Invalid Association Handles

Grant Monroe grant at
Tue May 2 18:36:38 UTC 2006

On 5/1/06, Thom McGrath <lists at> wrote:
> After reading the spec a number of times, I must say I'm a little
> confused. During an 'associate' mode, I should create a new "smart-
> mode" associate handle and return it. Where I get confused is in the
> checkid_* methods. If my server is sent a handle that is invalid,
> what is the *correct* way to handle this? The spec says, for the
> value of openid.assoc_handle:
> "Optional. Consumer must use dumb mode (check_authentication mode) if
> an assoc_handle isn't provided. Also, if you use an assoc_handle the
> server doesn't know about, it'll pick its own and you'll have to use
> dumb mode as well."
> Later, for the response openid.invalidate_handle:
> "Optional. If the server didn't accept/recognize your provided
> assoc_handle for whatever reason, it'll choose its own to use, and
> copy the one you provided back into invalidate_handle, to tell you to
> stop using it. You should then send it along in your
> check_authentication request to verify it actually should be dropped."
> So let me verify my understanding. If the handle is good, simply
> continue. If it is empty or incorrect, create one and set the
> openid.assoc_handle to the handle. If the provided handle is
> incorrect, set openid.invalidate_handle response to the incorrect
> handle. The consumer should no longer use this handle. Now what?

Once the consumer receives a response to checkid_* with an
argument present, the consumer will need to do the
check_authentication step as in dumb mode but including the
invalidate_handle. if the invalidate_handle is present in the response
to check_authentication, then the handle should be removed from the
consumer's db.

> Should I remove the handle from my database? Should I deny all
> subsequent requests that contain this handle? Or should I keep
> issuing new handles, even though the consumer keeps using a handle
> that it has been told is invalid?
> I ask because the OpenID Server Test Tool does not respect the
> openid.invalidate_handle response, and continues to use an expired
> handle anyway. (The handle is only invalid because I force it to
> expire early, thus intentionally causing this issue. This is simply a
> matter of testing my server, not the tool using handles past the
> expiration date.) I want to know what the correct behavior is, as it
> appears to be undefined.
> --
> Thom McGrath, <>
> "You don't need eyes to see, you need vision" - Maxi Jazz in
> "Reverence" by Faithless

"Records and live performance are two worlds. One is a love letter,
the other a hot date." - Robert Fripp

More information about the yadis mailing list