ConsumerManager.verify() fails with "No service element found to match the ClaimedID / OP-endpoint in the assertion."

I am trying to implement OpenID authentication in a JSF2 application and everything seems to work fine until the moment the application needs to check the OpenID server response (in my case Stack Exchange).

I already checked the openid4java source for debugging and tracking the problem, but I cannot find the reason why it fails. The code is based on sample code from the openid4java website.

First I create a query like this:

    if (getManager() == null) {
        setManager(new ConsumerManager());
    }
    try {
        // perform discovery on the user-supplied identifier
        List discoveries = getManager().discover(getOpenIdIdentifier());

        // attempt to associate with the OpenID provider
        // and retrieve one service endpoint for authentication
        DiscoveryInformation discovered = getManager().associate(discoveries);

        // store the discovery information in the user session for later use
        // leave out for stateless operation / if there is no session
        ((HttpSession) FacesContext.getCurrentInstance().getExternalContext().getSession(false)).setAttribute("discovered", discovered);

        // obtain a AuthRequest message to be sent to the OpenID provider
        AuthRequest authReq = getManager().authenticate(discovered, RETURN_URL);

        FetchRequest fetch = FetchRequest.createFetchRequest();
        fetch.addAttribute("email", "http://schema.openid.net/contact/email", true);

        // attach the extension to the authentication request
        authReq.addExtension(fetch);

        FacesContext.getCurrentInstance().getExternalContext().redirect(authReq.getDestinationUrl(true));
    } catch (Exception ex) {
        ex.printStackTrace();
    }

I am redirected to https://openid.stackexchange.com/, I use my email and pw to log in, and Stack Exchange redirects me back to RETURN_URL, where the following servlet is waiting:

    protected void processRequest(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        User u = ((User) request.getSession().getAttribute("user"));
        response.setContentType("text/html;charset=UTF-8");

        // extract the parameters from the authentication response
        // (which comes in as a HTTP request from the OpenID provider)
        ParameterList openidResp = new ParameterList(request.getParameterMap());

        // retrieve the previously stored discovery information
        DiscoveryInformation discovered = (DiscoveryInformation) request.getSession().getAttribute("discovered");

        // extract the receiving URL from the HTTP request
        StringBuffer receivingURL = request.getRequestURL();
        String queryString = request.getQueryString();
        if (queryString != null && queryString.length() > 0) {
            receivingURL.append("?").append(request.getQueryString());
        }

        // verify the response
        try {
            VerificationResult verification = u.getManager().verify(receivingURL.toString(), openidResp, discovered);
            // here is where ERROR ConsumerManager:1740 - No service element found to match the ClaimedID / OP-endpoint in the assertion. happens

            Identifier verifiedId = verification.getVerifiedId();
            if (verifiedId != null) {
                // success, use the verified identifier to identify the user
                AuthSuccess authSuccess = (AuthSuccess) verification.getAuthResponse();
                if (authSuccess.hasExtension(AxMessage.OPENID_NS_AX)) {
                    FetchResponse fetchResp = (FetchResponse) authSuccess.getExtension(AxMessage.OPENID_NS_AX);
                    String email = (String) fetchResp.getAttributeValues("email").get(0);
                    u.autoAuthByEmail(email);
                    response.sendRedirect("/");
                }
            } else {
                // OpenID authentication failed
                u.setLoggedIn(false);
                response.getOutputStream().print("auth failed. <a href=\"/\">home</a>");
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

This is what I get in server.log (RETURN_URL replaced by mydomain.org):

    [#|2011-11-29T12:20:16.117+0100|INFO|glassfish3.1.1|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=46;_ThreadName=Thread-2;|12:20:16,116 INFO Discovery:143 - Starting discovery on URL identifier: https://openid.stackexchange.com/|#]
    [#|2011-11-29T12:20:16.119+0100|INFO|glassfish3.1.1|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=46;_ThreadName=Thread-2;|12:20:16,119 INFO HttpCache:316 - Returning cached HEAD response for https://openid.stackexchange.com/|#]
    [#|2011-11-29T12:20:16.121+0100|INFO|glassfish3.1.1|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=46;_ThreadName=Thread-2;|12:20:16,120 INFO HttpCache:117 - Returning cached GET response for https://openid.stackexchange.com/xrds|#]
    [#|2011-11-29T12:20:16.145+0100|INFO|glassfish3.1.1|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=46;_ThreadName=Thread-2;|12:20:16,145 INFO YadisResolver:264 - Yadis discovered 1 endpoints from: https://openid.stackexchange.com/|#]
    [#|2011-11-29T12:20:16.147+0100|INFO|glassfish3.1.1|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=46;_ThreadName=Thread-2;|12:20:16,147 INFO Discovery:164 - Discovered 1 OpenID endpoints.|#]
    [#|2011-11-29T12:20:16.149+0100|INFO|glassfish3.1.1|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=46;_ThreadName=Thread-2;|12:20:16,148 INFO ConsumerManager:705 - Trying to associate with https://openid.stackexchange.com/openid/provider attempts left: 4|#]
    [#|2011-11-29T12:20:16.152+0100|INFO|glassfish3.1.1|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=46;_ThreadName=Thread-2;|12:20:16,151 INFO ConsumerManager:714 - Found an existing association: {634581615862250013}{M+QESA==}{32}|#]
    [#|2011-11-29T12:20:16.154+0100|INFO|glassfish3.1.1|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=46;_ThreadName=Thread-2;|12:20:16,153 INFO ConsumerManager:1063 - Creating authentication request for OP-endpoint: https://openid.stackexchange.com/openid/provider claimedID: http://specs.openid.net/auth/2.0/identifier_select OP-specific ID: http://specs.openid.net/auth/2.0/identifier_select|#]
    [#|2011-11-29T12:20:16.156+0100|INFO|glassfish3.1.1|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=46;_ThreadName=Thread-2;|12:20:16,155 INFO RealmVerifier:282 - Return URL: http://mydomain.org/openid matches realm: http://mydomain.org/openid|#]
    [#|2011-11-29T12:20:16.679+0100|INFO|glassfish3.1.1|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=46;_ThreadName=Thread-2;|12:20:16,679 INFO ConsumerManager:1121 - Verifying authentication response...|#]
    [#|2011-11-29T12:20:16.680+0100|INFO|glassfish3.1.1|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=46;_ThreadName=Thread-2;|12:20:16,680 INFO ConsumerManager:1145 - Received positive auth response.|#]
    [#|2011-11-29T12:20:16.681+0100|INFO|glassfish3.1.1|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=46;_ThreadName=Thread-2;|12:20:16,681 INFO Discovery:143 - Starting discovery on URL identifier: https://openid.stackexchange.com/user/2d34c1da-cca8-4095-83be-eee02722879b|#]
    [#|2011-11-29T12:20:16.682+0100|INFO|glassfish3.1.1|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=46;_ThreadName=Thread-2;|12:20:16,682 INFO HttpCache:316 - Returning cached HEAD response for https://openid.stackexchange.com/user/2d34c1da-cca8-4095-83be-eee02722879b|#]
    [#|2011-11-29T12:20:16.683+0100|INFO|glassfish3.1.1|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=46;_ThreadName=Thread-2;|12:20:16,682 INFO HttpCache:117 - Returning cached GET response for https://openid.stackexchange.com/xrds|#]
    [#|2011-11-29T12:20:16.704+0100|INFO|glassfish3.1.1|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=46;_ThreadName=Thread-2;|12:20:16,704 INFO YadisResolver:264 - Yadis discovered 1 endpoints from: https://openid.stackexchange.com/user/2d34c1da-cca8-4095-83be-eee02722879b|#]
    [#|2011-11-29T12:20:16.706+0100|INFO|glassfish3.1.1|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=46;_ThreadName=Thread-2;|12:20:16,706 INFO Discovery:164 - Discovered 1 OpenID endpoints.|#]
    [#|2011-11-29T12:20:16.707+0100|INFO|glassfish3.1.1|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=46;_ThreadName=Thread-2;|12:20:16,707 ERROR ConsumerManager:1740 - No service element found to match the ClaimedID / OP-endpoint in the assertion.|#]
    [#|2011-11-29T12:20:16.709+0100|INFO|glassfish3.1.1|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=46;_ThreadName=Thread-2;|12:20:16,708 ERROR ConsumerManager:1164 - Discovered information verification failed.|#]

I checked that

  • getManager() in the sending and receiving parts is the same object
  • sessionId on both sides is identical

I have been struggling with this problem for 2 days and I seem to be stuck. I would really appreciate any pointers.

EDIT:

I just tested the same code with an OpenID account on myopenid.com and it works there. I am really confused about what the problem is now :|


Source: https://habr.com/ru/post/1383614/
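
As an added illustration (not part of the original post and not openid4java's code), here is a sketch of the check that OpenID Authentication 2.0 section 11.2 requires after an identifier_select login: the relying party rediscovers the claimed identifier and accepts the assertion only if a discovered service element authorises the asserting OP endpoint. The endpoint and claimed identifier are the ones in the log above; the `openid.identity` value and all three service lists are constructed, and the class, record and method names are hypothetical.

```java
import java.util.List;

// Requires Java 16+ (records).
public class DiscoveredInfoCheck {
    static final String TYPE_SERVER = "http://specs.openid.net/auth/2.0/server"; // OP Identifier element
    static final String TYPE_SIGNON = "http://specs.openid.net/auth/2.0/signon"; // Claimed Identifier element

    // One <xrd:Service> element returned by discovery on the claimed identifier.
    record Service(String type, String uri, String localId) {}

    // The fields of a positive assertion that the check compares.
    record Assertion(String claimedId, String identity, String opEndpoint) {}

    // True when discovery on the claimed identifier shows that this OP endpoint
    // is allowed to make assertions about it.
    static boolean opIsAuthorized(Assertion a, List<Service> discovered) {
        for (Service s : discovered) {
            // An OP Identifier element names the provider, not a particular user.
            if (!TYPE_SIGNON.equals(s.type())) continue;
            if (!a.opEndpoint().equals(s.uri())) continue;
            // Without an <xrd:LocalID>, the OP-local identifier is the claimed identifier.
            String local = (s.localId() != null) ? s.localId() : a.claimedId();
            if (local.equals(a.identity())) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        String endpoint = "https://openid.stackexchange.com/openid/provider";
        String user = "https://openid.stackexchange.com/user/2d34c1da-cca8-4095-83be-eee02722879b";
        // Constructed: openid.identity is assumed equal to the claimed identifier.
        Assertion a = new Assertion(user, user, endpoint);

        // Constructed discovery results, not what the provider actually served.
        List<Service> onlyOpIdentifier = List.of(new Service(TYPE_SERVER, endpoint, null));
        List<Service> withSignon = List.of(
                new Service(TYPE_SERVER, endpoint, null),
                new Service(TYPE_SIGNON, endpoint, null));
        List<Service> otherEndpoint = List.of(
                new Service(TYPE_SIGNON, "https://op.example/endpoint", null));

        System.out.println("only OP Identifier element: " + opIsAuthorized(a, onlyOpIdentifier));
        System.out.println("signon element present:     " + opIsAuthorized(a, withSignon));
        System.out.println("signon for another OP:      " + opIsAuthorized(a, otherEndpoint));
    }
}
```

When this check rejects an assertion, the relying party has to treat the login as failed; accepting the asserted identifier anyway would let any provider vouch for identifiers it does not control.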

