One common OpenID issue arises when you perform discovery on an OpenID provider endpoint and have to construct a redirect URL (where to send the end user after she has authenticated) built off a trust root (the current root of the application) and the callback (the URL to which the end user is returned).
The OpenID domain verification process is quite strict for most providers, requiring an exact match to the root domain. For instance, the following domains will not match:
If there is a callback URL mismatch, you will be presented with something along the lines of Figure 11-8.
Figure 11-8. Example of callback URL mismatch error screen
You will need to ensure that there is a direct domain match when building your redirect URL (i.e., that the domain from which you construct the callback matches the current domain that the user is on).
While this is a common issue for new users of OpenID, it can be remedied quickly if you simply ensure that there is an exact domain match between the trust root and the callback to which you will forward the end user after authentication.
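As an added illustration (this is not code from the book or from any OpenID library), the following relying-party check applies the OpenID 2.0 realm-matching rules to a trust root and a callback before the user is redirected, so a mismatch is caught on your side rather than on the provider's error screen. Two details are assumptions of this example: a `*.` wildcard realm also matches the bare domain, and the realm path must sit on a `/` boundary of the callback path.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def return_to_matches_realm(realm: str, return_to: str) -> bool:
    """Return True if the callback (return_to) lies inside the trust root (realm).

    Rules applied: same scheme, same effective port, host equal to the realm
    host (or, for a "*." wildcard realm, the domain itself or a subdomain),
    and the realm path as a prefix of the callback path.  The "/"-boundary
    path rule and the bare-domain wildcard match are assumptions here.
    """
    r, t = urlsplit(realm), urlsplit(return_to)
    if r.fragment or not r.hostname or not t.hostname:
        return False  # a realm may not carry a fragment; both need a host
    if r.scheme != t.scheme:
        return False  # http vs https never matches
    if (r.port or DEFAULT_PORTS.get(r.scheme)) != (t.port or DEFAULT_PORTS.get(t.scheme)):
        return False  # an explicit default port still counts as the same port
    rhost, thost = r.hostname, t.hostname  # urlsplit lowercases hostnames
    if rhost.startswith("*."):
        base = rhost[2:]  # "*.example.com" -> "example.com"
        if thost != base and not thost.endswith("." + base):
            return False  # "example.com.evil.net" does not end with ".example.com"
    elif rhost != thost:
        return False  # e.g. www.example.com vs example.com
    rpath = r.path or "/"
    tpath = t.path or "/"
    if rpath.endswith("/"):
        return tpath.startswith(rpath)
    return tpath == rpath or tpath.startswith(rpath + "/")  # "/app" must not cover "/application"


if __name__ == "__main__":
    # Constructed sample pairs; the second one is the classic www/non-www mismatch.
    for realm, cb in [("https://www.example.com/", "https://www.example.com/openid/return"),
                      ("https://www.example.com/", "https://example.com/openid/return")]:
        print(realm, cb, return_to_matches_realm(realm, cb))
```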