Openid provider fails often with Steam


Steam is an idprovider that uses the legacy openid 2.0 system (not openid connect).
Quite often (but not always) the openid authentication with Steam requires multiple attempts (redirects from our app site to Steam) because the step of signature verification fails (apparently Steam closes the connection that we are using for this verification).
There is a workaround that works for Steam: retrying only the verification signature step. Note that Steam only allows stateless verification - openid associations are not supported.
This issue should include a retry of the signature verification step, preferably all from within the amdatu-security code base (no changes to the embedded openid4java library).



Marian Grigoras


Marian Grigoras