I can't get OpenID to work (openid.consumer.consumer.ProtocolError: Parameter next not in return_to URL)

Question

I'm using Django-Allauth in my Django project. I added some Social Providers (Facebook, Google) and it works perfectly!

But I'm facing a problem when trying to use OpenID providers. I've been testing it with Yahoo and AOL so far, and both end up with the same error: openid.consumer.consumer.ProtocolError: Parameter next not in return_to URL.

Configuration

settings.py

Some relevant info of my project's setting.py file:

INSTALLED_APPS = [
    # Django apps
    'django.contrib.auth',
    'django.contrib.sites',
    # Allauth apps
    'allauth',
    'allauth.account',
    'allauth.socialaccount',
    'allauth.socialaccount.providers.openid',
    'allauth.socialaccount.providers.facebook',
    'allauth.socialaccount.providers.google',
    # Project apps
    'frontoffice.apps.FrontofficeConfig',
    'middleoffice.apps.MiddleofficeConfig',
]
SITE_ID = 1

AUTHENTICATION_BACKENDS = (
    'django.contrib.auth.backends.ModelBackend',
    'allauth.account.auth_backends.AuthenticationBackend',
)

# Email sending
EMAIL_HOST = 'smtp.sendgrid.net'
EMAIL_HOST_USER = 'apikey'
EMAIL_HOST_PASSWORD = 'secret'
EMAIL_PORT = 587
EMAIL_USE_TLS = True

# Auth and allauth settings
ACCOUNT_AUTHENTICATION_METHOD = 'email'
ACCOUNT_EMAIL_REQUIRED = True
ACCOUNT_USERNAME_REQUIRED = False
ACCOUNT_USERNAME_MIN_LENGTH = 3

# Redirections
ACCOUNT_LOGOUT_REDIRECT_URL = '/front-office'
LOGIN_REDIRECT_URL = '/front-office'

# Email verification
ACCOUNT_EMAIL_VERIFICATION = 'mandatory'
SOCIALACCOUNT_EMAIL_VERIFICATION = 'mandatory'
ACCOUNT_EMAIL_CONFIRMATION_EXPIRE_DAYS = 3  # in days
ACCOUNT_EMAIL_CONFIRMATION_COOLDOWN = 30    # in seconds

# Account signup
ACCOUNT_SIGNUP_EMAIL_ENTER_TWICE = True
ACCOUNT_SIGNUP_FORM_CLASS = 'frontoffice.forms.UserAccountForm'

# Social Accounts
SOCIALACCOUNT_AUTO_SIGNUP = False
SOCIALACCOUNT_EMAIL_REQUIRED = True
SOCIALACCOUNT_QUERY_EMAIL = True
SOCIALACCOUNT_PROVIDERS = {
    'openid': {
        'SERVERS': [
            dict(id='yahoo',
                 name='Yahoo OpenID',
                 openid_url='http://me.yahoo.com'),
        ]
    },
    'facebook': {
        'SCOPE': ['email', ],
        'METHOD': 'js_sdk',
        'INIT_PARAMS': {'cookie': True},
        'FIELDS': ['id', 'email', 'name', 'first_name', 'last_name', 'verified', 'locale', 'timezone', 'link', 'gender', 'updated_time',],
        'VERIFIED_EMAIL': False,
    },
    'google': {
        'SCOPE': [
            'profile',
            'email',
        ],
        'AUTH_PARAMS': {
            'access_type': 'online',
        }
    }
}

I'm aware some settings don't override defaults or are redundant, it just helps me remembering what behaviours I should expect.

Using OpenID Auth

Error stacktrace

As I said, I tried Yahoo OpenID (http://me.yahoo.com), both from pre-defined provider and OpenID URL, and AOL, from URL (http://openid.aol.com/myUserName). Both return the aforementionned error, here's an example stacktrace :

INFO:django.server:"GET /accounts/openid/login/?openid=http%3A%2F%2Fme.yahoo.com&process=login HTTP/1.1" 302 0
ERROR:root:Verifying return_to arguments: Parameter next not in return_to URL
Traceback (most recent call last):
  File "d:\Profiles\user\Envs\Django\lib\site-packages\openid\consumer\consumer.py", line 673, in _checkReturnTo
    self._verifyReturnToArgs(message.toPostArgs())
  File "d:\Profiles\user\Envs\Django\lib\site-packages\openid\consumer\consumer.py", line 886, in _verifyReturnToArgs
    (pair[0], ))
openid.consumer.consumer.ProtocolError: Parameter next not in return_to URL
INFO:django.server:
"GET /accounts/openid/callback/?janrain_nonce=2017-11-21T15:56:32_nonce_zu
    &next=
    &openid.ns=http://specs.openid.net/auth/2.0
    &openid.mode=id_res
    &openid.return_to=http://localhost:8000/accounts/openid/callback/?janrain_nonce=2017-11-21T15:56:32_nonce_zu
    &next=
    &openid.claimed_id=https://me.yahoo.com/a/C7dd_secret_bVtec-#784b5
    &openid.identity=https://me.yahoo.com/a/C7dd_secret_bVtec-
    &openid.assoc_handle=1P.qFXi_secret_7MP8.Cv06_secret_wEeA--
    &openid.realm=http://localhost:8000/
    &openid.ns.ax=http://openid.net/srv/ax/1.0
    &openid.ax.mode=fetch_response
    &openid.ax.value.email=jane.doe@yahoo.fr
    &openid.ax.value.fullname=Jane Doe
    &openid.response_nonce=2017-11-21T15:56:33Zd_nonce_eA--
    &openid.signed=assoc_handle,claimed_id,identity,mode,ns,op_endpoint,response_nonce,return_to,signed,ax.value.email,ax.type.email,ax.value.fullname,ax.type.fullname,ns.ax,ax.mode,pape.auth_level.nist
    &openid.op_endpoint=https://open.login.yahooapis.com/openid/op/auth
    &openid.ax.type.email=http://axschema.org/contact/email
    &openid.ax.type.fullname=http://axschema.org/namePerson
    &openid.pape.auth_level.nist=0
    &openid.sig=n/JOWn_secret_3630=
HTTP/1.1"
200 647

I put line feeds between parameters for readability.

Question

As you can see, the error message is quite self-explanatory: parameter &next= is empty.

Would anyone happen to know where things might have gone wrong? Is it provider-related, libray-related, configuration/implementation-related?

Thanks in advance!

Answer 1

It turns out that there is a bug with allauth, where not providing next in the openid login URL will result in this error. I issued a PR to address this issue, so hopefully it gets merged in at some point.

In the meantime, you have two options:

1. Use my branch with the fix (or add to requirements.txt via -e git://github.com/pydolan/django-allauth.git@fix-yahoo-openid#egg=django-allauth);
2. Always provide a value for next. For example: /accounts/openid/login/?process=login&openid=https%3A%2F%2Fme.yahoo.com&next=%2F will let you login to Yahoo with OpenID.