Reputation: 766
Yahoo and AOL are submitting a request to /_ah/xrds on one of my App Engine apps. My understanding is that xrds is part of the response when providing OpenIDs. I do not intend to provide OpenIDs. I am assuming for now that someone is trying to exploit a loophole in the OpenID system for things like spam, since I have received requests from Russia on this as well. This is an area I have very little experience in, so I could be incorrect in my assumptions and questions; feel free to correct me.
Why are Yahoo and AOL sending requests to /_ah/xrds?
How do I respond to that request in python/webapp2 to let them know I don't provide OpenID?
Upvotes: 1
Views: 272
Reputation: 146
If you could post where in the flow this request is coming, it will help debug the problem. However, the most likely explanation is that Yahoo! and AOL are trying to perform discovery on the provided "realm" string to ensure that the return_to URL can be discovered from the site specified by the realm string. This is a security measure specified in sections 11.1 and 13 of the OpenID2 spec.
The normal flow for the AOL OpenID Provider is to verify the return_to URL (as per section 11.1), which performs discovery (XRDS from section 13) on the realm string. If the return_to URL cannot be verified, then AOL will display a warning message to the user in the UI.
A related, more detailed description of the above flow and how to resolve can be found here: AOL openid website verification
Upvotes: 0
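To make the check the answer describes concrete, here is an added example (not code from either post, and not App Engine's own implementation) of what an OpenID 2.0 Provider does when it fetches the Relying Party's XRDS from the realm: it requires the request's return_to to fall under the realm (section 9.2 realm matching: same scheme and port, host equal or covered by a leading "*." wildcard, realm path a parent of the return_to path) and then requires return_to to match one of the return_to service URIs in the discovered XRDS. The XRDS document, realm and URLs below are constructed for the example; treating a discovered return_to URI as a prefix under the same rules as a realm mirrors the reference python-openid behaviour and should be taken as an assumption if your OP differs.

```python
"""OP-side return_to verification against a Relying Party's XRDS document.

Added example for illustration; the XRDS text and URLs are constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RETURN_TO_TYPE = "http://specs.openid.net/auth/2.0/return_to"
XRD_NS = "xri://$xrd*($v*2.0)"

# Constructed sample of what a Relying Party publishes at its Yadis location
# (for an App Engine app that is the URL the OP fetches via the realm).
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="1">
      <Type>http://specs.openid.net/auth/2.0/return_to</Type>
      <URI>https://example.appspot.com/_ah/login_redir</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


def discovered_return_to_uris(xrds_text):
    """Return the URIs of every Service whose Type is the OpenID 2.0 return_to type."""
    root = ET.fromstring(xrds_text)
    uris = []
    for service in root.iter("{%s}Service" % XRD_NS):
        types = {t.text.strip() for t in service.findall("{%s}Type" % XRD_NS) if t.text}
        if RETURN_TO_TYPE in types:
            uris.extend(u.text.strip() for u in service.findall("{%s}URI" % XRD_NS) if u.text)
    return uris


def _split(url):
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    return scheme, (parts.hostname or "").lower(), port, parts.path or "/", parts.fragment


def realm_matches(realm, url):
    """OpenID 2.0 section 9.2: does `url` fall under `realm`?"""
    r_scheme, r_host, r_port, r_path, r_frag = _split(realm)
    u_scheme, u_host, u_port, u_path, _ = _split(url)
    if r_frag or r_scheme not in ("http", "https"):
        return False  # realms carry no fragment and must be http(s)
    if r_scheme != u_scheme or r_port != u_port:
        return False
    if r_host.startswith("*."):
        suffix = r_host[1:]  # ".example.com"
        if "*" in suffix or not suffix.strip("."):
            return False  # wildcard only as the leftmost label, and not "*." alone
        if not (u_host == suffix[1:] or u_host.endswith(suffix)):
            return False
    elif "*" in r_host or r_host != u_host:
        return False
    if u_path == r_path:
        return True
    prefix = r_path if r_path.endswith("/") else r_path + "/"
    return u_path.startswith(prefix)  # realm path must be a parent directory


def verify_return_to(realm, return_to, xrds_text):
    """The Provider's check. Returns (ok, reason); a False result is what makes
    AOL show its warning in the UI."""
    if not realm_matches(realm, return_to):
        return False, "return_to is not under the realm"
    try:
        allowed = discovered_return_to_uris(xrds_text)
    except ET.ParseError:
        return False, "realm did not serve a parseable XRDS document"
    if not allowed:
        return False, "XRDS declares no return_to service"
    for uri in allowed:
        # Discovered return_to URIs are matched like realms but may not use wildcards.
        if "*" not in uri and realm_matches(uri, return_to):
            return True, "return_to verified against %s" % uri
    return False, "return_to not among the discovered return_to URLs"


if __name__ == "__main__":
    print(verify_return_to("https://example.appspot.com/",
                           "https://example.appspot.com/_ah/login_redir?continue=/",
                           SAMPLE_XRDS))
```

The practical consequence for the asker: the discovery request itself is benign, and the warning goes away only if the document served at the URL the OP fetches from the realm declares, as a return_to service, the exact endpoint the app sends in openid.return_to; a realm that covers return_to but an XRDS that omits it still fails the second half of the check.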