Sometimes when I try to login (to edit a page) here then I can see the following error message:

Error: OpenID failure: time_bad_sig:

Please note that authorization process successes on OpenID server side.

It occurs both for getopenid.com and myopenid.com servers I use.

I'm reporting this, but I'm not sure whether a problem is with your ikiwiki or my OpenID servers. --Paweł

I've seen this too, once or twice (using myopenid), and reauthenticating fixed it -- so I can't reproduce it reliably to work on it. I think I've seen it both on this wiki and on the one running on my laptop.

The perl openid client module seems to fail with time_bad_sig if the time in the signature from the other end is "faked". I'm not 100% sure what this code does yet:

# check age/signature of return_to
my $now = time();
{
    my ($sig_time, $sig) = split(/\-/, $self->args("oic.time") || "");
    # complain if more than an hour since we sent them off
    return $self->_fail("time_expired")   if $sig_time < $now - 3600;
     also complain if the signature is from the future by more than 30 seconds,
    # which compensates for potential clock drift between nodes in a web farm.
    return $self->_fail("time_in_future") if $sig_time - 30 > $now;
    # and check that the time isn't faked
    my $c_secret = $self->_get_consumer_secret($sig_time);
    my $good_sig = substr(OpenID::util::hmac_sha1_hex($sig_time, $c_secret), 0, 20);
    return $self->_fail("time_bad_sig") unless $sig eq $good_sig;
}

At least it doesn't seem to be a time sync problem since the test for too early/too late times have different error messages.. --Joey

I've had this problem too, but with my track record of reporting OpenID bugs I thought it best if I held my tongue. I usually experience this the first time I sign in on any ikiwiki installation of {ikiwiki.kitenet, ikidev, betacantrips}, and I think re-logging in always works. --Ethan

Does seem easier to repro than I thought. Ok, fixed it.. done --Joey (reopened for new instance of same error message below)


the return of the nasty bug

Hmmmmm, looks like it is not entirely fixed. I am getting it on my own blog. Just upgraded to 3.20110430, same same. I am using custom openid with redirection to myopenid.com. Please tell me if you need more info. The same openid worked fine to login to this site to post this. -- Anton

Well, this bug is from 2007. Probably you are not encountering the same bug.

I also have a openid delegation to myopenid, and I can reproduce the problem when logging into your site.

What version of the Net::OpenId::Consumer perl library do you have installed? --Joey

It is the latest version from FreeBSD's ports collection, which happens to be a slightly patched up variant of an "unauthorized" CPAN release 1.06

Do you think it might be a good idea to try with 1.03 or with an unpatched 1.06? -- Anton

Absolutely. --Joey

1.03 fails with "Error: login failed, perhaps you need to turn on cookies?" (needless to say cookies are enabled).
Unpatched 1.06 fails with "Error: login failed, perhaps you need to turn on cookies?".
1.03 with the same patch fails with "Error: OpenID failure: time_bad_sig:" -- Anton.

Investigation revealed it was a bug in the freebsd patch, which I understand is going to be dealt with. done --Joey

I am getting the same error here with ikiwiki 3.20120629 (wheezy). I had trouble with ikiwiki-hosting configurations of OpenID, basically related to the openid_realm parameter - which I had to comment out. But now it seems to fail regardless. --anarcat

Nevermind, this was because I was blocking cookie on the CGI (!!). Message could be improved though, it's not the first time i stumble upon this... --anarcat