docwhat's avatardocwhat's blog

How not to implement OpenID

UPDATE: I was wrong! See below…

I have a lovely case study in how not to implement OpenID: SourceForge

I’m unsure of how they’re going about implementing OpenID but I bet it isn’t via one of the open source libraries out there that work.

In the past, it never worked because it’s delegation support was broken.

Delegation is the handy feature that lets you use one host name (such as as your id, but the provider could be someplace else (like Or even multiple places!

I reported that bug but it was never fixed.  The original part of the problem was that it’s HTML parsing was broken.  I know that none of the open source libraries have had this problem.

Now that I have the fancy new OpenID Plugin that can be its own provider, sourceforge is still broken.

This isn’t rocket science, folks. There are libraries that do almost everything for you!


UPDATE[2009-03-14]: It turns out I was wrong! The problem is that the OpenID Plugin was broken. It’s just that at the time of this post, only SourceForge was triggering the bug.  Eventually, all OpenID sites were triggering the bug.

To SourceForge and their staff: I apologize; I was wrong. The only complaint I can make is that the feedback wasn’t sufficient to let me troubleshoot the problem.

UPDATE[2009-03-19]: Wrong again! It turns out that broken apache rewrite rules (which were hidden by ErrorDocument directives) were the cause. Man, I should stop being wrong so much. ;-)


Gravatar for will norris
Will Norris

I have no problems logging into SF, and of course I’m using the WordPress OpenID plugin. :) I do however have trouble commenting with an OpenID here. Looks like you moved your wp-comments-post.php file, right? If so, you need to set OPENIDCOMMENTSPOST_PAGE in wp-config.php. See

Gravatar for docwhat

@Will Norris

OpenID should be fixed. That was, as you point out, my bad.

I also found that Bad Behavior is messing with the ?openid_server=1 requests (they have a signature similar to cross site scripting attacks); so I disabled Bad Behavior for the moment.

However, SourceForge still isn’t able to log in. It says “Could not verify your OpenID. Please try again.” (after I’ve added it to my trusted sites, so it got that far)

The HTTP log only shows this:

"GET /?openid_server=1& HTTP/1.0" 302 - "-"
Gravatar for robert eccardt
Robert Eccardt

They have a workaround on the SourceForge site:

Adding the HTML discovery they mention allows delegation to work for me. But even that is partly broken. It requires me to include the “www” and “index.html” portion of my URL, which I normally leave out. But the whole thing is almost useless anyway, since you can’t use it for their CVS or Subversion.

Gravatar for docwhat

Hah! It turns out it was the OpenID plugin. We should complain to the author…

Submit a Comment


The personal blog of Christian Höltje.
docwhat docwhat contact