Guestbook Broken
Brad Fitzpatrick
brad at danga.com
Tue Jun 28 16:37:58 PDT 2005
On Wed, 29 Jun 2005, Martin Atkins wrote:
> * For some reason, the second signature validation is failing with that
> naive_verify_failed_return error. The first validation seems to be
> working okay. I'm not sure what's differing. The form submission
> includes all of the openid.* fields from the request, so they should all
> be replicated in the final request and thus I'd expect the verification
> step to work exactly the same as it did the first time.
There's a time component. You only have a certain amount of time to check
the signature, iirc.
> Am I right in thinking that the "dumb" mode verification actually works
> once? Do I really have to go through all that redirecting stuff again a
> second time?
No, you just get the signature, then check_authentication it. This should
all be hidden by the verified_identity method.
> * The Consumer library doesn't seem to be doing delegate right, or I'm
> just calling it wrong. If I enter a URL which delegates to my
> LiveJournal URL, everything goes through as normal but the library tells
> my code that the identity is my LiveJournal URL, not the one I entered.
Really? You using the newest library? Sprinkle some debug around... I've
been using delegated and normal identities fine.
> This seems like something the library should be handling for me, as it's
> part of the spec. I see some code in there that looks like it wants to
> get the real identity from oic.identity, but no code to actually add it
> in the first place.
They're in different files.
- Brad