How do I validate that my the openid.op_endpoint when a request is completed.

Posted by Sam Saffron on Stack Overflow See other posts from Stack Overflow or by Sam Saffron
Published on 2010-03-10T01:57:47Z Indexed on 2010/03/12 8:17 UTC
Read the original article Hit count: 191

Filed under:
|

I have an Open ID based authentication system on my site.

Occasionally users will have an account registered under [email protected] and they will attempt to login using the google open id provider https://www.google.com/accounts/o8/id, in this case I would like to automatically associate the account and log them in.

When the process is done I get a payload from somewhere claiming that openid.op_endpoint=https://www.google.com/accounts/o8/id.

My question:

  • Can I trust openid.op_endpoint to be correct? Can this be spoofed somehow by a malicious openid provider?

For illustration, lets say someone types in http://evil.org as their openid provider, can I somehow end up getting a request back that claims openid.op_endpoint is google? Do I need to store extra information against the nonce to validate?

The spec is kind of tricky to understand

© Stack Overflow or respective owner

Related posts about openid

Related posts about security