LiveJournal consumer seems to fail with encoded urls

Brad Fitzpatrick brad at
Thu Jul 7 15:25:17 PDT 2005

On Thu, 7 Jul 2005, Adam Langley wrote:

> On 7/7/05, Brad Fitzpatrick <brad at> wrote:
> > Ick --- be sure you sign more than just issued!  You'll want to sign
> > "return_to" and other things.  See what Net::OpenID::Server does.
> >
> > I was able to login to my local LJ install by slighly altering that URL,
> > since the signature still matched (with your ruby server's
> > check_authentication)
> Ah, thank you. That's a very good point. Looking at the spec the
> suggested list is:
> "mode,issued,valid_to,identity,return_to"
> But can a stateless server sign 'mode'? Since a signature from both
> checkid_immediate and checkid_setup can be passed to
> check_authentication, yet the openid.mode for check_authentication
> isn't preserved.

There was an earlier discussion on this.  You're signing a mode value of
"id_res", not checkid_*.  So when your check_authentication goes to
verify, it must always assume mode is "id_res", not

Yes, that ties check_authentication to id_res responses, but we agreed
that was the cleanest of the possible answers.

Net::OpenID::Server does:

sub _mode_check_authentication {
    my Net::OpenID::Server $self = shift;

    # Rebuild the signed token from the field names the consumer forwards
    # in openid.signed, in that order, one "name:value\n" line per field.
    my $signed = $self->pargs("openid.signed") || "";
    my $token = "";
    foreach my $param (split(/,/, $signed)) {
        next unless $param =~ /^\w+$/;    # only plain field names
        # "mode" is always signed as "id_res"; the mode of this request is
        # check_authentication, so it must not be taken from the arguments.
        my $val = $param eq "mode" ? "id_res" : $self->pargs("openid.$param");
        next unless defined $val;
        next if $val =~ /\n/;             # a newline would forge extra lines
        $token .= "$param:$val\n";
    }

    # (The remainder of the sub, which HMACs $token and compares the result
    # with openid.sig, was not included in this message.)
}

- Brad
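The round trip described in this message, as an added example in Python (it is not Net::OpenID::Server or the Ruby server under discussion; the secret, identity URL, return_to and timestamps are constructed). It builds the same "name:value\n" token with mode forced to "id_res", signs an id_res response with base64 HMAC-SHA1, then plays the consumer's check_authentication call back against the server, once with only "issued" signed and once with the suggested field list, to show why an altered return_to still verifies in the first case and not in the second:

```python
import base64
import binascii
import hashlib
import hmac
import re

# Fields the spec suggests a server sign; "mode" is always signed as "id_res".
SIGNED_FIELDS = ["mode", "issued", "valid_to", "identity", "return_to"]

# Constructed sample: server-side HMAC secret and an id_res response body.
SECRET = b"constructed-server-secret-not-a-real-key"
RESPONSE = {
    "openid.mode": "id_res",
    "openid.issued": "2005-07-07T22:25:17Z",
    "openid.valid_to": "2005-07-07T22:40:17Z",
    "openid.identity": "http://example.com/alice/",  # hypothetical identity URL
    "openid.return_to": "http://consumer.example.net/login?nonce=12345",
}


def build_token(params, signed):
    """Token loop in the same shape as the Perl one: 'name:value\\n' per signed
    field, in the order given in openid.signed.  The mode is forced to id_res
    so a check_authentication request (whose own openid.mode differs)
    reproduces exactly the bytes that were signed."""
    token = ""
    for name in signed:
        if not re.fullmatch(r"[A-Za-z0-9_]+", name):
            continue                              # reject odd field names
        val = "id_res" if name == "mode" else params.get("openid." + name)
        if val is None or "\n" in val:
            continue                              # a newline would forge extra lines
        token += f"{name}:{val}\n"
    return token


def sign_response(secret, params, signed):
    """Stateless server: emit an id_res response carrying openid.signed and a
    base64 HMAC-SHA1 openid.sig over the token of those fields."""
    out = dict(params)
    out["openid.mode"] = "id_res"
    out["openid.signed"] = ",".join(signed)
    mac = hmac.new(secret, build_token(out, signed).encode(), hashlib.sha1).digest()
    out["openid.sig"] = base64.b64encode(mac).decode()
    return out


def check_authentication(secret, params):
    """Server side of openid.mode=check_authentication: recompute the HMAC over
    the forwarded fields and compare it with the forwarded openid.sig."""
    signed = params.get("openid.signed", "").split(",")
    try:
        presented = base64.b64decode(params.get("openid.sig", ""), validate=True)
    except (binascii.Error, ValueError):
        return False
    expected = hmac.new(secret, build_token(params, signed).encode(), hashlib.sha1).digest()
    return hmac.compare_digest(presented, expected)


def forward(response, changes=None):
    """What a consumer (or someone tampering with the URL) posts back to the
    server: the id_res fields with mode rewritten to check_authentication."""
    fwd = dict(response)
    fwd["openid.mode"] = "check_authentication"
    fwd.update(changes or {})
    return fwd


def demo():
    """Outcomes for both signing policies.  Signing only 'issued' lets a
    changed return_to verify; signing the suggested list rejects it."""
    weak = sign_response(SECRET, RESPONSE, ["issued"])
    full = sign_response(SECRET, RESPONSE, SIGNED_FIELDS)
    evil = {"openid.return_to": "http://attacker.example/steal"}
    return {
        "weak_untouched": check_authentication(SECRET, forward(weak)),
        "weak_tampered": check_authentication(SECRET, forward(weak, evil)),
        "full_untouched": check_authentication(SECRET, forward(full)),
        "full_tampered": check_authentication(SECRET, forward(full, evil)),
        "full_bad_sig": check_authentication(SECRET, forward(full, {"openid.sig": "!!"})),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15} is_valid:{'true' if ok else 'false'}")
```

The "untouched" cases verify even though the forwarded request carries openid.mode=check_authentication, because both signer and verifier substitute "id_res" for mode before hashing; that is the convention the message settles on.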
