How do you get AOL's OpenID site verification to work?
S

3

8

I have an OpenID relying party set up and using XRDS. It passes the "RP has discoverable return_to" interop test over at http://test-id.org/RP/DiscoverableReturnTo.aspx.

Yahoo no longer complains with the message "Warning: This website has not confirmed its identity with Yahoo! and might be fraudulent." as outlined in Andrew Arnott's excellent blog post: http://blog.nerdbank.net/2008/06/why-yahoo-says-your-openid-site.html

However, when I try to authenticate using AOL I see the "Warning! site verification could not be completed." message.

Shondrashone answered 24/3, 2010 at 5:56 Comment(2)
Looks like they just rolled out a new version at AOL a week or two back; your best bet might be to ask them directly. practicalid.blogspot.com/2010/03/… - Simplehearted
Please include the actual realm and return_to URLs that you are passing in your OpenID auth request so we can investigate your specific issue. - Bandler
R
4

When verifying the return_to value, AOL doesn’t support the RFC 4366 TLS "Server Name Indication" (SNI) extension, which allows multiple SSL certificates on the same IP address. If your server is so configured, AOL will only see the default certificate for the IP address. If it doesn’t happen to match the certificate of the relying website, AOL will (incorrectly) report an error.

I.e., this is an AOL bug.

Rehash answered 3/10, 2010 at 3:52 Comment(2)
Would the same thing go for a site using wildcard certificates? - Shondrashone
Not if it’s the same thing that I saw, which happens when there is more than one certificate on the same IP address. - Rehash
R
2

After 3 hours of work I had satisfied AOL verification. Below is what you need to make sure of (assuming you satisfy the OpenID 2.0 specification).

AOL is making an HTTP HEAD request, so make sure that your realm page accepts HTTP HEAD requests. I think that's what is mostly wrong, as we don't ever check HTTP HEAD.

AOL's HTTP HEAD request is very naked, so make sure you serve back a response to a bare request, i.e. in our case the code was also failing when there was no agent info in the request.

It is most likely that you would have a problem with the above conditions.

Rhineland answered 16/5, 2011 at 14:46 Comment(0)
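
A local check for the two conditions in the answer above, as an added example that is not part of the original answer: it sends a HEAD request carrying only a Host header to a constructed GET-only handler and to a tolerant one. The handler classes, `bare_head` and `probe` are hypothetical names, and that AOL's verifier sends this kind of request is taken from the answer, not confirmed here.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

XRDS_TYPE = "application/xrds+xml"  # assumed response type for the realm page

def bare_head(host, port, path="/"):
    """Send a HEAD request with only a Host header; return (status, content type)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.putrequest("HEAD", path, skip_accept_encoding=True)
        conn.endheaders()  # no User-Agent, Accept or Accept-Encoding is sent
        resp = conn.getresponse()
        return resp.status, resp.getheader("Content-Type")
    finally:
        conn.close()

class GetOnlyRealm(BaseHTTPRequestHandler):
    """Constructed 'before' handler: GET only, and it assumes a User-Agent exists."""
    def do_GET(self):
        agent = self.headers["User-Agent"].lower()  # header is None on a bare request
        self.send_response(200)
        self.send_header("Content-Type", XRDS_TYPE)
        self.end_headers()
    def log_message(self, *args):  # keep the demo quiet
        pass

class TolerantRealm(GetOnlyRealm):
    """Constructed 'after' handler: answers HEAD and tolerates missing headers."""
    def do_GET(self):
        agent = self.headers.get("User-Agent", "")  # empty string when absent
        self.send_response(200)
        self.send_header("Content-Type", XRDS_TYPE)
        self.end_headers()
    do_HEAD = do_GET  # no body is written, so HEAD can share the GET path

def probe(handler_cls):
    """Serve handler_cls on a free loopback port and probe it with bare_head()."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return bare_head("127.0.0.1", server.server_port)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print("GET-only realm:", probe(GetOnlyRealm))   # HEAD is rejected with 501
    print("tolerant realm:", probe(TolerantRealm))  # HEAD succeeds with 200
```

Pointing `bare_head` at your own realm host and port shows whether a header-less HEAD gets a 200 before you retry the provider's verification.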
B
1

Maybe it's just a cached response from AOL and tomorrow it goes away. Just a thought. The test-id.org test and Yahoo test you've already done should demonstrate you're doing it right.

Please let us know if there's a novel requirement AOL holds you to that others don't.

Bandler answered 26/3, 2010 at 2:47 Comment(1)
Yeah, still happening with AOL. Yahoo is working as expected. - Shondrashone
