Your OpenID credentials could not be verified

I use SimpleID as OpenID server software, and it has served me pretty well - except for blogger.com-hosted blogs. Whenever I wanted to comment and authenticate with my OpenID, I got:

Your OpenID credentials could not be verified

or simply

OpenID error

Debugging

Since web searches did not yield any helpful results (one page even told me to delegate my OpenID to Google since that works), I decided to debug the fscking thing.

At first I had a peek at the server logs for my OpenID URL:

74.125.182.31 - - [time] "HEAD / HTTP/1.1" 200 - "-" "-"
74.125.182.31 - - [time] "GET / HTTP/1.1" 200 2127 "-" "-"

So it first tries a HEAD request, and then a GET. The next stop was the access log of the OpenID server domain:

74.125.182.39 - - [time] "GET /?q=xrds/cweiske HTTP/1.1" 200 797 "-" "-"

That was it. No further accesses. This can only mean that Blogger chokes on the XRDS file.

Nailing it down

This is my XRDS file:

<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns="xri://$xrd*($v*2.0)" xmlns:xrds="xri://$xrds"
 xmlns:simple="http://xrds-simple.net/core/1.0"
>
  <XRD version="2.0">
    <Type>xri://$xrds*simple</Type>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>http://id.cweiske.de/</URI>
      <LocalID>http://cweiske.de/</LocalID>
    </Service>
    <Service xmlns:openid="http://openid.net/xmlns/1.0" priority="20">
      <Type>http://openid.net/signon/1.0</Type>
      <URI>http://id.cweiske.de/</URI>
      <openid:Delegate>http://cweiske.de/</openid:Delegate>
    </Service>
  </XRD>
</xrds:XRDS>

And this is Google's:

<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <Type>http://openid.net/srv/ax/1.0</Type>
      <Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
      <Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
      <Type>http://specs.openid.net/extensions/pape/1.0</Type>
      <URI>https://www.google.com/accounts/o8/ud</URI>
    </Service>
  </XRD>
</xrds:XRDS>

I played around, adding a service with priority 0, adding the server type and ax type - nothing helped.

At last, I removed the <Type>xri://$xrds*simple</Type> from my file - and voila, it worked!
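To check an XRDS document for the XRD-level XRDS-Simple Type before a relying party rejects it, the following added example (not code from SimpleID or Blogger) lists the Type elements sitting directly under XRD and the OpenID services in priority order. The names inspect_xrds, has_xrds_simple_marker and the helpers are hypothetical, and the sample document is constructed from the XRDS file shown above.

```python
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"
SIMPLE_MARKER = "xri://$xrds*simple"  # the XRD-level Type removed in the post
OPENID_TYPES = {
    "http://specs.openid.net/auth/2.0/server",
    "http://specs.openid.net/auth/2.0/signon",
    "http://openid.net/signon/1.0",
}

# Constructed sample, reduced from the XRDS file shown above.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns="xri://$xrd*($v*2.0)" xmlns:xrds="xri://$xrds">
  <XRD version="2.0">
    <Type>xri://$xrds*simple</Type>
    <Service priority="20">
      <Type>http://openid.net/signon/1.0</Type>
      <URI>http://id.cweiske.de/</URI>
    </Service>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>http://id.cweiske.de/</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

def q(tag):
    return "{%s}%s" % (XRD_NS, tag)  # ElementTree's namespaced tag form

def texts(parent, tag):
    return [(e.text or "").strip() for e in parent.findall(q(tag))]

def inspect_xrds(xml_text):
    """Return (Types directly under XRD, OpenID services sorted by priority)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    xrd_types, services = [], []
    for xrd in root.findall(q("XRD")):
        xrd_types += texts(xrd, "Type")  # direct children only, not Service/Type
        for svc in xrd.findall(q("Service")):
            types = texts(svc, "Type")
            if OPENID_TYPES.intersection(types):
                prio = svc.get("priority")
                services.append((int(prio) if prio else None, types, texts(svc, "URI")))
    # Lower priority value is tried first; services without one sort last.
    services.sort(key=lambda s: (s[0] is None, s[0] or 0))
    return xrd_types, services

def has_xrds_simple_marker(xml_text):
    return SIMPLE_MARKER in inspect_xrds(xml_text)[0]
```

For documents fetched from hosts you do not control, parse with a hardened XML parser instead of plain ElementTree.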

Standards

My XRDS file is valid according to XRDS-Simple 1.0 Draft 1, but as Eran Hammer writes on his XRDS simple overview page:

XRDS-Simple was an early attempt to simplify the XRDS schema for OAuth Discovery. The XRDS-Simple profile removed many of the complex elements in XRDS and defined new parser behavior to make client development easier. However, after a few attempts it became clear that the underlying architecture was incorrect. Instead, the XRI TC which authored XRDS decided to produce a new specification called XRD 1.0.

XRD 1.0 replaces XRDS-Simple and delivers a truly simple resource descriptor format. It is closely aligned with web linking as used in HTML and ATOM, and includes support for only the most common features.

So we do now know that XRDS-Simple is obsolete.

OpenID version 2 uses the Yadis protocol for OpenID server discovery. Section 7.5.2 XRD Schema defines the structure - it's an XRD 1.0 document, and not an XRDS-Simple one.

Conclusion: SimpleID has a bug, and Blogger is correct in not accepting an invalid XRD file.

Written by Christian Weiske.

Comments? Please send an e-mail.