Comment 4 for bug 510866

James Henstridge (jamesh) wrote :

This particular error message is only generated in one instance by the python-openid library: when the OpenID authentication process is being completed and the provider passes control back to us, it includes an "openid.response_nonce" parameter. If our code thinks it has seen that nonce from the provider, then it treats the message as a replay attack and gives that error.

The nonce is generated by the OpenID Provider as the current time in UTC (down to second accuracy) with 6 characters of random data.

On our end, we accept the nonce if the timestamp is within 5 hours of the current time and we haven't seen the (timestamp, random data) pair before. The code in django-openid-auth used to store nonces in the DB has not changed since 2008, so I don't think it would be the problem.

I asked one of our sysadmins if there had been any obvious clock skew problems. He said there wasn't any evidence of anything that scale, so I'm now getting some log excerpts that might help shed some light on the issue.
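To make the nonce check described in the comment concrete, here is an added example (not code from python-openid or django-openid-auth) of the bookkeeping a consumer does. It assumes the OpenID 2.0 response_nonce layout (an ISO 8601 UTC timestamp ending in "Z", followed by the provider's random suffix), an in-memory set standing in for the DB table, and constructed sample nonces.

```python
import re
from datetime import datetime, timezone

# Maximum accepted skew between the provider's clock and ours (5 hours, as in the comment).
NONCE_SKEW_SECONDS = 5 * 60 * 60

# Assumed OpenID 2.0 response_nonce layout: "YYYY-MM-DDTHH:MM:SSZ" + unique suffix
# (python-openid appends 6 random characters; any suffix is accepted here).
_NONCE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})Z(.*)$")


def split_nonce(nonce):
    """Return (timestamp_as_epoch_seconds, salt); raise ValueError if the nonce is malformed."""
    m = _NONCE_RE.match(nonce)
    if m is None:
        raise ValueError("malformed response_nonce: %r" % nonce)
    y, mo, d, h, mi, s = (int(x) for x in m.groups()[:6])
    ts = datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc).timestamp()
    return int(ts), m.group(7)


class NonceStore:
    """In-memory stand-in for the nonce table; keyed by (server_url, timestamp, salt)."""

    def __init__(self):
        self._seen = set()

    def use_nonce(self, server_url, nonce, now):
        """True the first time a fresh nonce is presented; False if malformed, skewed or replayed."""
        try:
            timestamp, salt = split_nonce(nonce)
        except ValueError:
            return False
        # Outside the skew window: either a badly skewed clock or an old, purged nonce.
        if abs(timestamp - now) > NONCE_SKEW_SECONDS:
            return False
        key = (server_url, timestamp, salt)
        if key in self._seen:
            return False  # seen before: treat as a replay
        self._seen.add(key)
        return True

    def purge(self, now):
        """Drop entries older than the skew window (they could never be accepted again anyway)."""
        self._seen = {k for k in self._seen if now - k[1] <= NONCE_SKEW_SECONDS}
        return len(self._seen)
```

Because only the timestamp is compared to local time, a provider or consumer clock that drifts past the window produces the same "replayed" error as a genuine replay, which is why clock skew is a natural suspect for this bug.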