How do I validate the openid.op_endpoint when a request is completed?
Posted
by Sam Saffron
on Stack Overflow
Published on 2010-03-10T01:57:47Z
I have an OpenID based authentication system on my site.

Occasionally users will have an account registered under [email protected] and they will attempt to log in using the Google OpenID provider https://www.google.com/accounts/o8/id; in this case I would like to automatically associate the account and log them in.

When the process is done I get a payload from somewhere claiming that openid.op_endpoint=https://www.google.com/accounts/o8/id.

My question:

- Can I trust openid.op_endpoint to be correct? Can this be spoofed somehow by a malicious OpenID provider?

For illustration, let's say someone types in http://evil.org as their OpenID provider. Can I somehow end up getting a request back that claims openid.op_endpoint is Google? Do I need to store extra information against the nonce to validate?

The spec is kind of tricky to understand.
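The check the question comes down to, as an added example that is not part of the post and not taken from any OpenID library: the RP stores, against a per-request token in return_to, the OP endpoint it discovered and the association it made with that endpoint, and then refuses a positive assertion whose openid.op_endpoint is not that endpoint. That binding is what OpenID Authentication 2.0 section 11.2 ("Verifying Discovered Information") requires. openid.op_endpoint is a signed field, but the signature only proves the response came from whichever OP the RP associated with, so a provider at evil.org can put Google's endpoint into op_endpoint and still sign it correctly with its own association key; only the comparison against stored discovery (plus re-discovery of the claimed_id in the identifier_select case) catches that. The discovery table, association keys, identifiers, return_to URL and nonce below are constructed test data, and the openid.* fields are handled with the "openid." prefix stripped.

```python
import base64
import hashlib
import hmac
from collections import namedtuple
from datetime import datetime, timezone
from urllib.parse import urldefrag

OPENID_NS = "http://specs.openid.net/auth/2.0"
# Fields a 2.0 positive assertion must always sign (claimed_id/identity too, when present).
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
NONCE_MAX_SKEW = 300  # seconds; the spec leaves this window to the RP (assumption)

# Constructed stand-in for Yadis/XRDS discovery (identifier -> OP Endpoint URL); made-up data.
DISCOVERY_TABLE = {
    "https://www.google.com/accounts/o8/id": "https://www.google.com/accounts/o8/id",
    "https://www.google.com/accounts/o8/id?id=AItOawlExampleUser": "https://www.google.com/accounts/o8/id",
    "http://evil.org/": "http://evil.org/openid",
}

# Stored per request (found again via a token in return_to): discovered endpoint, association, return_to.
PendingRequest = namedtuple("PendingRequest", "op_endpoint assoc_handle mac_key return_to")


def discover(identifier):
    """OP Endpoint URL that discovery yields for an identifier (fragment ignored)."""
    return DISCOVERY_TABLE.get(urldefrag(identifier)[0])


def sign_fields(fields, signed_names, mac_key):
    """OpenID 2.0 signature: HMAC-SHA256 over the key-value form of the signed fields."""
    kv_form = "".join(f"{name}:{fields[name]}\n" for name in signed_names)
    digest = hmac.new(mac_key, kv_form.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def validate_positive_assertion(resp, pending, seen_nonces, now):
    """Check an id_res response against the stored request; returns (ok, reason)."""
    if resp.get("ns") != OPENID_NS or resp.get("mode") != "id_res":
        return False, "not an OpenID 2.0 positive assertion"
    signed = resp.get("signed", "").split(",")
    if not REQUIRED_SIGNED.issubset(signed):
        return False, "a required field is not covered by the signature"
    for name in ("claimed_id", "identity"):
        if name in resp and name not in signed:
            return False, f"{name} is present but unsigned"
    # 1. Bind the response to this request: exact return_to and the association we established.
    if resp.get("return_to") != pending.return_to:
        return False, "return_to does not match the request"
    if resp.get("assoc_handle") != pending.assoc_handle:
        return False, "assoc_handle is not the one established for this request"
    # 2. Signature under that association's MAC key.
    if not hmac.compare_digest(sign_fields(resp, signed, pending.mac_key), resp.get("sig", "")):
        return False, "bad signature"
    # 3. op_endpoint is trustworthy only through discovery: it must be the endpoint we sent the user to.
    if resp.get("op_endpoint") != pending.op_endpoint:
        return False, "op_endpoint does not match the endpoint discovered for this request"
    # 4. With identifier_select (Google's flow) the OP chose claimed_id: re-discover and confirm it.
    claimed_id = resp.get("claimed_id")
    if claimed_id and discover(claimed_id) != resp["op_endpoint"]:
        return False, "discovery on claimed_id does not lead to op_endpoint"
    # 5. response_nonce: recent timestamp, never accepted before from this OP.
    nonce = resp.get("response_nonce", "")
    try:
        issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "malformed response_nonce"
    if abs(now - issued.timestamp()) > NONCE_MAX_SKEW:
        return False, "response_nonce timestamp outside the accepted window"
    if (resp["op_endpoint"], nonce) in seen_nonces:
        return False, "response_nonce replayed"
    seen_nonces.add((resp["op_endpoint"], nonce))
    return True, "ok"


def demo():
    """Constructed responses: a genuine Google flow, a replay, and evil.org claiming Google's endpoint."""
    now = datetime(2010, 3, 10, 1, 57, 47, tzinfo=timezone.utc).timestamp()
    nonce, return_to = "2010-03-10T01:57:47Zabc123", "https://rp.example/openid/return?token=7f3a"
    google_key, evil_key = b"\x01" * 32, b"\x02" * 32  # constructed association MAC keys
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
    # Genuine: the user entered Google's OP identifier, so discovery and association point at Google.
    google_req = PendingRequest("https://www.google.com/accounts/o8/id", "ah-google", google_key, return_to)
    resp = {"ns": OPENID_NS, "mode": "id_res", "signed": ",".join(signed),
            "op_endpoint": "https://www.google.com/accounts/o8/id", "assoc_handle": "ah-google",
            "claimed_id": "https://www.google.com/accounts/o8/id?id=AItOawlExampleUser",
            "identity": "https://www.google.com/accounts/o8/id?id=AItOawlExampleUser",
            "return_to": return_to, "response_nonce": nonce}
    resp["sig"] = sign_fields(resp, signed, google_key)
    seen = set()
    genuine = validate_positive_assertion(resp, google_req, seen, now)
    replay = validate_positive_assertion(resp, google_req, seen, now)
    # Spoof: the user typed evil.org, so discovery and association point at evil.org, which then
    # signs the same Google-looking assertion with its own valid key: signature passes, binding fails.
    evil_req = PendingRequest("http://evil.org/openid", "ah-evil", evil_key, return_to)
    spoof = dict(resp, assoc_handle="ah-evil", response_nonce=nonce + "x")
    spoof["sig"] = sign_fields(spoof, signed, evil_key)
    spoofed = validate_positive_assertion(spoof, evil_req, set(), now)
    return genuine, replay, spoofed
```

Calling demo() returns (True, "ok") for the genuine flow, a "response_nonce replayed" rejection for the second delivery of the same response, and an op_endpoint mismatch rejection for the evil.org response even though its signature verifies. The same structure applies when direct verification (check_authentication) is used instead of a stored association: the request goes to the endpoint from discovery, never to whatever op_endpoint the response names.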
© Stack Overflow or respective owner