Nat, should this comment result in an editorial correction to the draft before 
it’s republished?

From: Torsten Lodderstedt [mailto:[email protected]]
Sent: Saturday, October 04, 2014 8:12 AM
To: Nat Sakimura
Cc: Mike Jones; [email protected]
Subject: Re: Review of Proposed Implementer’s Draft of OpenID 2.0 to OpenID 
Connect Migration Specification

Hi Nat,
On 24.09.2014 15:49, Nat Sakimura wrote:

...


"There could be an attack by a malicious RP to obtain the user’s PPID for 
another RP to perform identity correlation. To mitigate the risk, the OP MUST 
verify that the realm and RP’s Redirect URI matches as per Section 9.2 of 
OpenID 2.0 [OpenID.2.0]."

I'm not sure what this means. Does it mean the RP's XRDS document must contain 
the RP’s Redirect URI (an OAuth/OIDC redirect_uri)? If so, is the RP supposed to 
use a certain service Type or 
"http://specs.openid.net/auth/2.0/return_to"?

Example:
<Service xmlns="xri://$xrd*($v*2.0)">
  <Type>http://specs.openid.net/auth/2.0/return_to</Type>
  <URI>http://consumer.example.com/return</URI>
</Service>

It just means that openid2_realm MUST be (roughly) a substring of OpenID 
Connect/OAuth's Redirect URI. No XRDS is involved. The exact rule of the matching 
is given in Section 9.2 of OpenID 2.0.

It's probably nitpicking, but the OIDC redirect_uri must be matched using the 
rules given in Section 9.2 of OpenID 2.0 instead of the OpenID 2.0 return_to 
URI, correct?

best regards,
Torsten.
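The OP-side check discussed above (openid2_realm matched against the OIDC redirect_uri under the Section 9.2 realm rules), as an added example that is not code from this thread or from any OpenID implementation; the hostnames and the request dictionary shape are assumptions:

```python
from urllib.parse import urlsplit

# Default ports so "https://rp.example.com" and "https://rp.example.com:443" compare equal.
DEFAULT_PORTS = {"http": 80, "https": 443}


def _split(url):
    """Normalise a URL into (scheme, host, port, path, fragment) for comparison."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    port = u.port if u.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port, u.path or "/", u.fragment


def redirect_uri_matches_realm(redirect_uri, realm):
    """True if redirect_uri matches realm under OpenID 2.0 Section 9.2:
    identical scheme and port; URL path equal to or a sub-directory of the realm
    path; domain identical, or realm "*.suffix" with the URL domain under suffix.
    A realm carrying a fragment is rejected."""
    r_scheme, r_host, r_port, r_path, r_fragment = _split(realm)
    u_scheme, u_host, u_port, u_path, _ = _split(redirect_uri)
    if r_fragment or not r_scheme or not r_host:
        return False
    if (r_scheme, r_port) != (u_scheme, u_port):
        return False
    realm_dir = r_path if r_path.endswith("/") else r_path + "/"
    if not (u_path == r_path or u_path.startswith(realm_dir)):
        return False
    if r_host.startswith("*."):
        suffix = r_host[2:]
        # Assumed policy: refuse overly general wildcards such as "*.com".
        if "." not in suffix or "*" in suffix:
            return False
        # Sub-domains match; the bare domain is also accepted (assumption,
        # in line with common implementations). The leading "." blocks
        # look-alike hosts such as "evilexample.com".
        return u_host == suffix or u_host.endswith("." + suffix)
    return "*" not in r_host and u_host == r_host


def op_accepts_migration_request(request):
    """OP gate before releasing the PPID for a realm: a request whose openid2_realm
    does not match its registered redirect_uri is refused (request shape assumed)."""
    return redirect_uri_matches_realm(request["redirect_uri"], request["openid2_realm"])
```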

_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
