0

We are attempting to implement OpenID (as a relying party) using the OpenID jQuery plugin (like StackOverflow) and DotNetOpenAuth.

We can't get AOL to work. DotNetOpenAuth redirects using http://openid.aol.com/{username} just fine, but when we successfully authenticate and it redirects back to our site, this code is run: (abbreviated)

using (OpenIdRelyingParty openid = new OpenIdRelyingParty()) { // Not sure if we want to stick with this, just trying to get it to WORK once openid.SecuritySettings.MinimumRequiredOpenIdVersion = ProtocolVersion.V10; openid.SecuritySettings.RejectUnsolicitedAssertions = false; IAuthenticationResponse resp = openid.GetResponse(); // Results: // resp.Status == AuthenticationStatus.Failed // resp.Exception == DotNetOpenAuth.Messaging.ProtocolException // resp.Exception.Message == "Unsolicited assertions are not allowed from 1.0 OpenID Providers." }

Does anyone know what would cause this? I find it hard to search for what an unsolicited assertion even IS. Or documentation about what version of OpenID it is that AOL supports.

EDIT: Requested log4net logs, here they are:

2010-02-01 09:04:45,217 (GMT-6) [12] INFO DotNetOpenAuth - DotNetOpenAuth, Version=3.3.1.9337, Culture=neutral, PublicKeyToken=2780ccd10d57b246 (official) 2010-02-01 09:04:45,246 (GMT-6) [12] INFO DotNetOpenAuth.Messaging.Channel - Scanning incoming request for messages: http://dev.seekitlocal.com/user/login.aspx?ReturnUrl=http%3A//dev.seekitlocal.com/ 2010-02-01 09:04:45,254 (GMT-6) [12] DEBUG DotNetOpenAuth.Messaging.Channel - Incoming HTTP request: GET http://dev.seekitlocal.com/user/login.aspx?ReturnUrl=http%3A//dev.seekitlocal.com/ 2010-02-01 09:04:56,448 (GMT-6) [10] DEBUG DotNetOpenAuth.Http - HTTP GET http://openid.aol.com/DuctTapeNT 2010-02-01 09:04:56,588 (GMT-6) [10] DEBUG DotNetOpenAuth.Yadis - Total services discovered in HTML: 1 2010-02-01 09:04:56,590 (GMT-6) [10] DEBUG DotNetOpenAuth.Yadis - [{ ClaimedIdentifier: http://openid.aol.com/DuctTapeNT ProviderLocalIdentifier: http://openid.aol.com/DuctTapeNT ProviderEndpoint: https://api.screenname.aol.com/auth/openidServer OpenID version: 1.1 Service Type URIs: http://openid.net/signon/1.1 },] 2010-02-01 09:04:56,606 (GMT-6) [10] INFO DotNetOpenAuth.Yadis - Performing discovery on user-supplied identifier: http://openid.aol.com/DuctTapeNT 2010-02-01 09:04:56,616 (GMT-6) [10] DEBUG DotNetOpenAuth.Yadis - Filtering and sorting of endpoints did not affect the list. 2010-02-01 09:04:56,616 (GMT-6) [10] INFO DotNetOpenAuth.OpenId - Creating authentication request for user supplied Identifier: http://openid.aol.com/DuctTapeNT 2010-02-01 09:04:56,638 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Channel - Preparing to send CheckIdRequest (1.1) message. 2010-02-01 09:04:56,712 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.ExtensionsBindingElement applied to message. 2010-02-01 09:04:56,713 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.RelyingPartySecurityOptions did not apply to message. 2010-02-01 09:04:56,715 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.BackwardCompatibilityBindingElement applied to message. 2010-02-01 09:04:56,716 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.Messaging.Bindings.StandardExpirationBindingElement did not apply to message. 2010-02-01 09:04:56,718 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.SigningBindingElement did not apply to message. 2010-02-01 09:04:56,724 (GMT-6) [10] INFO DotNetOpenAuth.Messaging.Channel - Prepared outgoing CheckIdRequest (1.1) message for https://api.screenname.aol.com/auth/openidServer: openid.identity: http://openid.aol.com/DuctTapeNT openid.return_to: http://dev.seekitlocal.com/user/login.aspx?ReturnUrl=http%3A%2F%2Fdev.seekitlocal.com%2F&dnoa.userSuppliedIdentifier=http%3A%2F%2Fopenid.aol.com%2FDuctTapeNT&dnoa.op_endpoint=https%3A%2F%2Fapi.screenname.aol.com%2Fauth%2FopenidServer&dnoa.claimed_id=http%3A%2F%2Fopenid.aol.com%2FDuctTapeNT openid.trust_root: http://*.seekitlocal.com/ openid.mode: checkid_setup openid.ns.sreg: http://openid.net/extensions/sreg/1.1 openid.sreg.required: openid.sreg.optional: email,fullname,gender,country 2010-02-01 09:04:56,726 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Channel - Sending message: CheckIdRequest 2010-02-01 09:04:56,730 (GMT-6) [10] DEBUG DotNetOpenAuth.Http - Redirecting to https://api.screenname.aol.com/auth/openidServer?openid.identity=http%3A%2F%2Fopenid.aol.com%2FDuctTapeNT&openid.return_to=http%3A%2F%2Fdev.seekitlocal.com%2Fuser%2Flogin.aspx%3FReturnUrl%3Dhttp%253A%252F%252Fdev.seekitlocal.com%252F%26dnoa.userSuppliedIdentifier%3Dhttp%253A%252F%252Fopenid.aol.com%252FDuctTapeNT%26dnoa.op_endpoint%3Dhttps%253A%252F%252Fapi.screenname.aol.com%252Fauth%252FopenidServer%26dnoa.claimed_id%3Dhttp%253A%252F%252Fopenid.aol.com%252FDuctTapeNT&openid.trust_root=http%3A%2F%2F%2A.seekitlocal.com%2F&openid.mode=checkid_setup&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1&openid.sreg.required=&openid.sreg.optional=email%2Cfullname%2Cgender%2Ccountry 2010-02-01 09:05:13,253 (GMT-6) [10] INFO DotNetOpenAuth.Messaging.Channel - Scanning incoming request for messages: http://dev.seekitlocal.com/user/login.aspx?ReturnUrl=http%3A%2F%2Fdev.seekitlocal.com%2F&dnoa.userSuppliedIdentifier=http%3A%2F%2Fopenid.aol.com%2FDuctTapeNT&dnoa.op_endpoint=https%3A%2F%2Fapi.screenname.aol.com%2Fauth%2FopenidServer&dnoa.claimed_id=http%3A%2F%2Fopenid.aol.com%2FDuctTapeNT&openid.mode=id_res&openid.identity=http%3A%2F%2Fopenid.aol.com%2FDuctTapeNT&openid.assoc_handle=diAyLjAgayAwIG53VldlczRiWWFTR2M2SmYyQXgvN3U3alBvWT0%253D-j5HRXRB1VbPyg48jGKE1Q2MpHpkFkaUaOxWzZ44gUVrIf6wXQo2g2UtSNCbdz6IPS%252BBcrVIrSAI%253D&openid.return_to=http%3A%2F%2Fdev.seekitlocal.com%2Fuser%2Flogin.aspx%3FReturnUrl%3Dhttp%253A%252F%252Fdev.seekitlocal.com%252F%26dnoa.userSuppliedIdentifier%3Dhttp%253A%252F%252Fopenid.aol.com%252FDuctTapeNT%26dnoa.op_endpoint%3Dhttps%253A%252F%252Fapi.screenname.aol.com%252Fauth%252FopenidServer%26dnoa.claimed_id%3Dhttp%253A%252F%252Fopenid.aol.com%252FDuctTapeNT&openid.signed=identity%2Creturn_to&openid.sig=utUiJJNfsRYobq3BiPraBubeI9c%3D 2010-02-01 09:05:13,254 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Channel - Incoming HTTP request: GET http://dev.seekitlocal.com/user/login.aspx?ReturnUrl=http%3A%2F%2Fdev.seekitlocal.com%2F&dnoa.userSuppliedIdentifier=http%3A%2F%2Fopenid.aol.com%2FDuctTapeNT&dnoa.op_endpoint=https%3A%2F%2Fapi.screenname.aol.com%2Fauth%2FopenidServer&dnoa.claimed_id=http%3A%2F%2Fopenid.aol.com%2FDuctTapeNT&openid.mode=id_res&openid.identity=http%3A%2F%2Fopenid.aol.com%2FDuctTapeNT&openid.assoc_handle=diAyLjAgayAwIG53VldlczRiWWFTR2M2SmYyQXgvN3U3alBvWT0%253D-j5HRXRB1VbPyg48jGKE1Q2MpHpkFkaUaOxWzZ44gUVrIf6wXQo2g2UtSNCbdz6IPS%252BBcrVIrSAI%253D&openid.return_to=http%3A%2F%2Fdev.seekitlocal.com%2Fuser%2Flogin.aspx%3FReturnUrl%3Dhttp%253A%252F%252Fdev.seekitlocal.com%252F%26dnoa.userSuppliedIdentifier%3Dhttp%253A%252F%252Fopenid.aol.com%252FDuctTapeNT%26dnoa.op_endpoint%3Dhttps%253A%252F%252Fapi.screenname.aol.com%252Fauth%252FopenidServer%26dnoa.claimed_id%3Dhttp%253A%252F%252Fopenid.aol.com%252FDuctTapeNT&openid.signed=identity%2Creturn_to&openid.sig=utUiJJNfsRYobq3BiPraBubeI9c%3D 2010-02-01 09:05:13,271 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Channel - Incoming request received: PositiveAssertionResponse 2010-02-01 09:05:13,277 (GMT-6) [10] INFO DotNetOpenAuth.Messaging.Channel - Processing incoming PositiveAssertionResponse (1.1) message: openid.identity: http://openid.aol.com/DuctTapeNT openid.sig: utUiJJNfsRYobq3BiPraBubeI9c= openid.signed: identity,return_to openid.assoc_handle: diAyLjAgayAwIG53VldlczRiWWFTR2M2SmYyQXgvN3U3alBvWT0%3D-j5HRXRB1VbPyg48jGKE1Q2MpHpkFkaUaOxWzZ44gUVrIf6wXQo2g2UtSNCbdz6IPS%2BBcrVIrSAI%3D openid.return_to: http://dev.seekitlocal.com/user/login.aspx?ReturnUrl=http%3A%2F%2Fdev.seekitlocal.com%2F&dnoa.userSuppliedIdentifier=http%3A%2F%2Fopenid.aol.com%2FDuctTapeNT&dnoa.op_endpoint=https%3A%2F%2Fapi.screenname.aol.com%2Fauth%2FopenidServer&dnoa.claimed_id=http%3A%2F%2Fopenid.aol.com%2FDuctTapeNT openid.response_nonce: 2010-02-01T15:05:13Z openid.mode: id_res ReturnUrl: http://dev.seekitlocal.com/ dnoa.userSuppliedIdentifier: http://openid.aol.com/DuctTapeNT dnoa.op_endpoint: https://api.screenname.aol.com/auth/openidServer dnoa.claimed_id: http://openid.aol.com/DuctTapeNT 2010-02-01 09:05:13,282 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.ReturnToSignatureBindingElement did not apply to message. 2010-02-01 09:05:13,286 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.BackwardCompatibilityBindingElement applied to message. 2010-02-01 09:05:13,289 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Verifying incoming PositiveAssertionResponse message signature of: utUiJJNfsRYobq3BiPraBubeI9c= 2010-02-01 09:05:13,307 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Channel - Preparing to send CheckAuthenticationRequest (1.1) message. 2010-02-01 09:05:13,307 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.ExtensionsBindingElement did not apply to message. 2010-02-01 09:05:13,307 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.RelyingPartySecurityOptions did not apply to message. 2010-02-01 09:05:13,307 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.BackwardCompatibilityBindingElement did not apply to message. 2010-02-01 09:05:13,309 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.ReturnToNonceBindingElement did not apply to message. 2010-02-01 09:05:13,310 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.ReturnToSignatureBindingElement did not apply to message. 2010-02-01 09:05:13,312 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.Messaging.Bindings.StandardReplayProtectionBindingElement did not apply to message. 2010-02-01 09:05:13,312 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.Messaging.Bindings.StandardExpirationBindingElement did not apply to message. 2010-02-01 09:05:13,312 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.SigningBindingElement did not apply to message. 2010-02-01 09:05:13,312 (GMT-6) [10] INFO DotNetOpenAuth.Messaging.Channel - Prepared outgoing CheckAuthenticationRequest (1.1) message for https://api.screenname.aol.com/auth/openidServer: openid.return_to: http://dev.seekitlocal.com/user/login.aspx?ReturnUrl=http%3A%2F%2Fdev.seekitlocal.com%2F&dnoa.userSuppliedIdentifier=http%3A%2F%2Fopenid.aol.com%2FDuctTapeNT&dnoa.op_endpoint=https%3A%2F%2Fapi.screenname.aol.com%2Fauth%2FopenidServer&dnoa.claimed_id=http%3A%2F%2Fopenid.aol.com%2FDuctTapeNT openid.mode: check_authentication openid.identity: http://openid.aol.com/DuctTapeNT openid.sig: utUiJJNfsRYobq3BiPraBubeI9c= openid.signed: identity,return_to openid.assoc_handle: diAyLjAgayAwIG53VldlczRiWWFTR2M2SmYyQXgvN3U3alBvWT0%3D-j5HRXRB1VbPyg48jGKE1Q2MpHpkFkaUaOxWzZ44gUVrIf6wXQo2g2UtSNCbdz6IPS%2BBcrVIrSAI%3D openid.response_nonce: 2010-02-01T15:05:13Z ReturnUrl: http://dev.seekitlocal.com/ dnoa.userSuppliedIdentifier: http://openid.aol.com/DuctTapeNT dnoa.op_endpoint: https://api.screenname.aol.com/auth/openidServer dnoa.claimed_id: http://openid.aol.com/DuctTapeNT 2010-02-01 09:05:13,312 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Channel - Sending CheckAuthenticationRequest request. 2010-02-01 09:05:13,548 (GMT-6) [10] DEBUG DotNetOpenAuth.Http - HTTP POST https://api.screenname.aol.com/auth/openidServer 2010-02-01 09:05:13,612 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Channel - Received CheckAuthenticationResponse response. 2010-02-01 09:05:13,612 (GMT-6) [10] INFO DotNetOpenAuth.Messaging.Channel - Processing incoming CheckAuthenticationResponse (1.1) message: is_valid: true openid.mode: id_res 2010-02-01 09:05:13,613 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.ReturnToSignatureBindingElement did not apply to message. 2010-02-01 09:05:13,613 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.BackwardCompatibilityBindingElement did not apply to message. 2010-02-01 09:05:13,613 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.SigningBindingElement did not apply to message. 2010-02-01 09:05:13,615 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.Messaging.Bindings.StandardExpirationBindingElement did not apply to message. 2010-02-01 09:05:13,616 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.Messaging.Bindings.StandardReplayProtectionBindingElement did not apply to message. 2010-02-01 09:05:13,619 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.ReturnToNonceBindingElement did not apply to message. 2010-02-01 09:05:13,620 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.RelyingPartySecurityOptions did not apply to message. 2010-02-01 09:05:13,624 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.ExtensionsBindingElement did not apply to message. 2010-02-01 09:05:13,625 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Channel - After binding element processing, the received CheckAuthenticationResponse (1.1) message is: is_valid: true openid.mode: id_res 2010-02-01 09:05:13,626 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.SigningBindingElement applied to message. 2010-02-01 09:05:13,627 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.Messaging.Bindings.StandardExpirationBindingElement applied to message. 2010-02-01 09:05:13,627 (GMT-6) [10] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.Messaging.Bindings.StandardReplayProtectionBindingElement did not apply to message. 2010-02-01 09:05:13,627 (GMT-6) [10] ERROR DotNetOpenAuth.OpenId - Incoming message is expected to have a nonce, but the return_to parameter is not signed. 2010-02-01 09:05:13,629 (GMT-6) [10] ERROR DotNetOpenAuth.Messaging - Protocol error: Unsolicited assertions are not allowed from 1.0 OpenID Providers. at DotNetOpenAuth.Messaging.ErrorUtilities.VerifyProtocol(Boolean condition, String message, Object[] args) at DotNetOpenAuth.OpenId.ChannelElements.ReturnToNonceBindingElement.ProcessIncomingMessage(IProtocolMessage message) at DotNetOpenAuth.Messaging.Channel.ProcessIncomingMessage(IProtocolMessage message) at DotNetOpenAuth.OpenId.ChannelElements.OpenIdChannel.ProcessIncomingMessage(IProtocolMessage message) at DotNetOpenAuth.Messaging.Channel.ReadFromRequest(HttpRequestInfo httpRequest) at DotNetOpenAuth.OpenId.RelyingParty.OpenIdRelyingParty.GetResponse(HttpRequestInfo httpRequestInfo) at IDM.Controls.OpenIDLogin.OnInit(EventArgs e) at System.Web.UI.Control.InitRecursive(Control namingContainer) at System.Web.UI.Control.InitRecursive(Control namingContainer) at System.Web.UI.Control.InitRecursive(Control namingContainer) at System.Web.UI.Control.InitRecursive(Control namingContainer) at System.Web.UI.Control.InitRecursive(Control namingContainer) at System.Web.UI.Control.InitRecursive(Control namingContainer) at System.Web.UI.Control.InitRecursive(Control namingContainer) at System.Web.UI.Control.InitRecursive(Control namingContainer) at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.HttpContext.InvokeCancellableCallback(WaitCallback callback, Object state) at System.Web.UI.Page.AsyncPageBeginProcessRequest(HttpContext context, AsyncCallback callback, Object extraData) at IDM.Components.SILBasePage.BeginProcessRequest(HttpContext context, AsyncCallback cb, Object extraData) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) at System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception error) at System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext context, AsyncCallback cb) at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context) at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr managedHttpContext, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags) at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr managedHttpContext, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags) at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr managedHttpContext, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags) at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr managedHttpContext, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
Improve this question
3
  • It works on the live sample samples.dotnetopenauth.net/v3.4/OpenIdRelyingPartyWebForms To figure out what's going on with your server we'd need to see the logs: dotnetopenauth.net/developers/code-snippets/… Can you add the logs to the question? Commented Jan 30, 2010 at 4:12
  • @Andrew added the log4net logs. I love how detailed they are, but still greek to me unfortunately. Hopefully you can point me in the right direction. Thanks! Commented Feb 1, 2010 at 15:21
  • And would you happen to be explicitly setting SecuritySettings.MinimumRequiredOpenIdVersion to allow for 1.1 OPs? Commented Feb 2, 2010 at 4:46

2 Answers 2

Reset to default
2

I believe what's going on here is that the OpenIdRelyingParty instance you use to create the authentication request is in stateless ("dumb") mode. That is, you pass null to its constructor, or you set Stateless="true" on one of the ASP.NET controls. But when the authentication response comes back, you process that response with an OpenIdRelyingParty instance that was created in stateful mode (you didn't pass null explicitly to its constructor).

This results in an incompatibility in the authentication response. The request is created with a lower level of security because the state required for that extra security is not available. But when the authentication response comes back, state is available so the security requirements are higher, and the response to the lower-level request is rejected.

It's a good idea to just create one OpenIdRelyingParty instance, store it in a static field somewhere, and then use it for all your logins. It's thread-safe and specifically designed for this. It will help you avoid this kind of problem in the future, and be a bit more performant as well.

By the way, I also expect you are explicitly setting SecuritySettings.MinimumRequiredOpenIdVersion = ProtocolVersion.V10 on the OpenIdRelyingParty instance after creating it, or else I don't think that stateless mode would have permitted working with AOL. Stateless mode RP at your site and OpenID 1.1 Providers are a low-security combination that DotNetOpenAuth defaults to disallowing because the protocol is vulnerable to replay attacks. Just so you know what you're overriding there (if you are in fact doing that).

(Wow. That was a lot of digging in the logs...)

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

You were right - I was using separate OpenIdRelyingParty instances to initiate and complete the login process, and one of them was not passing null in the constructor. I was operating under the assumption that a class that implements IDisposable should be disposed, so it's good to hear that it's safe to instantiate one static instance. I was using stateless because I was planning for a load-balanced environment - would you recommend implementing an IRelyingPartyApplicationStore in order to achieve safety from attacks with AOL and other OpenID 1.1 providers?
I always recommend a state store if you can implement it. Otherwise, I'd leave OpenID 1.1 OP support at its stateless default of off. AOL ought to be about done with their 2.0 OP launch pretty soon here anyway.
0

"unsolicited assertion" means that your application thinks AOL sent someone over with an id_res message without your application ever doing a checkid_setup for that identifier. I'll leave it to Andrew to say how DotNetOpenAuth deals with that or AOL.

('cuz it works in Python.)

Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.