I’m in the middle of creating what I now call “XTA2″, which involves extending the CodeIgntier Tank Auth library. The extension task includes plugging in other 3rd party authentication mechanisms like Facebook, Twitter, Google Friend Connect, OpenID (e.g. Google and Yahoo).
Well, I’m at the end of my troubles with OpenID and I think I am close to finishing this off so I can release it. But I have found a rather funny interesting error and I thought I should write down the solution, which would hopefully help me in the future.
The error occurs when a user types in their username and password and the OpenID authenticates by returning an OpenID authentication URL (which could be rather long). I am using Light OpenID package, and the error happens in the following part of the code.
$lightopenid = new Lightopenid;
$lightopenid->identity = ‘https://www.google.com/accounts/o8/id’;
$lightopenid->required = $required_attr;
The actual error is that you will either get 403 error, which says “Access Denied” or “Permission not given” or something along the lines of “You don’t have the right access privilege to get this page”. And if you reached this far with your effort, then know that you have done everything right and the error is happening because of Apache module issue.
In the OpenID authentication URL, there are several URLs included and in Apache, you can block these URLs in the query string with mod_security module. Many of the shared hosting servers set this feature (and for a right reason I am sure) and if that is your case, you will see this error.
My hosting company was Hostgator and I have told them of the problem and they have kindly whitelisted my URL so that this error doesn’t occur any longer. If you are running of VPS or your own server, then I’m pretty sure you wouldn’t see this error.
I was able to track this problem down, thanks to this post on Stackoverflow : http://stackoverflow.com/questions/4696234/lightopenid-forbidden-when-redirecting-back