chantasaur / lightopenid

Automatically exported from code.google.com/p/lightopenid

Providers with not valid content-type #14

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
The consumer in this library does not work with the biggest Czech OpenID provider,
because it sends content-type 'text/xml' instead of 'application/xrds+xml'.

I propose this simple patch, which makes it work.

Original issue reported on code.google.com by juzna.cz on 2 Nov 2010 at 11:35

GoogleCodeExporter commented 8 years ago
The OP you've mentioned violates the Yadis protocol[1]. It should be fixed on
their side, not in LightOpenID.

It would be a problem to make that change in LightOpenID, because websites can 
also have "text/xml" MIME type[2], and may contain discovery data inside 
meta-tags. While it is rarely used, it's possible, and contrary to what the OP 
does, valid.

Another question is, does it work with other consumers? Which ones? And what's 
the url of the provider anyway?

[1]: http://yadis.org/wiki/Yadis_1.0_%28HTML%29#6.2.5_Response
[2]: http://www.w3.org/TR/2002/NOTE-xhtml-media-types-20020801/#text-xml

Original comment by mewp...@gmail.com on 2 Nov 2010 at 2:20

GoogleCodeExporter commented 8 years ago
It took me some time to study related specifications...

Yes, according to the specification, you're right. That provider is seznam.cz and
I'll try to contact them, but I'm not sure if they would care.

The interesting thing is that other consumers work with that OP. I tried e.g.
'Simple OpenID PHP Class'[1], and random websites that use OpenID also work
[2] (and don't care about the MIME type at all -- also tested with MIME type
text/plain [3]). I think that's because many people can't set the proper MIME type
and just upload their Yadis file to a web server [3].

For that reason I'm attaching another patch:
 - added attribute $strict = false
 - when $strict==false (default), it tries to guess whether it's XRDS
With this patch it will work with most providers and also personal OpenIDs
(like juzna.cz); whoever wants to be strict can change the strict attribute to true.
(Perhaps you can set strict to true by default.)

[1]: http://www.phpclasses.org/package/3290-PHP-Authenticate-users-with-OpenID-single-sign-on.html
[2]: https://www.myopenid.com/directory
[3]: http://juzna.cz/yadis

Original comment by juzna.cz on 11 Nov 2010 at 6:26

GoogleCodeExporter commented 8 years ago
I've rebased my patch on top of origin/master, so that you can apply it cleanly.

Original comment by juzna.cz on 12 Nov 2010 at 11:44

GoogleCodeExporter commented 8 years ago
Making a compatibility switch is a dirty hack that should be avoided (since it
leads only to more bugs, and incompatibility between instances of the same
library).

I think that after all, I'll remove the check for application/xrds+xml, and 
instead get the content as soon as there's no x-xrds-location header. Only XRDS 
documents should contain service elements, so it probably won't break anything.

I'll commit the patch later, when I've thought about it some more.
Anyway, thanks for your interest.

Original comment by mewp...@gmail.com on 12 Nov 2010 at 12:09

GoogleCodeExporter commented 8 years ago
I've decided to allow text/xml content-type. The discovery of seznam.cz now 
works.

Original comment by mewp...@gmail.com on 22 Nov 2010 at 3:34
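
The ambiguity discussed in this thread, as an added example (not LightOpenID's code and not the patch attached to the issue): one way a consumer could accept `text/xml` without treating every XML page as XRDS is to check that the root element is `XRDS` in the `xri://$xrds` namespace. The function names, the `reject` policy for other media types and the sample responses are assumptions of this example.

```php
<?php
// Added example, not LightOpenID code; names and sample data are hypothetical.
const XRDS_NS = 'xri://$xrds';

// True if $body is well-formed XML whose root is <XRDS> in the XRDS namespace.
function looks_like_xrds(string $body): bool
{
    $prev = libxml_use_internal_errors(true);   // collect parse errors quietly
    $doc = new DOMDocument();
    $ok = $body !== '' && $doc->loadXML($body, LIBXML_NONET); // no network fetches
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $root = $ok ? $doc->documentElement : null;
    return $root !== null && $root->localName === 'XRDS' && $root->namespaceURI === XRDS_NS;
}

// Returns 'follow-location', 'xrds', 'html-meta' or 'reject'.
function classify_yadis_response(array $headers, string $body): string
{
    $h = array_change_key_case($headers, CASE_LOWER);
    if (!empty($h['x-xrds-location'])) {
        return 'follow-location';               // fetch the XRDS from that URL instead
    }
    // Media type without parameters such as charset.
    $type = strtolower(trim(explode(';', $h['content-type'] ?? '')[0]));
    switch ($type) {
        case 'application/xrds+xml':
            return 'xrds';
        case 'text/xml':                        // ambiguous: mislabelled XRDS or an XHTML page
            return looks_like_xrds($body) ? 'xrds' : 'html-meta';
        case 'text/html':
        case 'application/xhtml+xml':
            return 'html-meta';                 // look for discovery data in <meta> tags
        default:
            return 'reject';                    // policy chosen for this example
    }
}

// Constructed sample responses.
$xrds  = '<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"><XRD/></xrds:XRDS>';
$xhtml = '<html xmlns="http://www.w3.org/1999/xhtml"><head><title>t</title></head><body/></html>';
foreach ([
    [['Content-Type' => 'text/xml; charset=utf-8'], $xrds],
    [['Content-Type' => 'text/xml'], $xhtml],
    [['Content-Type' => 'text/plain'], $xrds],
    [['X-XRDS-Location' => 'https://op.example/xrds'], ''],
] as [$headers, $body]) {
    echo json_encode($headers), ' => ', classify_yadis_response($headers, $body), "\n";
}
```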