Catalyst, OpenID and Yahoo!
2008/10/13 filed under /perl
Net::OpenID::Consumer has just been released to CPAN (it was on BRADFITZ's svn repository for a while), which enables you to handle OpenID 2.0 logins (and since Brad is listed as author of the 2.0 protocol, I trust it's a solid module :)
Since Net::OpenID::Consumer now handles OpenID 2.0, Catalyst::Authentication::Credential::OpenID does too (thanks to ASHLEY (and yes, "ashley is a boy's name")).
This is good news, 'cause Yahoo! only accepts OpenID 2.0. So from now on, all Yahoo! users can log in to your application, and without a lot of code (thanks to the awesome Catalyst Framework).
After implementing it, I ran into the horrors of the Yahoo! implementation. They are very strict and when you screw up at a certain point, they'll greet your users with a lovely message:
Warning: This website has not confirmed its identity with Yahoo! and might be fraudulent. Do not share any personal information with this website unless you are certain it is legitimate.
I tried to look up what caused this and came across a good and quite detailed solution. The only bad thing about it: it didn't work for me.
After messing with it for way too long, I noticed that my return_to URI was redirecting Yahoo! (so what?), so they ignored the Yadis header and thus raised the error.
To fix this in Catalyst, you must make sure you have the following things done:
- Create a yadis.xrdf (see the template)
- Have Catalyst return the right Content-Type header for the file (if you're using Catalyst::Plugin::Static, check the POD!)
- Insert an X-XRDS-Location header for at least the return_to URL
- Have Catalyst return a 200-response code on the return_to URL
I was using code like this:
    my ( $self, $c ) = @_;
    if ( !$c->authenticate({}, "openid") ) {
        $c->flash(error => "OpenID login failed");
    }
    $c->res->redirect( $c->uri_for('/') );
    $c->detach();
FAIL! Don't redirect (or redirect with a meta-refresh, or javascript).
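A return_to action that follows the checklist above, as an added example that is not code from the original post. The application and controller names, the action path and the /static/yadis.xrdf location are assumptions; the XRDS file is assumed to be served as application/xrds+xml.

```perl
package MyApp::Controller::Login;    # hypothetical application/controller names
use strict;
use warnings;
use parent 'Catalyst::Controller';

# return_to endpoint. The OpenID provider fetches this URL itself to verify
# the relying party, so every request must get a 200 response that carries
# the X-XRDS-Location header. An HTTP redirect here hides the header from
# the provider and triggers the "has not confirmed its identity" warning.
sub openid : Path('/login/openid') : Args(0) {
    my ( $self, $c ) = @_;

    # Advertise the Yadis/XRDS document (assumed path, see lead-in).
    $c->res->header(
        'X-XRDS-Location' => $c->uri_for('/static/yadis.xrdf')->as_string );

    # Same authenticate() call as in the post; only the response differs.
    my $message = $c->authenticate( {}, 'openid' )
        ? 'You are logged in.'
        : 'OpenID login failed.';

    # Answer with a normal page and a link instead of $c->res->redirect.
    my $home = $c->uri_for('/')->as_string;
    $c->res->status(200);
    $c->res->content_type('text/html; charset=utf-8');
    $c->res->body(qq{<p>$message</p><p><a href="$home">Continue</a></p>});
}

1;
```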
Since this took me hours to figure out, I hope this blog post makes your life a little easier.


