Association discovery with Steam OpenId: Required parameter missing: assoc_type

[GoogleCodeExporter]

What steps will reproduce the problem?
1. Set http://steamcommunity.com/openid as the openid provider
2. Following the example on the tutorial, launch the discovery and association

List discoveries = manager.discover(openidprovider);

// attempt to associate with the OpenID provider
// and retrieve one service endpoint for authentication
DiscoveryInformation discovered = manager.associate(discoveries);

3. My log is filling with exceptions from the ConsumerManager

org.openid4java.message.MessageException: 0x100: Required parameter missing: 
assoc_type
at org.openid4java.message.Message.validate(Message.java:188)
at 
org.openid4java.message.AssociationResponse.validate(AssociationResponse.java:23
5)
at 
org.openid4java.message.AssociationResponse.createAssociationResponse(Associatio
nResponse.java:118)

and then I see 
WARN ConsumerManager - Association failed; using first entry: 
https://steamcommunity.com/openid/login

and all works perfectly: the user gets redirected to Steam for openid 
authentication, Steam calls the callback url correcly and the authentication 
goes fine.

What is the expected output? What do you see instead?
Why my log is full of exceptions? Ho can I stop them? Why these errors if all 
is working perfectly?
I can't simply set the log4j to ignore ERROR level for ConsumerManager!

What version of the product are you using? On what operating system?
0.9.6 from maven repository

Please provide any additional information below.
JDK 7

Original issue reported on code.google.com by e.mass...@faceit.com on 23 Feb 2013 at 10:10

[GoogleCodeExporter]

Seems like Steam does not support the default association type?
The attached patch fixes the error message to indicate what really happens, 
i.e., Steam returns some specific association error.

Original comment by frank.co...@gmail.com on 25 Mar 2013 at 3:06

Attachments:

• AssociationResponse-error-code-unsupported-type.patch

[GoogleCodeExporter]

I've have the same problems as reported by the OP.
I have not used the provided patch, but am using 0.9.7
After enabling DEBUG logging, I do see logging similar to as in the patch.

Basically it seems to create all kind of sessions with association types.
Here a part of the log with one of the assoc_types:
{{{
16:05:52,563 DEBUG [openid4java.association.AssociationSessi.              
create] Session:Association Type: DH-SHA1:HMAC-SHA1:OpenID2
16:05:52,564 DEBUG [    openid4java.consumer.ConsumerManager.           
associate] Trying association type: DH-SHA1:HMAC-SHA1:OpenID2
16:05:52,566 DEBUG [openid4java.association.AssociationSessi.              
create] Session:Association Type: DH-SHA1:HMAC-SHA1:OpenID2
16:05:52,567 DEBUG [openid4java.association.AssociationSessi.              
create] Session:Association Type: DH-SHA1:HMAC-SHA1:OpenID2
16:05:52,568 DEBUG [       openid4java.message.ParameterList.              
<init>] Created empty parameter list.
16:05:52,570 DEBUG [    openid4java.consumer.ConsumerManager.                
call] Performing HTTP POST on https://steamcommunity.com/openid/login
16:05:52,572 DEBUG [              openid4java.util.HttpCache.                
post] Performing HTTP POST on https://steamcommunity.com/openid/login
16:05:53,129 DEBUG [              openid4java.util.HttpCache.     
getResponseBody] Read 97 bytes.
16:05:53,131 DEBUG [       
openid4java.message.ParameterList.createFromKeyValueFo] Creating parameter list 
from key-value form:
ns:http://specs.openid.net/auth/2.0
error_code:unsupported-type
error:Associations not supported

16:05:53,133 DEBUG [       openid4java.message.ParameterList.              
<init>] Created empty parameter list.
16:05:53,134 DEBUG [       openid4java.message.ParameterList.              
copyOf] Copying parameter list:
ns:http://specs.openid.net/auth/2.0
error_code:unsupported-type
error:Associations not supported

16:05:53,137 DEBUG [    openid4java.consumer.ConsumerManager.                
call] Retrived response:
ns:http://specs.openid.net/auth/2.0
error_code:unsupported-type
error:Associations not supported
}}}

At the end, this is the assoc_type that succeeds:
{{{

16:05:54,519 DEBUG [     openid4java.association.Association.              
<init>] Creating association, type: null handle:   expires: Mon Apr 29 16:10:54 
CEST 2013
16:05:54,521 DEBUG [openid4java.consumer.InMemoryConsumerAss.                
save] Adding association to the in-memory store:   with OP: 
https://steamcommunity.com/openid/login
16:05:54,523 WARN  [    openid4java.consumer.ConsumerManager.           
associate] Association failed; using first entry: 
https://steamcommunity.com/openid/login
16:05:54,525 INFO  [    openid4java.consumer.ConsumerManager.        
authenticate] Creating authentication request for OP-endpoint: 
https://steamcommunity.com/openid/login claimedID: 
http://specs.openid.net/auth/2.0/identifier_select OP-specific ID: 
http://specs.openid.net/auth/2.0/identifier_select
16:05:54,528 DEBUG [       openid4java.message.ParameterList.              
<init>] Created empty parameter list.
16:05:54,529 DEBUG [        openid4java.server.RealmVerifier.               
match] Verifying realm: http://localhost:8084/OpenIdTest/steam.xhtml on return 
URL: http://localhost:8084/OpenIdTest/steam.xhtml
16:05:54,531 INFO  [        openid4java.server.RealmVerifier.               
match] Return URL: http://localhost:8084/OpenIdTest/steam.xhtml matches realm: 
http://localhost:8084/OpenIdTest/steam.xhtml
16:05:54,534 DEBUG [         openid4java.message.AuthRequest.   
createAuthRequest] Created auth request:
openid.ns:http://specs.openid.net/auth/2.0
openid.claimed_id:http://specs.openid.net/auth/2.0/identifier_select
openid.identity:http://specs.openid.net/auth/2.0/identifier_select
openid.return_to:http://localhost:8084/OpenIdTest/steam.xhtml
openid.realm:http://localhost:8084/OpenIdTest/steam.xhtml
openid.mode:checkid_setup}}}

If we could configure it correctly for Steam directly, it not only not clutters 
the logs but it also is faster as it doesn't have to do all the call that will 
fail.

Original comment by marco.de...@gmail.com on 29 Apr 2013 at 2:46

[GoogleCodeExporter]

Seems like Steam's OpenID service is using Stateless-mode.
Openid4java can be set to stateless by setting the maximum association attempts 
to 0:

manager = new ConsumerManager();
manager.setMaxAssocAttempts(0); // triggering stateless mode, needed for Steam

Original comment by marco.de...@gmail.com on 30 Apr 2013 at 11:43

[GoogleCodeExporter]

Hi! I had the same issue with getting Steam to work with openid4java, setting 
assocAttemtps to 0 did help. However, I'm still getting an exception from 
AxMessage.getExtension. Here's the full stack trace:
http://pastebin.com/gXXK25d5

And the source that does the OpenID stuff (I'm using Scala with Play 2.2)
https://github.com/GyrosOfWar/a-z-challenge-log/blob/master/app/controllers/Auth
entication.scala

Do I need to set any AxMessage for my request? I'm still very new to OpenID and 
I can't find any helpful resources on this topic. 

Original comment by martin.t...@gmail.com on 20 Nov 2013 at 11:10

[GoogleCodeExporter]

assoc_type is required in positive association responses; if a provider doesn't 
support associations it should respond with an association error: direct error 
message / http status code 400, per:
http://openid.net/specs/openid-authentication-2_0.html#anchor21 
http://openid.net/specs/openid-authentication-2_0.html#anchor8

Steam OP is likely not responding with a correct association error.

Original comment by Johnny.B...@gmail.com on 20 Nov 2013 at 11:55

[GoogleCodeExporter]

Martin: the stack trace indicates that the OP you're interacting with does send 
a AX response, however an invalid one. 

And the Authentication controller requires a valid AX response, since its 
policy seems to be to use the email attribute from the openid/ax response as 
the authenticated username - so no way around it that I can see except the OP 
fixing their AX responses.

Original comment by Johnny.B...@gmail.com on 21 Nov 2013 at 12:11

[GoogleCodeExporter]

Thank you very much for your quick response! I've found a workaround in the 
meanwhile, I've completely ignored all Attribute Exchange stuff and I'm 
fetching all the user data through the Steam API, which works because you get 
the user's Steam ID through his OpenID. 

Original comment by martin.t...@gmail.com on 21 Nov 2013 at 5:07