should you want to refer to it:
http://goathack.livejournal.org:9016/guestbook.txt
(note that I'm currently working on this, so the code will probably be
changing regularly and will probably be full of random debugging stuff.)



More information about the yadis mailing list