Hi, I had a look at the Ruby and Python OpenID Authentication server APIs. When an error related to the OpenID Authentication protocol occurs (e.g. an invalid request from a User-Agent or Relying Party), both implementations throw an instance of ProtocolError.

All the source code I've seen returns 500 as the HTTP status code with the error message as the body. According to Page 13 this behaviour is only correct when interacting with a User-Agent and the following happens:

  If the malformed or invalid message is received by the Relying Party, or "openid.return_to" is not present or its value is not a valid URL, the server SHOULD return a response to the end user indicating the error and that it is unable to continue.

I think the correct behaviour is described on Page 10/11:

  If a request is malformed or contains invalid arguments, the server MUST send a response with a status code of 400. The response body MUST be a Key-Value Form (Section 4.1.1) message with the following fields:

However, I doubt that I know better than the people who wrote the official examples. Can someone please clarify how to handle OpenID errors correctly?

Best wishes,
Matthias-Christian

_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
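The two cases the question contrasts can be kept apart in code. The block below is an added illustration, not the poster's code and not the Ruby or Python OpenID library code: it builds an OP-side error response according to OpenID Authentication 2.0 sections 4.1.1 (Key-Value Form), 5.1.2.2 (direct error responses: status 400 with a Key-Value body carrying ns and error, plus optional contact and reference) and 5.2.3 (indirect error responses: a redirect to a valid openid.return_to with openid.mode=error, or an error page for the end user when return_to is missing or unusable). The function names, the treatment of a request with no recognised openid.mode, the sample requests, and the choice of 400 for the end-user error page (the spec fixes no status code there) are all assumptions made for this example.

```python
"""Constructed example of OpenID 2.0 error handling on the OP side.

Added illustration, not the ruby-openid or python-openid code. It follows
OpenID Authentication 2.0 sections 4.1.1 (Key-Value Form), 5.1.2.2 (direct
error responses) and 5.2.3 (indirect error responses).
"""
from urllib.parse import urlencode, urlsplit, urlunsplit

OPENID2_NS = "http://specs.openid.net/auth/2.0"

# Modes that reach the OP through the end user's browser (indirect requests).
# associate and check_authentication are direct requests sent by the RP itself.
INDIRECT_MODES = {"checkid_setup", "checkid_immediate"}


def kv_encode(fields):
    """Key-Value Form (section 4.1.1): one 'key:value' per line, each line
    terminated by a newline; keys may not contain ':' or newlines and values
    may not contain newlines. `fields` is an ordered list of (key, value)."""
    out = []
    for key, value in fields:
        if ":" in key or "\n" in key or "\n" in value:
            raise ValueError(f"field {key!r} cannot be key-value encoded")
        out.append(f"{key}:{value}\n")
    return "".join(out)


def valid_return_to(url):
    """Only an absolute http(s) URL is a usable redirect target; anything
    else (empty, relative, javascript:, ...) counts as 'not a valid URL'."""
    if not url:
        return False
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def is_indirect(request):
    """Classify by openid.mode. A request with no mode but with
    openid.return_to is treated as indirect (an assumption of this example;
    the spec leaves unknown-mode requests to the implementation)."""
    mode = request.get("openid.mode")
    return mode in INDIRECT_MODES or (mode is None and "openid.return_to" in request)


def protocol_error_response(request, message, contact=None, reference=None):
    """Return (status, headers, body) for a malformed or invalid request.
    `request` is a dict of the openid.* parameters exactly as received."""
    optional = [(k, v) for k, v in (("contact", contact), ("reference", reference)) if v]

    if is_indirect(request):
        return_to = request.get("openid.return_to")
        if valid_return_to(return_to):
            # Section 5.2.3: send the user agent back to the RP with
            # openid.mode=error, appending to return_to's existing query.
            params = [("openid.ns", OPENID2_NS), ("openid.mode", "error"),
                      ("openid.error", message)]
            params += [("openid." + k, v) for k, v in optional]
            parts = urlsplit(return_to)
            query = (parts.query + "&" if parts.query else "") + urlencode(params)
            location = urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))
            return 302, {"Location": location}, ""
        # return_to absent or unusable: there is nowhere to redirect, so the
        # end user gets an error page saying the OP cannot continue. The spec
        # fixes no status code for this page; 400 is this example's choice.
        body = f"OpenID request error: {message}\nThe server is unable to continue.\n"
        return 400, {"Content-Type": "text/plain; charset=utf-8"}, body

    # Direct request (section 5.1.2.2): status 400, Key-Value Form body.
    fields = [("ns", OPENID2_NS), ("error", message)] + optional
    return 400, {"Content-Type": "text/plain; charset=utf-8"}, kv_encode(fields)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    print(protocol_error_response(
        {"openid.ns": OPENID2_NS, "openid.mode": "associate", "openid.assoc_type": "HMAC-MD5"},
        "unsupported assoc_type"))
    print(protocol_error_response(
        {"openid.mode": "checkid_setup", "openid.return_to": "https://rp.example/finish?s=1"},
        "missing openid.claimed_id"))
    print(protocol_error_response(
        {"openid.mode": "checkid_immediate", "openid.return_to": "javascript:alert(1)"},
        "return_to is not a valid URL"))
```

The point of `valid_return_to` is that the indirect branch is a redirect under RP control: the OP must refuse to bounce the browser to a non-http(s) or relative target and fall through to the end-user error page instead, which is the "return_to is not present or not a valid URL" case quoted above.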
