Hi Nat,

On 24.09.2014 15:49, Nat Sakimura wrote:

...


    "There could be an attack by a malicious RP to obtain the user’s
    PPID for another RP to perform identity correlation. To mitigate
    the risk, the OP MUST verify that the realm and RP’s Redirect URI
    matches as per Section 9.2 of OpenID 2.0 [OpenID.2.0]."

    I'm not sure what this means. Does it mean the RP's XRDS document
    must contain the RP’s Redirect URI (an OAuth/OIDC redirect_uri)? If
    so, is the RP supposed to use a certain service Type or
    "http://specs.openid.net/auth/2.0/return_to"?

    Example:
    <Service xmlns="xri://$xrd*($v*2.0)">
      <Type>http://specs.openid.net/auth/2.0/return_to</Type>
      <URI>http://consumer.example.com/return</URI>
    </Service>


It just means that openid2_realm MUST be (roughly) a substring of OpenID Connect/OAuth's Redirect URI. No XRDS is involved. The exact matching rule is given in Section 9.2 of OpenID 2.0.

It's probably nitpicking, but the OIDC redirect_uri must be matched using the rules given in Section 9.2 of OpenID 2.0 instead of the OpenID 2.0 return_to URI, correct?

best regards,
Torsten.

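The check the thread is discussing, written out as an added example that is not code from the thread or from any OpenID implementation: an OP takes the openid2_realm and the OIDC redirect_uri from a migration request and applies the OpenID 2.0 Section 9.2 matching rules. Default-port normalisation, the label-boundary reading of the "*." wildcard and the rejection of realms like "*.com" are my interpretation of that section, not text from the thread.

```python
# Added example: OP-side check that an OIDC redirect_uri lies inside the
# OpenID 2.0 realm (openid2_realm) sent with a migration request, following
# the matching rules of OpenID 2.0 Section 9.2 (my reading of that section).
from urllib.parse import urlsplit

# Assumed default ports so "https://rp.example:443/" equals "https://rp.example/".
DEFAULT_PORTS = {"http": 80, "https": 443}


def _split(url):
    """Return (scheme, host, port, path, fragment) with the default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    path = parts.path or "/"
    return scheme, host, port, path, parts.fragment


def realm_matches(realm: str, redirect_uri: str) -> bool:
    """True iff redirect_uri matches realm per OpenID 2.0 Section 9.2."""
    try:
        r_scheme, r_host, r_port, r_path, r_frag = _split(realm)
        u_scheme, u_host, u_port, u_path, _ = _split(redirect_uri)
    except ValueError:  # malformed port etc.
        return False
    # A realm MUST NOT contain a URI fragment.
    if r_frag:
        return False
    # Scheme and port must be identical (after filling in default ports).
    if r_scheme != u_scheme or r_port != u_port or not r_host or not u_host:
        return False
    # The URL's path must equal the realm's path or be a sub-directory of it.
    base = r_path if r_path.endswith("/") else r_path + "/"
    if not (u_path == r_path or u_path.startswith(base)):
        return False
    # Host: identical, or the "*." wildcard matches whole trailing DNS labels.
    if r_host.startswith("*."):
        suffix = r_host[2:]
        if "." not in suffix:  # overly general realm such as "*.com": reject
            return False
        return u_host == suffix or u_host.endswith("." + suffix)
    return u_host == r_host


if __name__ == "__main__":
    # Honest RP: realm covers the redirect_uri, so the OP may map the PPID.
    print(realm_matches("https://*.rp.example/", "https://app.rp.example/oidc/cb"))
    # Mismatch: a request naming another RP's realm must be refused.
    print(realm_matches("https://victim-rp.example/", "https://evil.example/cb"))
```

When the check fails, the OP should refuse the request rather than return a sub derived from the foreign realm's PPID, which is the correlation risk the quoted spec text describes.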

_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs