OpenID module not working

The exact order of operations (per my previous post) are as follows:
(1) User comes to drupal 6.10 site.
(2) OpenID is selected as an auth method.
(3) User successfully authenticates against the external OpenID site (in my case, http://www.myopenid.com).
(4) User is directed to a "page not found" message on the drupal 6.10 site.

I wanted to break this down very carefully to isolate the issue.

In general, without even trying to log in, navigating to http://domain.com/openid generates 404 and this is where the problem is. It's not related to myOpenID or any specific OpenID provider.

I too have the same issue with openid and I use drupal 12. when user login with openid url, he is redirected to a "page not found" error page.

Has someone found any solution?

I too have the same issue with openid and I use drupal 12. when user login with openid url, he is redirected to a "page not found" error page.

Has someone found any solution?

PS: My apology for the repeated comment. I am not sure how it happened twice.

I experience this problem on my live site, but not on my test site. My live site is hosted at Hostgator.com. My test site runs on Ubuntu on an old PC.

I ran the PHP reports on both sites and compared them with diff. Two differences that may (or may not) impact this issue are:

magic_quotes_gpc

Live: On
Test: Off

session.cookie_domain

Live: .pinballclicks.com
Test: test.pinballclicks.com

Searching here at drupal.org, I found several similar reports—all unresolved:

• May 1, 2009 Open id module does not working- Please help: Another 404/403 report.
• May 2, 2009 OpenID redirects back to login: Could not log in. Tried suggestion to add user 0 into Users table, with no improvement.
• May 25, 2009 OpenID Identity "user@domain" results in unecessary HTTP Authentication Basic Header: Drupal sends basic auth info to OpenID provider. Patch failed tests.
• July 3, 2009 Openid module not working: Getting page not found error: Was getting 404 page not found. Added 403 error document to .htaccess. Now sees 403 error page, but still cannot login.
• July 15, 2009 OpenId not working with the Domain: Works in sandbox, not on live site. Closed with no resolution.

Drupal's OpenID module apparently works on some sites, including my test site and the sandbox site reported on July 15. OpenID does not work on some other sites.

I suspect that some PHP configuration difference impacts whether OpenID works or not.

Hi,

i too face the similar issue. any temporary fix?

@nkolev, there's no openid path on Drupal, the fact that it returns a 404 is therefore by design.

What happens if you access http://example.com/openid/authenticate ? Do you get a 404, or are you redirected to the frontpage with the message "Authentication failed"?

Hi @Heine,

i get "Page not found" page.

when i give my open id and click the login button, open id authentication happens and i was redirected to

http://example.com/openid/authenticate with open id values in query string.

how to fix this?

Please login as admin, and visit admin/build/modules. Then logout and try to access the openid/authenticate path again (http://example.com/openid/authenticate again).

Heine,

thank you for quick reply.

i checked. i got the message as "OpenID login failed."

but i cannot login using the openID. when i try login using open id, after open id auth, its getting redirected to "Page not found" page.

http://demo.ilugc.in/ is the site. can you check?

also i have registered as a site user. i cannot associate my OpenID with user account. i am redirected to "Page not found" page

Thank you for the link.

Are you running mod_security? Your server somehow refuses to accept any request with the strings http://, https:// or ftp:// as part of query values.

Moving to support request.

Heine,

i think i have disabled the mod_security via htaccess as of now. still it isnt working.

moving back to bug report

Are you sure mod_security is disabled?

Your server still does not accept http:// in query values.

@Thomas Ash: your server also doesn't accept the string "http://" in query variables. Please check if you are running mod_security.

And downgrading as a server configuration issue.

Heine,

i agree that it is a server configuration issue. but drupal hasnt given any message about it.

instead of giving a message, it redirects to 404. is it correct way? usability for the user is very difficult to figure out.

can we change that?

also, how do i disable the mod security? disabling it wont create any security related issue?

whats the alternative?

If mod_security interferes with normal request processing, Drupal cannot know about it, as it comes much later in the processing chain. It is mod_security that throws the 404 (or whatever error code it decides to use this time).

Please ask your host to disable mod_security or disable the rule that causes this issue (Likely an anti-remote file inclusion rule). You can find out what rule causes the issue by viewing the mod_security audit log.

For mod_security Core rules set 2.0.2, it is likely one of the RFI rules in base_rules\modsecurity_crs_40_generic_attacks.conf.

The rule of thumb is: If you run mod_security, and you see mysterious 404, 500 or whatever errors, the cause is likely mod_security (eg see Mysterious 403, 404, 406, 500 or "Page not found" errors depending on submitted content).

I'll add a page on openid + mod_security to the troubleshooting faq.

Thanks, Heine, for explaining the cause of the 404 errors and writing the troubleshooting FAQ page, Page not found error upon returning from the OpenID Provider.

With your explanation, it is much easier to find similar problem reports and solutions. For example, this report describes OpenID logins failing on a Wordpress site hosted by HostGator. Their solution was the same as Heine's: ask the web hosting company to whitelist the domain for the mod_security rule causing the issue.

Drupal 6.14

This is a full blown issues, folks. Anybody know how to escalate it?

Tried pasting

#drupal exclusion rule

SecRuleRemoveById 1234234
SecRuleRemoveById 340153

Threw an 'internal server error'

Can you paste your htaccess code? We're dyin here. :)

@GarryEgan, it's best to contact your host.

the solution is either:
a) ask your hosting provider to disable mod_security for your website (not secure)
b) ask your hosting provider to disable mod_security rules 1234234, 340151, 340153, 340163 (less not secure)
c) or patch Drupal core like I did in:
http://www.gerixsoft.com/blog/drupal/openid-page-not-found
works on HostGator w/o mod_security customizations.