8.5. Appendix 6 – Examples and Solution of Error Messages

The following article describes the most common error messages that can occur during the implementation of MojeID. The text also provides recommendations on how to solve the issues or what to focus on.

8.5.1. Error Messages on Test Instance

The errors are rendered directly form the used libraries. The most important ones are described here:

  • “Error parsing document as XML” and “Not a XRDS document” – Both mean there is an invalid XRDS document. This message usually describes a problem in an XRDS document with an invalid XML code (usually because it contains nonstandard unicode characters). It is possible to check the source code at http://www.xmlvalidation.com and find out where the error is.

  • “No XRD present in tree” – the XRDS document has no XRD element. Check the contents of the XRDS document (see the xrds). Mind also the case of the letters inside tags!

  • “HTTP Response status from identity URL host is not 200. Got status XXX” – a query for realm or an XRDS document returned a different HTTP status code than 200.

  • Errors from cURL are in form of „(XX, …)“, where XX is the number of the error from the list of libcURL errors (see https://curl.haxx.se/libcurl/c/libcurl-errors.html)

8.5.2. Problems Verifying the Return Address

When the verification of the service’s return address fails, the user is shown one of the following messages based on the phase in which the negative outcome occured:

  1. If the connection with a service failed

“Nelze ověřit důvěryhodnost služby, kam se přihlašujete přes MojeID. Buďte zvláště obezřetní při předávání údajů z MojeID této službě.”
“We can not validate authenticity of the service where you want to login with MojeID. Use extra caution when handing over the data from MojeID.”

This message is displayed when a query for realm or an XRDS document returns a HTTP status code 4xx or 5xx. If that is not the case, the message can describe a certificate issue when using HTTPS.

For HTTPS to work correctly, it is necessary to have a valid certificate that you can get from a certification authority (see also Problems with Unencrypted Connection). You also need a so-called intermediate certificates, so that the XRDS document is searched for. The server certificate has to be set up correctly, e.g. on an Apache server, intermediate certificates are set up using the SSLCertificateChainFile directive or SSLCertificateFile (see documentation for setting up SSL in Apache.

A list of certification authorities supported by MojeID can be found at https://wiki.mozilla.org/CA/Included_Certificates

When troubleshooting issues with SSL and certificates, you can use direct tools, such as wget or curl programs, or a mechanism of a used library, that can detect issues better than common browsers.

  1. If the connection with a service was successful, but the validation of the return address failed

“Tento požadavek na přihlášení přes MojeID o sobě tvrdí, že přichází z jiné stránky, než tomu ve skutečnosti je. Zvažte, zda vůbec chcete pokračovat s předáváním údajů z vašeho MojeID.”
“This MojeID login request claims to be from other site than it really is. Consider carefully whether you want to continue with handing over the data from your MojeID.”

Return address verification can fail due to the following reasons:

  • Realm did not return HTTP status 200.

  • There is no XRDS document on the realm, therefore the service cannot be verified. The XRDS document has to be placed on the realm in one of the three following ways:

    • The XRDS document can be placed directly in the HTTP header,

    • the XRDS document can be saved directly at the address of the realm (sent directly in the response),

    • the location can be described in the HTML header in a META tag.

  • A redirection occurred during the downloading of the XRDS document.

  • When the address return_to in an OpenID request does not match the address return_to in the XRDS document. The return_to address from an OpenID request can contain only several additional parameters, the so-called query string, not a subdirectory in a path.

  • When the address return_to in an OpenID request “is not an extension” of the address of the realm.

The term address A “is an extension” of address B means that:

  • the protocol is the same.

  • the domain is the same or also contains a subdomain if the domain B starts with *.,

  • the port is the same,

  • the path is the same or contains a subdirectory, and

  • query string (?key=value&key2=value2) is the same or with additional parameters.

Examples: the address A “is an extension” of the address B

Claim validity

Address A

Address B

yes

https://example.com/hello/

https://example.com/hello/

no

http://example.com/hello/

https://example.com/hello/

no

https://example.com:8080/hello/

https://example.com/hello/

yes

https://example.com/hello/hi/

https://example.com/hello/

no

https://example.com/hello/

https://example.com/hi/

no

https://example.com/hello/

https://example.com/hello/hi/

yes

https://example.com/hello/?key=value

https://example.com/hello/?key=value

yes

https://example.com/hello/?key=value&key2=value2

https://example.com/hello/?key=value

no

https://example.com/hello/?key=value

https://example.com/hello/?key=value&key2=value2

yes

https://subdomain.example.com/hello/?key=value

https://*.example.com/

  1. If it is not possible to manage the URL service’s area in MojeID

“Tento realm není dobře definovaný a nelze k němu nastavit důvěru.”
“This realm is not sane and thus you can not set trust for it.”

Check that your realm (described in the identity verificatin request) does not contain an IP address, characters not supported in URL, or a URI fragment. See also realm.

8.5.3. Problems with Unencrypted Connection

Your browser might display the following message when redirecting back to your website:

“Informace, které jste zadali, budou odeslány přes nezašifrované spojení a mohly by jednoduše být přečteny třetí stranou. Určitě chcete pokračovat v odesílání?”
“The information you have entered will be sent over an unencrypted connection and could easily be read by a third party. Are you sure you want to continue sending it?”

Note

This message comes from Firefox and it will probably look a little different in other browsers.

This message can appear at all realms without HTTPS. The data that are handed over (i.e. user’s personal information too) travel through the internet unencrypted and the browser says it leaves encrypted MojeID website towards a service that does not use encryption. We do not recommend the unencrypted protocol (HTTP), but it is possible to use it.

This issue can be solved easily by using a basic SSL certificate that can be downloaded for example here: https://letsencrypt.org/. The certificate secures your data transfer and at the same time, you see the level of authentication of the user.

8.5.4. Selecting Required Logging Method

The required login method is selected by placing the identifier of the given login method into the identity verification request. The MojeID service supports not only the common login by password, but also login by a digital certificate or a one-time password (OTP).

  • When loging in using a certificate, the following message is displayed:

    “Poskytovatel služby požaduje přihlášení certifikátem.”
    “The service provider wants you to login with your certificate.”

  • When logging in using a one-time password or an authenticator, the following message is displayed:

    “Poskytovatel služby požaduje přihlášení jednorázovým heslem nebo MojeID Autentikátorem.”
    “The service provider wants you to login with one time password or MojeID Autentikátor.”

  • When logging in using a security key, the following message is displayed:

    “Poskytovatel služby požaduje přihlášení druhým faktorem.”
    “The service provider wants you to login with two-factor authentication.”

Method identifiers and an example of a request with requesting a login method can be found in the implem-oid2-zadost-overeni section.

8.5.5. Problems with Library for PHP

One of the most common error messages is “FAILED TO CREATE AUTH REQUEST: not a valid OpenID” and “Ověření OpenID selhalo: No OpenID information”.

Some errors might be caused by a wrong configuration of your server. You can try to fix them in the following way:

  • You need to make sure that the cURL for the given PHP version is installed, active (phpinfo should say so) and that the cURL is not disabled in php.ini.

  • It might also be necessary to check the /etc/php5/conf.d/curl.ini for a line extension=curl.so and add it if it is not there.

  • Download and install the newest version of cURL, see also https://curl.haxx.se/download.html.

We also recommend downloading and getting familiar with sample implementation in PHP.

8.5.6. Error Messages in JSON (OIDC)

Error messages contain the error code in form of an ASCII string under the error key. A human readable error description should be found in a JSON response under the error_description key.

MojeID can return the following error codes:

Error Code

Possible Causes

unauthorized_client

Wromg client_id, wrong client_secret, incorrectly used authentication.

invalid_request

Missing required parameters, one or more parameters unreadable/unparseable.