Yubico Forum

I'm curerntly trying to figure out wherte I can use my very neat little Yubico key (besides this forum, of course).

Facebook says they allows OpenID, so I decided to give that a whirl. It redirects me to the Yubico auth server, where I get this message:



I've tried various strings in the upper box (no green 'y') but Facebook ends up telling me the authorization was cancelled. Comparing the URL to a working OpenID test service, I see that they're missing a "openid.trust_root" parameter, which I think might be the "RP" part of the error messages. Those URLs:

Facebook, non-working: http://openid.yubico.com/server.php?ope ... oc_handle={HMAC-SHA1}{4a406677}{88qwlg%3D%3D}&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1&openid.ns.ui=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fui%2F1.0&openid.realm=https%3A%2F%2Fwww.facebook.com%2F&openid.return_to=https%3A%2F%2Fwww.facebook.com%2Fopenid%2Freceiver.php%3Frequest_id%3D2%26provider_id%3D1039216355268%26context%3Dlink%26protocol%3Dhttps&openid.sreg.optional=postcode%2Ccountry%2Clanguage%2Ctimezone&openid.sreg.required=fullname%2Cemail%2Cdob%2Cgender&openid.ui.lang=en-US&openid.ui.mode=popup

Test service, working: http://openid.yubico.com/server.php?ope ... oc_handle={HMAC-SHA1}{4a491c72}{tY2vVQ%3D%3D}&openid.identity=http%3A%2F%2Fopenid.yubico.com%2Fserver.php%2Fidpage%3Fuser%3Dccccccccekbl&openid.mode=checkid_setup&openid.return_to=http%3A%2F%2Fwww.openidenabled.com%2Fresources%2Fopenid-test%2Fcheckup%2FTestCheckidSetup%2F%3Faction%3Dresponse%26attempt%3D1%26nonce%3DkDd5Eds3&openid.trust_root=http%3A%2F%2Fwww.openidenabled.com%2Fresources%2Fopenid-test%2Fcheckup%2FTestCheckidSetup%2F

Is there any way I can tweak the request URL to get my yubico key working on Facebook?

I found a way to make this work.

The yubico webpage that asks for the "name you wish to use" has the idSelect tag outside of the form tags. They should really fix that, BUT while on the page, if you view source, copy the source of that page into a new local html page, move the tag, <input type="text" name="idSelect" />, into the <form></form> tags, change the URL to your local file, put your key id into that field and then enter your yubikey, the process WILL work!

You sir, are pure gold. Thank you! I'm planning to try this tonight.

Hi,

I tried this, using Firebug to edit the HTML on page rather than saving to a local file. So the input was moved inside the form. Then I provided 12 characters of my yubikey, generated a OTP which submitted the form.

Facebook seems to have accepted yubico as an OpenID provider - it shows under settings / account settings / linked accounts

BUT... if I am logged out of Facebook I still have to enter my old fashioned username and password, there doesn't seem to be a front-panel option to login with OpenID. I am logged in with Yubico OpenID (according to the yubico site) but Facebook doesn't recognise it. Does this mean Facebook isn't really useful with OpenID?

-Cam

I'm having trouble finding that page -- both on the Yubico server as well as my personal OpenID server. It's not my ID page, right? That source:



My server.php source:

Found it: the error is in the lib/render/trust.php file.. found in /examples/servers/lib/render/ in the default yubico-php server package. For reference, a fixed version is attached.

Of course, now Facebook validates my OpenID server but doesn't recognize the cookies..

From the Facebook developer wiki:



On the discussion page for known OpenID issues:



Is it possible Yubico/yubico-php isn't OpenID 2.0 compliant?

I think I figured out the problem. checkid_immedate calls aren't working, and they need to work for Fb to validate an OpenID. More than that, we're working with OpenID 1.0.

This diagnosis tool shows failures in Cancel checkid_setup, Successful checkid_immediate, Cancel checkid_setup (dumb mode), Successful checkid_immediate (dumb mode)

This tool shows it's OpenID version 1:

PHP-OpenID supports 2.x, but I guess the Yubico mod does not.