I'm working on an application allowing users to sign in and register using Google and Yahoo through OpenID using ASP.NET MVC4, and the DotNetOpenAuth library. Google is working fine, and Yahoo was working fine for a few months as well until a few days ago.
For some reason, using my local version of IE 11, after authenticating with Yahoo, two responses are sent back to the web server, and each is validated in its own separate thread. One response is determined to be valid, and the other response is determined to be invalid because the first response is already validated. The responses are then sent back to the user, and depending on which one is sent first, two very different outcomes can occur.
Using Chrome and Firefox works correctly. Yahoo is returning only one response. Using different versions of IE on other machines (including 11) works correctly as well. Using Fiddler, I've verified that the correct requests are being sent out. I've tried clearing my cache, disabling any add-ons, and changing document and browser modes using the dev tools, with no luck. Is there anything that can be causing two responses to be sent back?
The basic code to send the request is below. The config file is using all default values.
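```csharp
OpenIdRelyingParty openid = new OpenIdRelyingParty();
// No explicit return_to is passed here, so the library derives it from the current request URL.
IAuthenticationRequest request = openid.CreateRequest(Identifier.Parse("https://me.yahoo.com"));
var fields = new ClaimsRequest();
fields.Email = DemandLevel.Require;
request.AddExtension(fields); // attach the Simple Registration request to the OpenID request
return request.RedirectingResponse.AsActionResult(); // redirect the browser to Yahoo
```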
It turns out that the problem was that I was sending a request to tell Yahoo to redirect back to an unencrypted connection after authentication. If I tell Yahoo to return to an HTTPS URL, rather than HTTP, everything works correctly, and I only get one request coming back to the application.
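
One way to apply the fix described above is to pass an explicit HTTPS realm and return_to to `CreateRequest` and to reject callbacks that arrive over plain HTTP. This is an added example, not the original poster's code; the controller name, the action names and the assumption that the site serves HTTPS on the default port are hypothetical.

```csharp
using System;
using System.Web.Mvc;
using DotNetOpenAuth.Messaging;
using DotNetOpenAuth.OpenId;
using DotNetOpenAuth.OpenId.Extensions.SimpleRegistration;
using DotNetOpenAuth.OpenId.RelyingParty;

// Hypothetical controller; class and action names are assumptions for this example.
public class AccountController : Controller
{
    private static readonly OpenIdRelyingParty openid = new OpenIdRelyingParty();

    public ActionResult YahooLogin()
    {
        // Build the callback from the current host but force the https scheme.
        // Port = -1 selects the scheme's default port (assumes HTTPS on 443).
        var returnTo = new UriBuilder(Request.Url)
        {
            Scheme = Uri.UriSchemeHttps,
            Port = -1,
            Path = Url.Action("YahooCallback"),
            Query = string.Empty
        }.Uri;

        // The realm is the https root of the site, so it covers the return_to URL.
        var realm = new Realm(new Uri(returnTo, "/"));

        IAuthenticationRequest request = openid.CreateRequest(
            Identifier.Parse("https://me.yahoo.com"), realm, returnTo);

        var fields = new ClaimsRequest { Email = DemandLevel.Require };
        request.AddExtension(fields);
        return request.RedirectingResponse.AsActionResult();
    }

    public ActionResult YahooCallback()
    {
        // Refuse to process an assertion that arrived over an unencrypted connection.
        if (!Request.IsSecureConnection)
            return new HttpStatusCodeResult(400, "HTTPS required");

        IAuthenticationResponse response = openid.GetResponse();
        if (response != null && response.Status == AuthenticationStatus.Authenticated)
            return Content("Signed in as " + response.ClaimedIdentifier);
        return new HttpStatusCodeResult(401);
    }
}
```

Keeping the return_to on HTTPS also keeps the positive assertion, which carries the claimed identifier and the requested email, off an unencrypted hop between the browser and the application.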