cemerick / friend

An extensible authentication and authorization library for Clojure Ring web applications and services.

unsuccessful user-provided OpenID auth, success depends on local time #112

Closed (cohidi closed this issue 10 years ago)

cohidi commented 10 years ago

Local log of friend demo with OpenID:

luke ~/friend-demo $ lein run 8090
Jun 05, 2014 1:25:31 PM org.openid4java.server.RealmVerifier setEnforceRpId
WARNING: RP discovery / realm validation disabled; 
2014-06-05 13:25:35.404:INFO:oejs.Server:jetty-7.6.1.v20120215
2014-06-05 13:25:35.513:INFO:oejs.AbstractConnector:Started SelectChannelConnector@0.0.0.0:8090
Jun 05, 2014 1:26:17 PM org.openid4java.discovery.Discovery discover
INFO: Starting discovery on URL identifier: http://XXXXX.XXXXX.XXX/XXXX@XXXX
Jun 05, 2014 1:26:17 PM org.openid4java.discovery.yadis.YadisResolver discover
INFO: Yadis discovered 0 endpoints from: http://XXXXX.XXXXX.XXX/XXXX@XXXX
Jun 05, 2014 1:26:17 PM org.openid4java.discovery.Discovery discover
INFO: No OpenID service endpoints discovered through Yadis; attempting HTML discovery...
Jun 05, 2014 1:26:18 PM org.openid4java.discovery.html.HtmlResolver discoverHtml
INFO: HTML discovery completed on: http://XXXXX.XXXXX.XXX/XXXX@XXXX
Jun 05, 2014 1:26:18 PM org.openid4java.discovery.Discovery discover
INFO: Discovered 1 OpenID endpoints.
Jun 05, 2014 1:26:18 PM org.openid4java.consumer.ConsumerManager associate
INFO: Trying to associate with http://XXXXX.XXXXX.XXX/openid attempts left: 4
Jun 05, 2014 1:26:18 PM org.openid4java.consumer.ConsumerManager createAssociationRequest
WARNING: Could not create association of type: no-encryption:HMAC-SHA1:OpenID2
Jun 05, 2014 1:26:18 PM org.openid4java.consumer.ConsumerManager createAssociationRequest
WARNING: Could not create association of type: no-encryption:HMAC-SHA256:OpenID2
Jun 05, 2014 1:26:18 PM org.openid4java.consumer.ConsumerManager associate
INFO: Associated with http://XXXXX.XXXXX.XXX/openid handle: {HMAC-SHA256}{539052f0}{6LbUvQ==}
Jun 05, 2014 1:26:18 PM org.openid4java.consumer.ConsumerManager authenticate
INFO: Creating authentication request for OP-endpoint: http://XXXXX.XXXXX.XXX/openid claimedID: http://XXXXX.XXXXX.XXX/XXXX@XXXX OP-specific ID: http://XXXXX.XXXXX.XXX/XXXX@XXXX
Jun 05, 2014 1:26:18 PM org.openid4java.server.RealmVerifier match
INFO: Return URL: http://localhost:8090/openid/login matches realm: http://localhost:8090/openid/login
Jun 05, 2014 1:26:20 PM org.openid4java.consumer.ConsumerManager verify
INFO: Verifying authentication response...
Jun 05, 2014 1:26:20 PM org.openid4java.consumer.ConsumerManager verify
INFO: Received positive auth response.
Jun 05, 2014 1:26:20 PM org.openid4java.consumer.AbstractNonceVerifier seen
WARNING: Nonce is too old: 2014-06-05T11:22:27Zk4p7fr
Jun 05, 2014 1:26:20 PM org.openid4java.consumer.ConsumerManager verify
SEVERE: Nonce verification failed.
2014-06-05 13:26:20.926:WARN:oejs.AbstractHttpConnection:/openid/login?openid.assoc_handle=%7BHMAC-SHA256%7D%7B539052f0%7D%7B6LbUvQ%3D%3D%7D&openid.claimed_id=http%3A%2F%2FXXXXX.XXXXX.XXX%2FXXXXX%40XXXXX&openid.identity=http%3A%2F%2FXXXXX.XXXXX.XXX%2FXXXXX%40XXXXX&openid.mode=id_res&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.op_endpoint=http%3A%2F%2FXXXXX.XXXXX.XXX%2Fopenid&openid.response_nonce=2014-06-05T11%3A22%3A27Zk4p7fr&openid.return_to=http%3A%2F%2Flocalhost%3A8090%2Fopenid%2Flogin&openid.sig=MMmrtJTAg3ZYeBv29SofxtXGcFn0HccpTPrskQHNBaw%3D&openid.signed=assoc_handle%2Cclaimed_id%2Cidentity%2Cmode%2Cns%2Cop_endpoint%2Cresponse_nonce%2Creturn_to%2Csigned
java.lang.NullPointerException
    at cemerick.friend.openid$handle_return.invoke(openid.clj:96)
    at cemerick.friend.openid$workflow$fn__3432.invoke(openid.clj:122)
    at cemerick.friend$authenticate_request$fn__2881.invoke(friend.clj:230)
    at clojure.core$map$fn__4087.invoke(core.clj:2432)
    at clojure.lang.LazySeq.sval(LazySeq.java:42)
    at clojure.lang.LazySeq.seq(LazySeq.java:60)
    at clojure.lang.RT.seq(RT.java:473)
    at clojure.core$seq.invoke(core.clj:133)
    at clojure.core$filter$fn__4106.invoke(core.clj:2470)
    at clojure.lang.LazySeq.sval(LazySeq.java:42)
    at clojure.lang.LazySeq.seq(LazySeq.java:60)
    at clojure.lang.LazySeq.first(LazySeq.java:82)
    at clojure.lang.RT.first(RT.java:566)
    at clojure.core$first.invoke(core.clj:55)
    at cemerick.friend$authenticate_request.invoke(friend.clj:230)
    at cemerick.friend$authenticate_STAR_.invoke(friend.clj:240)
    at cemerick.friend$authenticate$fn__2888.invoke(friend.clj:248)
    at ring.middleware.keyword_params$wrap_keyword_params$fn__217.invoke(keyword_params.clj:32)
    at ring.middleware.nested_params$wrap_nested_params$fn__262.invoke(nested_params.clj:70)
    at ring.middleware.params$wrap_params$fn__187.invoke(params.clj:58)
    at ring.middleware.multipart_params$wrap_multipart_params$fn__302.invoke(multipart_params.clj:107)
    at ring.middleware.flash$wrap_flash$fn__1420.invoke(flash.clj:31)
    at ring.middleware.session$wrap_session$fn__1405.invoke(session.clj:85)
    at clojure.lang.Var.invoke(Var.java:415)
    at compojure.core$routing$fn__1875.invoke(core.clj:106)
    at clojure.core$some.invoke(core.clj:2390)
    at compojure.core$routing.doInvoke(core.clj:106)
    at clojure.lang.RestFn.applyTo(RestFn.java:139)
    at clojure.core$apply.invoke(core.clj:603)
    at compojure.core$routes$fn__1879.invoke(core.clj:111)
    at cemerick.friend_demo$wrap_app_metadata$fn__4854.invoke(friend_demo.clj:64)
    at compojure.core$routing$fn__1875.invoke(core.clj:106)
    at clojure.core$some.invoke(core.clj:2390)
    at compojure.core$routing.doInvoke(core.clj:106)
    at clojure.lang.RestFn.invoke(RestFn.java:423)
    at cemerick.friend_demo$fn__4861$iter__4857__4862$fn__4863$fn__4874.invoke(friend_demo.clj:71)
    at compojure.core$wrap_context$fn__1929.invoke(core.clj:164)
    at compojure.core$if_route$fn__1853.invoke(core.clj:39)
    at compojure.core$routing$fn__1875.invoke(core.clj:106)
    at clojure.core$some.invoke(core.clj:2390)
    at compojure.core$routing.doInvoke(core.clj:106)
    at clojure.lang.RestFn.applyTo(RestFn.java:139)
    at clojure.core$apply.invoke(core.clj:603)
    at compojure.core$routes$fn__1879.invoke(core.clj:111)
    at clojure.lang.Var.invoke(Var.java:415)
    at ring.adapter.jetty$proxy_handler$fn__2585.invoke(jetty.clj:18)
    at ring.adapter.jetty.proxy$org.eclipse.jetty.server.handler.AbstractHandler$0.handle(Unknown Source)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:111)
    at org.eclipse.jetty.server.Server.handle(Server.java:349)
    at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:452)
    at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:884)
    at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:938)
    at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:634)
    at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:230)
    at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:76)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:609)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:45)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:599)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:534)
    at java.lang.Thread.run(Unknown Source)

The same, but local time has been moved two hours back:

luke ~/friend-demo $ lein run 8090
Jun 05, 2014 11:27:14 AM org.openid4java.server.RealmVerifier setEnforceRpId
WARNING: RP discovery / realm validation disabled; 
2014-06-05 11:27:17.308:INFO:oejs.Server:jetty-7.6.1.v20120215
2014-06-05 11:27:17.343:INFO:oejs.AbstractConnector:Started SelectChannelConnector@0.0.0.0:8090
Jun 05, 2014 11:27:33 AM org.openid4java.discovery.Discovery discover
INFO: Starting discovery on URL identifier: http://XXXXX.XXXXX.XXX/XXXX@XXXX
Jun 05, 2014 11:27:33 AM org.openid4java.discovery.yadis.YadisResolver discover
INFO: Yadis discovered 0 endpoints from: http://XXXXX.XXXXX.XXX/XXXX@XXXX
Jun 05, 2014 11:27:33 AM org.openid4java.discovery.Discovery discover
INFO: No OpenID service endpoints discovered through Yadis; attempting HTML discovery...
Jun 05, 2014 11:27:33 AM org.openid4java.discovery.html.HtmlResolver discoverHtml
INFO: HTML discovery completed on: http://XXXXX.XXXXX.XXX/XXXX@XXXX
Jun 05, 2014 11:27:33 AM org.openid4java.discovery.Discovery discover
INFO: Discovered 1 OpenID endpoints.
Jun 05, 2014 11:27:33 AM org.openid4java.consumer.ConsumerManager associate
INFO: Trying to associate with http://XXXXX.XXXXX.XXX/openid attempts left: 4
Jun 05, 2014 11:27:33 AM org.openid4java.consumer.ConsumerManager createAssociationRequest
WARNING: Could not create association of type: no-encryption:HMAC-SHA1:OpenID2
Jun 05, 2014 11:27:33 AM org.openid4java.consumer.ConsumerManager createAssociationRequest
WARNING: Could not create association of type: no-encryption:HMAC-SHA256:OpenID2
Jun 05, 2014 11:27:34 AM org.openid4java.consumer.ConsumerManager associate
INFO: Associated with http://XXXXX.XXXXX.XXX/openid handle: {HMAC-SHA256}{53905341}{SMsrPQ==}
Jun 05, 2014 11:27:34 AM org.openid4java.consumer.ConsumerManager authenticate
INFO: Creating authentication request for OP-endpoint: http://XXXXX.XXXXX.XXX/openid claimedID: http://XXXXX.XXXXX.XXX/XXXX@XXXX OP-specific ID: http://XXXXX.XXXXX.XXX/XXXX@XXXX
Jun 05, 2014 11:27:34 AM org.openid4java.server.RealmVerifier match
INFO: Return URL: http://localhost:8090/openid/login matches realm: http://localhost:8090/openid/login
Jun 05, 2014 11:27:35 AM org.openid4java.consumer.ConsumerManager verify
INFO: Verifying authentication response...
Jun 05, 2014 11:27:35 AM org.openid4java.consumer.ConsumerManager verify
INFO: Received positive auth response.
Jun 05, 2014 11:27:35 AM org.openid4java.consumer.ConsumerManager verifySignature
INFO: Found association: {HMAC-SHA256}{53905341}{SMsrPQ==} verifying signature locally...
Jun 05, 2014 11:27:35 AM org.openid4java.consumer.ConsumerManager verifySignature
INFO: Verification succeeded for: http://XXXXX.XXXXX.XXX/XXXX@XXXX
cohidi commented 10 years ago

Solved by setting :max-nonce-age 300000
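The two logs above show why the setting matters: the OP stamped the nonce `2014-06-05T11:22:27Z`, the relying party verified it at 13:26:20 local time, and `AbstractNonceVerifier.seen` rejected it as too old; with the local clock moved two hours back the same flow passed, because the nonce then looked like it came from the future and only staleness was being tested. The following is an added illustration of that age check, written for this page in Python; it is not code from cemerick/friend or openid4java. It assumes the machine in the log was in a UTC+2 zone (the log prints no zone), reads friend's `:max-nonce-age 300000` as milliseconds, and uses a 60-second default window and a 60-second tolerance for OP clocks running ahead, all of which are this example's own choices. The nonce format (UTC timestamp followed by OP-chosen unique characters) is the OpenID 2.0 `openid.response_nonce` format.

```python
"""Nonce age and replay check for an OpenID 2.0 relying party, showing the
clock-skew failure from the log above. Added example, not friend or
openid4java code; limits and names are assumptions made for illustration."""
import re
from datetime import datetime, timedelta, timezone

# openid.response_nonce is "YYYY-MM-DDTHH:MM:SSZ" plus unique characters.
_NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)(.+)$")

DEFAULT_MAX_AGE = timedelta(seconds=60)      # assumed default window
DEFAULT_FUTURE_SKEW = timedelta(seconds=60)  # assumed tolerance for OP clocks ahead of ours


def parse_nonce(nonce):
    """Split a response_nonce into its UTC timestamp and the OP's unique suffix."""
    m = _NONCE_RE.match(nonce)
    if not m:
        raise ValueError("malformed response_nonce: %r" % nonce)
    stamp = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return stamp, m.group(2)


class NonceVerifier:
    """Rejects stale, future-dated and replayed nonces. Accepted nonces are
    remembered only for max_age, which keeps the replay cache bounded: once a
    nonce is older than max_age the age check rejects it anyway."""

    def __init__(self, max_age=DEFAULT_MAX_AGE, future_skew=DEFAULT_FUTURE_SKEW):
        self.max_age = max_age
        self.future_skew = future_skew
        self._seen = {}  # (op_endpoint, nonce) -> nonce timestamp

    def check(self, op_endpoint, nonce, now):
        stamp, _ = parse_nonce(nonce)
        age = now - stamp
        if age > self.max_age:
            return "too old"          # what the first log hit
        if age < -self.future_skew:
            return "in the future"    # what a clock moved back produces
        self._expire(now)
        key = (op_endpoint, nonce)
        if key in self._seen:
            return "replayed"
        self._seen[key] = stamp
        return "ok"

    def _expire(self, now):
        cutoff = now - self.max_age
        for key, stamp in list(self._seen.items()):
            if stamp < cutoff:
                del self._seen[key]


# Values copied from the log above. 13:26:20 local time is 11:26:20Z under the
# assumed UTC+2 zone, so the nonce was 233 seconds old when verified.
NONCE = "2014-06-05T11:22:27Zk4p7fr"
OP = "http://XXXXX.XXXXX.XXX/openid"
RP_NOW = datetime(2014, 6, 5, 11, 26, 20, tzinfo=timezone.utc)


def reproduce_log():
    """Return the verdicts for the default window, the widened window that
    closed the issue, and the clock-moved-back run."""
    default = NonceVerifier().check(OP, NONCE, RP_NOW)
    widened = NonceVerifier(max_age=timedelta(milliseconds=300000)).check(OP, NONCE, RP_NOW)
    moved_back = NonceVerifier().check(OP, NONCE, RP_NOW - timedelta(hours=2))
    return default, widened, moved_back


if __name__ == "__main__":
    print(reproduce_log())
```

Running `reproduce_log()` gives `('too old', 'ok', 'in the future')`: a 233-second skew between the OP's clock and the relying party's exceeds a 60-second window but fits in 300 seconds, which is why widening `:max-nonce-age` is the right fix, while moving the local clock back only works if the verifier never looks at nonces dated ahead of its own time. Whatever window you pick, keep the replay cache keyed on the nonce and expire it at the same age, otherwise a widened window quietly turns into a larger replay surface.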