How do you get AOL's OpenID site verification

Posted 2019-02-09 07:16

Question:

I have an OpenID relying party set up and using XRDS. It passes the "RP has discoverable return_to" interop test over at http://test-id.org/RP/DiscoverableReturnTo.aspx.

Yahoo no longer complains with the message "Warning: This website has not confirmed its identity with Yahoo! and might be fraudulent." as outlined in Andrew Arnott's excellent blog post: http://blog.nerdbank.net/2008/06/why-yahoo-says-your-openid-site.html

However, when I try to authenticate using AOL I see the "Warning! site verification could not be completed." message.

Answer 1:

When verifying the return_to value, AOL doesn’t support the RFC 4366 TLS "Server Name Indication" (SNI) extension, which allows multiple SSL certificates on the same IP address. If your server is so configured, AOL will only see the default certificate for the IP address. If it doesn’t happen to match the certificate of the relying website, AOL will (incorrectly) report an error.

I.e., this is an AOL bug.



Answer 2:

After 3 hours of work I had satisfied AOL verification. Below is what you need to make sure of (assuming you satisfy the OpenID 2.0 specification).

AOL is making an HTTP HEAD request, so make sure that your realm page accepts HTTP HEAD requests. I think that's what is mostly wrong, as we don't ever check HTTP HEAD.

AOL's HTTP HEAD request is very naked, so make sure you serve back a response to a bare request, i.e. in our case the code was also failing when there was no agent info in the request.

It is most likely that you would have a problem with the above conditions.
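
A self-check for the two conditions in this answer, as an added example that is not part of the original answer: `bare_head` sends a HEAD request carrying only a Host header, and two constructed handlers show a realm page that fails the probe and one that passes it. The handler names and the XRDS URL are assumptions made for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def bare_head(host, port, path="/"):
    """Send HEAD with only a Host header: no User-Agent, Accept or Accept-Encoding."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.putrequest("HEAD", path, skip_accept_encoding=True)
        conn.endheaders()  # nothing but the automatic Host header is sent
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()

class Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args):  # suppress per-request logging in the demo
        pass

class FragileRealm(Quiet):
    """Constructed 'before': only GET is implemented, so HEAD is answered with 501."""
    def do_GET(self):
        self.send_response(200)
        self.end_headers()

class TolerantRealm(Quiet):
    """Constructed 'after': HEAD and GET both answer; no request header is required."""
    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        # Constructed placeholder URL for the relying party's XRDS document.
        self.send_header("X-XRDS-Location", "https://rp.example/xrds")
        self.end_headers()
    def do_GET(self):
        self.do_HEAD()
        self.wfile.write(b"<html>realm page</html>")

def probe(handler):
    """Serve `handler` on an ephemeral loopback port and return bare_head()'s result."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return bare_head("127.0.0.1", server.server_port)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for handler in (FragileRealm, TolerantRealm):
        print(handler.__name__, probe(handler))
```

To check a deployed realm page instead of the demo handlers, call `bare_head` with its host, port and path (use `http.client.HTTPSConnection` in place of `HTTPConnection` for an HTTPS realm).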



Answer 3:

Maybe it's just a cached response from AOL and tomorrow it goes away. Just a thought. The test-id.org test and Yahoo test you've already done should demonstrate you're doing it right.

Please let us know if there's a novel requirement AOL holds you to that others don't.



Tags: openid aol xrds