
dotnetopenid - issue #173
DotNetOpenId.OpenIdException: The signature verification failed. at DotNetOpenId.RelyingParty.Token.Deserialize(String token, INonceStore store)
Is this issue relating to writing a Relying Party, a Provider, or both? RP
I have the following setup:
- localhost: Standard Visual Studio Development Server
- test-environment: IIS 6 without SSL
- live-environment: same server as test-environment but with SSL / https
My code works fine on localhost and on the test-environment. On the live-environment the following exception is thrown:

DotNetOpenId.OpenIdException: The signature verification failed.
   at DotNetOpenId.RelyingParty.Token.Deserialize(String token, INonceStore store) in c:\git\dotnetopenid\src\DotNetOpenId\RelyingParty\Token.cs:line 101
   at DotNetOpenId.RelyingParty.AuthenticationResponse.Parse(IDictionary`2 query, OpenIdRelyingParty relyingParty, Uri requestUrl, Boolean verifySignature) in c:\git\dotnetopenid\src\DotNetOpenId\RelyingParty\AuthenticationResponse.cs:line 222
   at DotNetOpenId.RelyingParty.OpenIdRelyingParty.get_Response() in c:\git\dotnetopenid\src\DotNetOpenId\RelyingParty\OpenIdRelyingParty.cs:line 294
My failed handler looks like this:

protected void OpenIdLogin1_Failed(object sender, OpenIdEventArgs e)
{
    // Show the error row and dump the exception text into the debug label.
    trError.Visible = true;
    litError.Text = "FAILED: " + e.Response.Exception;
    // Drop the current session after a failed login.
    Session.Abandon();
}
What steps will reproduce the problem? (please include the actual Claimed Identifier or OpenID Url used to repro the problem if possible)
1. I'm entering the following OpenID Url: https://www.google.com/accounts/o8/id
2. I'm getting redirected to the provider (Google) and confirm the request.
3. My debug-label shows the info I've entered at the beginning of this issue.
What version of the product are you using? Official build? 2.5.1.8313, yes
Can this problem be reproduced using the included samples? no
Please provide any additional information below. Relevant log snippets are superb!
Comment #1
Posted on Nov 27, 2008 by Quick Panda
The application state may be getting cleared. The only way to know for sure is to activate logging and check it out. Can you send me the logs?
Comment #2
Posted on Nov 27, 2008 by Happy Cat
Can you give me an example how to do this? I tried to get log4net to work but no logfile gets created.
Comment #3
Posted on Nov 27, 2008 by Quick Panda
Besides copying log4net into your web site's Bin folder, you need to modify your site's web.config file to include a log4net section similar to how you see it in the samples that are included with dotnetopenid.
Comment #4
Posted on Nov 28, 2008 by Happy Cat
Okay, here is the log:
2008-11-28 21:21:02,761 (GMT+1) [1] INFO Garreng.Global - Starting...
2008-11-28 21:21:40,308 (GMT+1) [1] INFO DotNetOpenId - DotNetOpenId, Version=2.5.1.8313, Culture=neutral, PublicKeyToken=2780ccd10d57b246 (official)
2008-11-28 21:21:40,386 (GMT+1) [1] INFO DotNetOpenId - Creating authentication request for user supplied Identifier: https://www.google.com/accounts/o8/id
2008-11-28 21:21:40,402 (GMT+1) [1] DEBUG DotNetOpenId - Realm: https://mydomain.com/
2008-11-28 21:21:40,402 (GMT+1) [1] DEBUG DotNetOpenId - Return To: https://mydomain.com/Login/LoginDebug.aspx
2008-11-28 21:21:40,808 (GMT+1) [1] DEBUG DotNetOpenId - An XRDS response was received from GET at user-supplied identifier.
2008-11-28 21:21:40,980 (GMT+1) [1] DEBUG DotNetOpenId - Total services discovered in XRDS: 1
2008-11-28 21:21:40,980 (GMT+1) [1] DEBUG DotNetOpenId - [{
    ClaimedIdentifier: http://specs.openid.net/auth/2.0/identifier_select
    ProviderLocalIdentifier: http://specs.openid.net/auth/2.0/identifier_select
    ProviderEndpoint: https://www.google.com/accounts/o8/ud
    OpenID version: 2.0
    Service Type URIs: http://specs.openid.net/auth/2.0/server
},]
2008-11-28 21:21:41,011 (GMT+1) [1] DEBUG DotNetOpenId - Skipping HTML discovery because XRDS contained service endpoints.
2008-11-28 21:21:41,027 (GMT+1) [1] DEBUG DotNetOpenId - Filtering and sorting of endpoints did not affect the list.
2008-11-28 21:21:41,058 (GMT+1) [1] INFO DotNetOpenId - Requesting association with https://www.google.com/accounts/o8/ud (assoc_type = 'HMAC-SHA256', session_type = 'no-encryption').
2008-11-28 21:21:41,089 (GMT+1) [1] DEBUG DotNetOpenId - Sending direct message to https://www.google.com/accounts/o8/ud:
    openid.mode: associate
    openid.assoc_type: HMAC-SHA256
    openid.session_type: no-encryption
    openid.ns: http://specs.openid.net/auth/2.0
2008-11-28 21:21:41,558 (GMT+1) [1] DEBUG DotNetOpenId - Received direct response from https://www.google.com/accounts/o8/ud:
    ns: http://specs.openid.net/auth/2.0
    session_type: no-encryption
    assoc_type: HMAC-SHA1
    assoc_handle: AOQobUceSLt5i-z_zEbVdZ8RbnDEJYOUHwHeUm_smlrnmao8_tFKYb4z
    expires_in: 1209600
    mac_key: VViG5mXyR1CfW33Tjd7rodYZjls=
2008-11-28 21:21:41,573 (GMT+1) [1] ERROR DotNetOpenId - Provider responded with contradicting association parameters. Requested [HMAC-SHA256, no-encryption] but got [HMAC-SHA1, no-encryption] back.
2008-11-28 21:21:41,573 (GMT+1) [1] ERROR DotNetOpenId - Association attempt with https://www.google.com/accounts/o8/ud provider failed.
2008-11-28 21:21:41,573 (GMT+1) [1] DEBUG DotNetOpenId - All endpoints failed to respond to an association request. Selecting first endpoint to try to authenticate to.
2008-11-28 21:21:41,589 (GMT+1) [1] INFO DotNetOpenId - Generating new secret signing key.
2008-11-28 21:21:41,620 (GMT+1) [1] DEBUG DotNetOpenId - Sending indirect message:
    openid.mode: checkid_setup
    openid.identity: http://specs.openid.net/auth/2.0/identifier_select
    openid.ns: http://specs.openid.net/auth/2.0
    openid.claimed_id: http://specs.openid.net/auth/2.0/identifier_select
    openid.realm: https://mydomain.com/
    openid.return_to: https://mydomain.com/Login/LoginDebug.aspx?token=AStD6mBIEB3MMd6ejfXdXQRZYYaK7UhkEmq2MSRb1W1HaHR0cDovL3NwZWNzLm9wZW5pZC5uZXQvYXV0aC8yLjAvaWRlbnRpZmllcl9zZWxlY3QNCmh0dHA6Ly9zcGVjcy5vcGVuaWQubmV0L2F1dGgvMi4wL2lkZW50aWZpZXJfc2VsZWN0DQpodHRwczovL3d3dy5nb29nbGUuY29tL2FjY291bnRzL284L2lkDQpodHRwczovL3d3dy5nb29nbGUuY29tL2FjY291bnRzL284L3VkDQoyLjANCg%3d%3d&OpenIdTextBox_UsePersistentCookie=False
    openid.ns.sreg: http://openid.net/extensions/sreg/1.1
    openid.sreg.required:
    openid.sreg.optional:
Comment #5
Posted on Nov 29, 2008 by Quick Panda
This log doesn't include the return from Google. I need a log that goes all the way from the start of the auth (as this one does), but continues through to completed authentication.
Comment #6
Posted on Nov 29, 2008 by Happy Cat
I don't understand why, but I NEVER get a full log like you need it. Here I have a response without the request :(
2008-11-29 11:24:59,171 (GMT+1) [8] DEBUG Garreng.Login.LoginDebug - Welcome to LoginDebug.aspx
2008-11-29 11:24:59,171 (GMT+1) [8] INFO DotNetOpenId - DotNetOpenId, Version=2.5.1.8313, Culture=neutral, PublicKeyToken=2780ccd10d57b246 (official)
2008-11-29 11:24:59,171 (GMT+1) [8] DEBUG DotNetOpenId - OpenID authentication response received:
    token: ASsLYKZL97clecR7IsXsjB7xuDwHJCnOnYyodAlyZoTZaHR0cDovL3NwZWNzLm9wZW5pZC5uZXQvYXV0aC8yLjAvaWRlbnRpZmllcl9zZWxlY3QNCmh0dHA6Ly9zcGVjcy5vcGVuaWQubmV0L2F1dGgvMi4wL2lkZW50aWZpZXJfc2VsZWN0DQpodHRwczovL3d3dy5nb29nbGUuY29tL2FjY291bnRzL284L2lkDQpodHRwczovL3d3dy5nb29nbGUuY29tL2FjY291bnRzL284L3VkDQoyLjANCg==
    OpenIdTextBox_UsePersistentCookie: False
    openid.ns: http://specs.openid.net/auth/2.0
    openid.mode: id_res
    openid.op_endpoint: https://www.google.com/accounts/o8/ud
    openid.response_nonce: 2008-11-29T10:25:01ZwJPW4cnsq8PmQQ
    openid.return_to: https://example.com/Login/LoginDebug2.aspx?token=ASsLYKZL97clecR7IsXsjB7xuDwHJCnOnYyodAlyZoTZaHR0cDovL3NwZWNzLm9wZW5pZC5uZXQvYXV0aC8yLjAvaWRlbnRpZmllcl9zZWxlY3QNCmh0dHA6Ly9zcGVjcy5vcGVuaWQubmV0L2F1dGgvMi4wL2lkZW50aWZpZXJfc2VsZWN0DQpodHRwczovL3d3dy5nb29nbGUuY29tL2FjY291bnRzL284L2lkDQpodHRwczovL3d3dy5nb29nbGUuY29tL2FjY291bnRzL284L3VkDQoyLjANCg%3d%3d&OpenIdTextBox_UsePersistentCookie=False
    openid.assoc_handle: AOQobUfTtDQThOVkvnNFoyv2FpciY1uXdZXHbhcfqhW7ClnRrTNjRqmR
    openid.signed: op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle
    openid.sig: l1B6FrUiekW3JFttmGSKW96YnAE=
    openid.identity: https://www.google.com/accounts/o8/id?id=AItOawmS2gmJVP0uAVNHhe0npFORBEn0QU4eEJM
    openid.claimed_id: https://www.google.com/accounts/o8/id?id=AItOawmS2gmJVP0uAVNHhe0npFORBEn0QU4eEJM
2008-11-29 11:24:59,187 (GMT+1) [8] INFO DotNetOpenId - Generating new secret signing key.
2008-11-29 11:24:59,234 (GMT+1) [8] ERROR DotNetOpenId - OpenIdException: The signature verification failed.
2008-11-29 11:24:59,234 (GMT+1) [8] DEBUG Garreng.Login.LoginDebug - STACKTRACE:
   at DotNetOpenId.RelyingParty.Token.Deserialize(String token, INonceStore store) in c:\git\dotnetopenid\src\DotNetOpenId\RelyingParty\Token.cs:line 101
   at DotNetOpenId.RelyingParty.AuthenticationResponse.Parse(IDictionary`2 query, OpenIdRelyingParty relyingParty, Uri requestUrl, Boolean verifySignature) in c:\git\dotnetopenid\src\DotNetOpenId\RelyingParty\AuthenticationResponse.cs:line 222
   at DotNetOpenId.RelyingParty.OpenIdRelyingParty.get_Response() in c:\git\dotnetopenid\src\DotNetOpenId\RelyingParty\OpenIdRelyingParty.cs:line 294
Comment #7
Posted on Nov 29, 2008 by Quick Panda
An incomplete log confirms my suspicion that your web server instance is restarting between web requests. I don't know what configuration in IIS would cause it to behave this way. You should be able to force a complete log by logging to a file rather than just the tracepage.aspx as the samples do. But at this point I think the most important thing for you would be to figure out why your web application state gets cleared between each web request, and the dotnetopenid logs are not likely to help any further in figuring that out.
However, here are a couple of workarounds that may help you. Start the ASP.NET State Server service and change your web.config file to use it. Another option is to write a database implementation of dotnetopenid's persistence interface and store everything the library needs to recall in a database rather than the app state.
Comment #8
Posted on Nov 30, 2008 by Happy Cat
OKAY, I GOT IT!
I configured a webgarden in the settings of my application pool. I set it to "1" and it works now.
Thanks for the hint!
Comment #9
Posted on Nov 30, 2008 by Happy Cat
Perhaps it would be good to announce this in the FAQ or Wiki...
Comment #10
Posted on Nov 30, 2008 by Quick Panda
That's a good idea. I don't know enough to describe it from your side though. For instance, I've never heard of a webgarden. Can you write something up and we can post it?
Comment #11
Posted on Nov 30, 2008 by Quick Panda
(No comment was entered for this change.)
Comment #12
Posted on Dec 1, 2008 by Happy Cat
Okay, here we go.
If you configure a "web garden" (this means that one application pool can create more than one process on the machine), in some cases one process doesn't know what the other does.
I recognized this when I tried to get a logfile with log4net. There was always only the request or the reply in the log.
Comment #13
Posted on Dec 1, 2008 by Quick Panda
Interesting... I'm familiar with web farms, but a web garden as you describe I've never run across.
If you want to use dotnetopenid in a web garden then you must implement the appropriate interface to allow all processes to share the "secrets" that dotnetopenid manages with itself and other servers so that all processes can verify signatures and not just the one that created the signature/association in the first place.
I'll update the docs to include 'web gardens' where web farms are used.
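The failure that comments #7 and #13 describe can be reproduced without IIS. The Python below is an added example, not DotNetOpenId code and not written by either participant: each Worker stands for one worker process of the application pool, SecretStore for the place the relying party keeps its private signing key, and the token layout (HMAC-SHA256 over a payload modelled on the decoded return_to token in the log) is an assumption for illustration, not DotNetOpenId's real format. With one store per worker, the process that receives Google's redirect has no key yet, generates a fresh one (the "Generating new secret signing key" line in the second log) and rejects the token the first process signed; with a single store shared by all workers, or with only one worker, the same token verifies.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed stand-in for the payload inside the return_to token: the
# decoded token in the log carries the claimed id, provider-local id,
# user-supplied id, provider endpoint and protocol version, CRLF-separated.
TOKEN_PAYLOAD = ("\r\n".join([
    "http://specs.openid.net/auth/2.0/identifier_select",
    "http://specs.openid.net/auth/2.0/identifier_select",
    "https://www.google.com/accounts/o8/id",
    "https://www.google.com/accounts/o8/ud",
    "2.0",
]) + "\r\n").encode("ascii")

SIG_LEN = hashlib.sha256().digest_size  # HMAC-SHA256 is an assumption here


class SecretStore:
    """Holds the RP's private signing key.

    One instance per worker models ASP.NET application state; one instance
    shared by every worker models the database-backed store from comment #7.
    """

    def __init__(self):
        self._key = None

    def signing_key(self):
        # Mirrors "Generating new secret signing key": a process that has
        # no key simply makes a fresh random one and carries on.
        if self._key is None:
            self._key = secrets.token_bytes(32)
        return self._key


class Worker:
    """One worker process of the relying party's application pool."""

    def __init__(self, name, store):
        self.name = name
        self.store = store

    def start_login(self, payload):
        """Sign the token that is embedded in openid.return_to."""
        mac = hmac.new(self.store.signing_key(), payload, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(mac + payload).decode("ascii")

    def handle_return(self, token):
        """Verify the token when the provider redirects the browser back."""
        raw = base64.urlsafe_b64decode(token)
        mac, payload = raw[:SIG_LEN], raw[SIG_LEN:]
        expected = hmac.new(self.store.signing_key(), payload, hashlib.sha256).digest()
        # Constant-time comparison, as any signature check should use.
        return hmac.compare_digest(mac, expected)


def web_garden_roundtrip(max_worker_processes, shared_store):
    """Route the login request to the first worker and the provider's
    callback to the last one, the routing a web garden can produce.
    Returns True when the callback's signature verification succeeds."""
    if shared_store:
        common = SecretStore()
        workers = [Worker(f"w3wp-{i}", common) for i in range(max_worker_processes)]
    else:
        workers = [Worker(f"w3wp-{i}", SecretStore()) for i in range(max_worker_processes)]
    token = workers[0].start_login(TOKEN_PAYLOAD)
    return workers[-1].handle_return(token)


if __name__ == "__main__":
    print("1 worker, per-process state :", web_garden_roundtrip(1, False))
    print("web garden, per-process     :", web_garden_roundtrip(2, False))
    print("web garden, shared store    :", web_garden_roundtrip(2, True))
```

Setting Maximum Worker Processes back to 1, as in comment #8, is the `web_garden_roundtrip(1, False)` case. A store shared by all processes, the database implementation suggested in comment #7, is the `(2, True)` case; in the real library that shared store also has to hold the nonces the RP uses for replay detection, since Token.Deserialize takes an INonceStore, otherwise a callback replayed against a different worker would not be recognised as a duplicate.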
Comment #14
Posted on Jan 7, 2009 by Quick Panda
(No comment was entered for this change.)
Status: Fixed
Labels:
Type-Task
Priority-Medium