[cl-openid-devel] What happens after verification?
Anton Vodonosov
avodonosov at yandex.ru
Sun Jul 20 17:50:27 UTC 2008
On Sunday, July 20, 2008, 8:28:33 PM Maciek wrote:
> On Sun, 2008-07-20 at 19:44 +0300, Anton Vodonosov wrote:
>> > Update (I forgot to add this): I used URI postfix instead of GET
>> > parameters because OpenID spec is not clear on how the OPs should treat
>> > existing GET parameters in incoming "openid.return_to" fields. The GET
>> > parameters might get lost or mangled, and the postfix is part of URI
>> > path, so it will stay untouched.
>>
>> IMHO the spec allows it, in the 9.1. Request Parameters:
>>
>> "Note: The return_to URL MAY be used as a mechanism for
>> the Relying Party to attach context about the authentication
>> request to the authentication response. This document does not
>> define a mechanism by which the RP can ensure that query parameters
>> are not modified by outside parties; such a mechanism can be defined
>> by the RP itself."
> Yes, but it also implies that this method may be fragile. URI postfix
> seems to be more robust.
They mean that the spec does not define a protection from intentional
cracking - changing the values to imitate different "context about
the authentication request". I.e. we should not attach really sensitive
information to the context until we have defined a way to verify the
context. The same applies to URI postfix.
Section 11.1 also explicitly mentions query parameters in the
return_to URI.
-Anton
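As an added example (not from the cl-openid project or from anyone in this thread), and in Python rather than the project's Common Lisp, here is how an RP could implement both points raised above: an HMAC over the context it attaches to return_to, so that tampering by an outside party is detectable when the response comes back, and the section 11.1 comparison of the OP-signed openid.return_to against the URL actually requested. The secret key, the URLs and the parameter names ctx/ctxsig are assumptions, not anything the spec or cl-openid defines.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key; a real RP keeps a random secret in its configuration.
RP_SECRET = b"rp-secret-for-demo-only"


def _tag(payload: bytes, key: bytes) -> str:
    """HMAC-SHA256 over the serialized context, hex-encoded."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def build_return_to(base_url: str, context: dict, key: bytes = RP_SECRET) -> str:
    """Attach RP context to return_to as query parameters (ctx + ctxsig).
    The OP echoes these back unchanged; the tag lets the RP detect edits."""
    payload = base64.urlsafe_b64encode(
        json.dumps(context, sort_keys=True).encode()).decode()
    query = urlencode({"ctx": payload, "ctxsig": _tag(payload.encode(), key)})
    sep = "&" if urlsplit(base_url).query else "?"
    return f"{base_url}{sep}{query}"


def verify_context(received_url: str, key: bytes = RP_SECRET):
    """Return the context dict if ctx/ctxsig are intact, otherwise None."""
    params = parse_qs(urlsplit(received_url).query)
    if "ctx" not in params or "ctxsig" not in params:
        return None
    payload = params["ctx"][0]
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(_tag(payload.encode(), key), params["ctxsig"][0]):
        return None
    return json.loads(base64.urlsafe_b64decode(payload.encode()))


def return_to_matches(return_to: str, request_url: str) -> bool:
    """OpenID 2.0 section 11.1 check: scheme, authority and path must be equal,
    and every query parameter of openid.return_to must be present with the
    same value in the URL the RP actually received. Because the OP signs
    openid.return_to, this catches context edited in transit as well."""
    a, b = urlsplit(return_to), urlsplit(request_url)
    if (a.scheme, a.netloc, a.path) != (b.scheme, b.netloc, b.path):
        return False
    want = parse_qs(a.query, keep_blank_values=True)
    got = parse_qs(b.query, keep_blank_values=True)
    return all(got.get(k) == v for k, v in want.items())
```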