There was a question on IRC a few nights ago that I couldn't answer and has since been bugging me. I was hoping somebody here would be able to clarify this for me...
In reply to an authentication request (either via checkid_immediate or checkid_setup), an OpenID provider includes the identifier that has been verified as the value for openid.identity. However, what if that identity doesn't match what was sent in the original authentication request? Obviously there needs to be some validation here, otherwise a provider could make claims about identities on other domains. However, what about the less dangerous requests, such as returning a different identity within the provider's authoritative domain? And if that's not allowed, then what is the purpose of including openid.identity at all, considering that the return_to URL in combination with a nonce (which is required for secure operation anyway) would be sufficient to ensure the provider's signature isn't reused maliciously for other identities?

--
Trevor Johns
http://tjohns.net

security mailing list: http://openid.net/mailman/listinfo/security
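As an added illustration of the relying-party checks the question is circling (not code from the post or from any OpenID implementation): the RP compares return_to and the response nonce against its outstanding request, then accepts the returned openid.identity only if discovery on that identifier points back at the OP that answered, and only if it equals the requested identifier unless the request used identifier_select. The DISCOVERY table stands in for real Yadis/HTML discovery, and signature verification is assumed to have been done already.

```python
"""Relying-party-side validation of an OpenID positive assertion (mode=id_res).

Constructed example. Assumes OpenID 2.0 semantics: the RP must confirm the OP is
authoritative for the asserted identifier and that return_to and the response
nonce belong to the request it actually sent. Signature checking is out of scope.
"""

# Constructed stand-in for discovery: identifier -> OP endpoint it delegates to.
DISCOVERY = {
    "https://alice.example.net/": "https://op.example.net/server",
    "https://bob.example.net/": "https://op.example.net/server",
    "https://mallory.example.org/": "https://op.example.org/server",
}
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"


def discover(identifier):
    """Return the OP endpoint that discovery on `identifier` yields (constructed table)."""
    return DISCOVERY.get(identifier)


def verify_assertion(request, response, seen_nonces):
    """Return (True, identity) if the assertion is acceptable, else (False, reason).

    request: what the RP sent: requested identity, return_to, and the OP endpoint.
    response: the openid.* parameters that came back.
    seen_nonces: set of already-consumed response nonces (replay protection).
    """
    if response.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    # return_to must be exactly what the RP put in the request.
    if response.get("openid.return_to") != request["return_to"]:
        return False, "return_to mismatch"
    # The nonce ties one signature to one response; reject any reuse.
    nonce = response.get("openid.response_nonce")
    if not nonce or nonce in seen_nonces:
        return False, "missing or replayed response_nonce"
    asserted = response.get("openid.identity")
    if not asserted:
        return False, "no openid.identity in response"
    # The asserted identifier must resolve to the OP that answered; otherwise an
    # OP could make claims about identifiers on domains it does not control.
    if discover(asserted) != request["op_endpoint"]:
        return False, "OP is not authoritative for asserted identity"
    # If the RP asked about a specific identifier, the OP may not substitute another,
    # even one within its own domain; only identifier_select permits that.
    if request["identity"] != IDENTIFIER_SELECT and asserted != request["identity"]:
        return False, "asserted identity differs from requested identity"
    seen_nonces.add(nonce)
    return True, asserted
```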
