ugh, yes every provider should support check_authentication.
On Thu, Aug 26, 2010 at 10:11 PM, Yitzchak Scott-Thoennes < [email protected]> wrote: > In the OpenID Authentication 2.0 spec, the Relying Party is obligated > to use direct verification to check the signature when it does not have > the association stored. > > But is an OP required to support check_authentication? > > There are certain providers that appear to not support it, always > returning a failure. > > There are other providers that include mode as a signed attribute, > and so reject the check_authentication as having an invalid signature > (since the mode has changed). > > Can someone familiar with this comment, please? > _______________________________________________ > specs mailing list > [email protected] > http://lists.openid.net/mailman/listinfo/openid-specs >
_______________________________________________ specs mailing list [email protected] http://lists.openid.net/mailman/listinfo/openid-specs
