wp-openid 2.2.0 released

I’ve just released version 2.2.0 of the OpenID plugin for WordPress. Notable additions in this version:

  • POST replay for comments - this should fix all the compatibility issues with other comment related plugins like reCaptcha.
  • MUCH better memory usage - like no longer needlessly building a 2MB object on every page load!
  • support for Email Address to URL Transformation - now you can use an email address anywhere you normally use an OpenID
  • fixed OpenID Spoofing vulnerability - users' profile URLs must match one of their OpenIDs
  • using hooks for gathering user data - other plugins can now hook in and gather user info from FOAF, hCard, whatever
  • If OpenID authentication fails for whatever reason, the user is given the opportunity to submit their comment without OpenID
  • lots of little fixes, code refactoring and cleanup, and a lot of UI tweaks

Download at http://wordpress.org/extend/plugins/openid/.

I tested pretty thoroughly on WordPress 2.2 through 2.6 using PHP5. I’m fairly certain I didn’t break PHP4, but let me know if you find any problems.

With this out the door, I’ll be jumping right into my feature list for the next major release – adding a native OpenID Server and delegation capabilities. At that point, it should be able to handle all of your OpenID related needs.

Comments and responses

Hey Will,

the plugin doesn’t work for me. Like in older versions I still get the following error, when I try to connect my OpenID to my account:

Error: OpenID assertion failed: Server denied check_authentication

I use my OpenID everywhere I can - other Relying Parties don’t seem to have any problems with the check_authentication requests.

Bye, Dennis

@Dennis: do you have big integer support on your server? On the WP-OpenID config page, click “Toggle More/Less” and look for red failures

@Chris: not sure why your comment doesn’t show as having been OpenID authenticated… did it take you through the EAUT flow? I just tried and it seemed to work okay.

Heya Will!

Looks like something is broken in either the OpenID library or in WP-OpenID. I get this error message on my test system:

Could not discover an OpenID identity server endpoint at the url: docwhat.gerf.org

When I updated to 2.20 most of my patches to OpenID fell out. I assume this is a good thing. If you recall, I had patches to fix the web page parsing.

The old findHTML() function seems to be gone, so I assume that they aren’t needed anymore?

I can see that it does (two?) fetches of docwhat.gerf.org. But I don’t seem to be able to figure out where in the parsing it fails. :-(

Others seem to be having trouble too: http://wordpress.org/support/topic/191523


  • Click Settings
  • Click WP-OpenID
  • Above the words “WP-OpenID Registration Options” there is a box. It says “Status Information”
  • Click on “toggle more/less”
  • Below the line about “library: BCMath” there may be a line about “Loaded long integer library”. If there is and it says “FAIL” then report that. If the line doesn’t exist, then it is OK

@Will: You may want to make that line appear even if it’s OK. It is confusing otherwise.


When I try to add my OpenID to my user account in WP 2.6, I get:

Error: OpenID assertion failed: BAD_REQUEST

I checked the settings, nothing red.

Any ideas? I’m delegating to verisign labs. Haven’t had problems with DOPPLR or identi.ca.

Also, in posting this comment here, I got a “We were unable to authenticate your claimed OpenID, however you can continue to post your comment without OpenID”.

Chris: yours is very likely a SSL cert problem… it looks like you have your site redirect to an HTTPS version which is protected with a CACert certificate. While I actually love CACert and use them as my CA of choice for many applications, most curl installations do not have them in the list of trusted CAs. You’ll either need to modify your site so that XRDS discovery can be performed without SSL, or get a certificate from a more commonly trusted CA.

@Christian: your server is returning an HTTP 400 to the request made by the openid library. The exact request (which reproduces the 400 over telnet) is:

GET / HTTP/1.1
Range: bytes=0-1048576
User-Agent: php-openid/2.1.0 (php/5.2.5) curl/7.16.3
Host: docwhat.gerf.org
Accept: application/xrds+xml, text/html; q=0.3, application/xhtml+xml; 0.5

Sidenote: Hey Will what do you think about making it easier to provide you with debugging information, and a better diagnostic dashboard for folks who are trying to figure out what (or where) things are going wrong?

It seems to me that the current UI might be a little hard to get to or make use of… It might also be useful to add a link to a Satisfaction site for support – or to the wordpress.org support page.


[quote comment=“22568”]@Christian: your server is returning an HTTP 400 to the request made by the openid library. [/quote]

It appears that Bad Behavior is catching the openid request as something bad.

It appears that it doesn’t like the range header, which is a bit odd…

I’ll see if I can do something about having Bad Behavior block those, but probably not sending a “range” header is probably a good idea.

Meanwhile, I submitted a patch to the author of bad-behavior to allow php-openid clients to use range, as well.


@TheDoctorWhat Thanks for your advice. I installed the latest version of the plugin (2.2.1) and verified that everything on the plugin side is okay, the line reads the following:

[OK] Big Integer support: GMP is installed.

Unfortunately it still doesn’t work. I guess it would be good to pick up Chris' idea, so I can find out and provide more information about what’s going wrong.

Have a nice weekend, Dennis

Since upgrading, the wp-openid doesn’t seem to handle openid redirects. I get the following error:

Could not discover an OpenID identity server endpoint at the url: toph.ca

Any idea on what is going on?

Email to ID has its specification. Email Address to URL Translation (EAUT for short) is an open protocol for transforming email addresses into URLs so that they can be used with services such as OpenID.

Email Address to URL Transformation (EAUT) defines a mechanism for transforming the "addr-spec" portion of an RFC2822 email address into an associated URL. The transform options outlined in this document are designed to be flexible enough such that every DNS domain-owner can specify unlimited email address to URL transformations that services can easily discover and utilize in their URL-based transactions.

The principle is simple:

Anyone interested in exactly which steps are performed, or in whether their own email provider supports a corresponding mapping, can test their email address here (example: matthias@pfefferle.org).

Examples in the wild

The first service to implement the Email Address to URL Translation specification is Ma.gnolia.com:

Just wanted to let everyone know that we just deployed EAUT support over at Ma.gnolia (http://ma.gnolia.com). You can now type in your email address in the OpenID field and we'll resolve using EAUT with https://web.archive.org/web/20080929085748/http://emailtoid.net/ as the default.

Ma.gnolia.com - Email Address to URL Transformation

Will Norris has also implemented EAUT in his OpenID WordPress plugin (version 2.2.0).

(via Carsten Pötter's Shared Items)

Does your EAUT implementation fall back nicely to the existing way we do email-as-openID? Does it have a last-resort-emailtoid checkbox we can turn on?

Testing the answer to my first question in the comment… heh

[quote comment="22738"]Stephen, you seem to be running into the same problem as DocWhat above… Bad Behavior is causing a HTTP 400 when php-openid requests your XRDS document.[/quote]

Any chance of removing the RANGE portion of the request? Why is it there in the first place?

I’ve posted to the WordPress Forums as well as the JanRain dev mailing list, so we’ll see what people have to say. My thinking on the matter:

  • it’s a valid http request, so Bad Behavior should allow it, regardless
  • I don’t want to ship a modified version of the JanRain library if I can at all keep from it
  • I will ship a modified version of the library if we need to, but I want some more information before doing so

Will: I saw your email on the openid list. I didn't realize it was in the openid library itself.

I already submitted a request to bad-behavior to not block the UA php-openid. Range seems like an odd thing to filter on, though. :-/

I don't know which is in the 'wrong' because I don't know enough about either situation.

Hi, I have troubles with openid.pl. When I entered my OpenID address at openid.pl I received an error: “The Request that you have attempted does not meet the OpenID protocol standard - please contact the host administrator of your site to advise them of this situation.”

myopenid.com for example works fine. Can you check or add the openid.pl?

@Pawe: I’m not sure I understand the problem you’re having, as that is not an error message from wp-openid. Exactly what site are you trying to login to, and what OpenID are you trying to use there?

It’s on my blog: http://blog.pawelsobczak.pl. One of my readers sent me feedback about troubles with openid.pl. I registered at it to check the problem, because other sites (like myopenid.com) work fine. This is the URL with error: http://wklej.org/id/d37b8aa5c6 (it’s only a link to the URL, because the latter is too long). Is it possible that openid.pl uses a different ‘standard’ that the plugin doesn’t operate?

I am getting this error

Fatal error: Call to a member function finish_openid_auth() on a non-object in /home/danesh/domains/thedaneshproject.com/public_html/wp-content/plugins/defensio-anti-spam/defensio.php on line 619

Please advise

I installed v2.2.1 (on WP 2.4.1), and no longer seem to be able to post comments when your plugin is activated. I get the following error when wp-comments-post.php runs:

You must submit a comment using the comment form.

I checked the plugin’s status info, which displays a failure for Big Integer support:

[FAIL] Big Integer support: The OpenID Library is operating in Dumb Mode. Recommend installing GMP support.

Are there any workarounds I could apply? Comments can be posted if I turn off openid, but of course that means no openid support for my site.

Thanks in advance!

Oops, I meant WP 2.5.1. (And it’s with a test site, not the url noted in the website field.) In any case, I started a thread over at the WP support forum, so feel free to continue there.

Hey, Will! I have a problem with this plug-in. This is a message, what I have:

Plugin could not be activated because it triggered a fatal error.

At the same time plug-in status is activated, but there are two more messages after attempt to log in using openid:

Warning: constant(): Couldn't find constant PEAR_LOG_WARNING in /home/www/yeleleo.co.uk/blog/wp-content/plugins/openid/core.php on line 58

Fatal error: Call to a member function on a non-object in /home/www/yeleleo.co.uk/blog/wp-content/plugins/openid/core.php on line 59

Please help me to fix this problem.. Blog here http://yeleleo.co.uk/blog/ Thanks!

I’ve posted a comment a few days ago but I see it didn’t appear. So once again: the problem occurred when one of my readers used the openid[dot]pl, so I checked it with my test account queyas[dot]openid[dot]pl and received the message. I’ve discovered that 2.1.9 version works ok, so there’s something wrong with the newest plugin

@Pawel, sorry about that… I did get your comment, I guess I just forgot to go in and approve it. I did however contact the admin of openid.pl and we figured out what the problem was. It was a minor bug in wp-openid – it was adding a trailing slash to the trust_root URL, but not the return_to URL. Therefore openid.pl rightfully detected that the return_to was not under the same path as the trust_root and therefore rejected it. Strangely, it doesn’t seem like any other OpenID providers are comparing to that much scrutiny (or they are ignoring the trailing slash problem). In any event, I’ve updated the plugin in SVN, and verified that it works… try again on this site to see it working. The patch will be included in the next release, which I’ll try to do today.

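The trailing-slash mismatch described in the reply above, as an added example (not code from wp-openid, php-openid or openid.pl): a strict check that return_to lies under the trust_root, using the path rule of OpenID Authentication 2.0 realm matching. The function names and the blog.example URLs are constructed for illustration, and wildcard realms are left out.

```php
<?php
// Added example: strict return_to-under-trust_root check. Names and URLs are
// constructed for illustration; wildcard realms ("*.example") are not handled.

function default_port(string $scheme): int
{
    return $scheme === 'https' ? 443 : 80;
}

function return_to_matches_realm(string $realm, string $returnTo): bool
{
    $r = parse_url($realm);
    $u = parse_url($returnTo);
    if (!is_array($r) || !is_array($u)
        || !isset($r['scheme'], $r['host'], $u['scheme'], $u['host'])) {
        return false;
    }

    // Scheme, host and port must be identical.
    $scheme = strtolower($r['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)
        || $scheme !== strtolower($u['scheme'])
        || strtolower($r['host']) !== strtolower($u['host'])
        || ($r['port'] ?? default_port($scheme)) !== ($u['port'] ?? default_port($scheme))) {
        return false;
    }

    // Path must be equal to the realm path or a sub-directory of it.
    $realmPath = $r['path'] ?? '/';
    $urlPath   = $u['path'] ?? '/';
    if ($urlPath === $realmPath) {
        return true;
    }
    // Compare against the realm path with exactly one trailing slash, so that
    // "/wp" covers "/wp/x" but not "/wp-evil", and "/wp/" does not cover "/wp".
    $prefix = rtrim($realmPath, '/') . '/';
    return strncmp($urlPath, $prefix, strlen($prefix)) === 0;
}

// Constructed sample pairs: trust_root (realm) first, return_to second.
$pairs = [
    ['http://blog.example/wp/', 'http://blog.example/wp?openid_consumer=1'],
    ['http://blog.example/wp/', 'http://blog.example/wp/?openid_consumer=1'],
    ['http://blog.example/wp',  'http://blog.example/wp-evil/?openid_consumer=1'],
];
foreach ($pairs as [$realm, $returnTo]) {
    printf("%-26s %-48s %s\n", $realm, $returnTo,
        return_to_matches_realm($realm, $returnTo) ? 'accept' : 'reject');
}
```

The first pair has the slash on the trust_root only and is rejected, the second is the consistent form and is accepted. The third is rejected because the comparison is made per path segment rather than as a plain string prefix.
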
@yeleleo: looks like the PEAR logging stuff isn’t being included properly. Do you have some other Logging library in your include path by chance? Specifically something that would provide a class named “Log”?

Hello! I use WP v.2.6 and plugin WP-OpenID v.2.2.2. When I try to use openid (lj or myopenid.com) I see this error: “Unable to authenticate OpenID”. What does that mean? How can I fix it?

@LifeAsItComes (Kevin): well that issue certainly doesn’t exist anymore in its current form, simply because authentication requests would never have a return_to of anything in wp-admin/… all responses come back to /?openid_consumer.

Will, Thanks for the plugin. This is a really important bit of infrastructure for wordpress to be receiving.

Unfortunately, I’ve noticed that I am receiving the following error: PHP Fatal error: Too many values for format string: => 1218639686 in [my home dir]/public_html/wp-content/plugins/openid/store.php on line 441

That comes from the interpolate function. The error arose when I clicked on the “Manage” tab on the dashboard, and it resulted in a 404.

I’m using WP2.6. Please mail me if you want more information. Thanks!

@Sebastian: I’m having the same problem. The linking only works when I point directly to the server’s location - the header s at my homepage aren’t followed.

However, the process just completed first time when I tested posting an OpenID comment while logged out of my local mirror of my blog. Could be because it’s a local mirror, could be because I was using IE to avoid logging out of Fx, could be because I was logged out…who knows.

I submitted a bug report about it the other day.

(Another bug: this comment wouldn’t submit until I entered a name and e-mail!)

[quote comment=“23190”]Will you add support for the avatar system for Openid? http://www.openvatar.com [/quote]

You should be able to do this pretty easily already… the get_avatar() function added in 2.5 is pluggable, and wp-openid provides an is_comment_openid() function. Using those, an openvatar plugin could be done with pretty minimal code.

With a Livejournal openID, I’m getting this problem: http://wordpress.org/support/topic/194995 which, if I correctly understand this blog post: http://sbrlabs.com/blog/?p=7540 is caused by the same lack of an XML-DOM parser that shows up as an error when I try to log-in with a Yahoo/Flickr openID. In other words, I won’t be able to use openid until PHP is upgraded or extended on my server. There’s also a javascript error because add_openid_to_comment_form gets called in every footer, but the function is included only on pages with comment forms.

[quote comment=“23075”]Error: OpenID assertion failed: return_to does not match return URL. Expected http://lifeasitcomes.com/, got http://lifeasitcomes.com/?action=verify

Error: Unable to authenticate OpenID.[/quote]

I get the same error. This happens when trying to add OpenID URLs to an account through the profile page.

I’ve tried pinpointing what’s wrong, but I’m in the dark since I don’t know enough about the standard.

What I found is that parameters are missing when they are being checked for in _verifyReturnToArgs (Auth/OpenID/Consumer.php) during the check of $bare_args = $message->getArgs(Auth_OpenID_BARE_NS);

Hopefully this can help you in pinpointing and fixing the problem.


I got a question.

If I created an account and add identify link, I can still use my chosen username.

If I didn’t create an account and use identify link to login & create account, I will not be able to switch my user name away from identify link.

Am I correct in regard to this? Is it possible to pull first name, last name, or username from a 3rd party, such as “Yahoo”?

Thanks in advance.

@weinschenker: I’ve not had any problems with Yahoo OpenIDs.

@Ray: If you create an account using an OpenID, your username is generated from the OpenID you logged in with. You could then modify which OpenIDs are associated with your account, but the username can’t be changed. I’ve thought about maybe letting the user choose their username at the time of account creation, but haven’t added that in yet.

To allow the user to specify a username in the OpenID register process sounds like a good idea.

I know you are busy at new version. You Rock!!!

Thanks x 200%

Please let me know if you need any help, but I am sure I am not as smart as you are.