Is OpenID this easy to hack or am I missing something?

Posted by David on Server Fault See other posts from Server Fault or by David
Published on 2010-03-25T14:27:39Z Indexed on 2010/03/25 14:33 UTC
Read the original article Hit count: 370

Filed under:

openid

For those Relying Parties (RP) that allow the user to specify the OpenID Provider (OP), it seems to me than anyone that knows are guesses your OpenID could

Enter their own OP address.
Have it validate them as owning your OpenID.
Access your account on the RP.

The RP "could" take measures to prevent this by only allowing the OpenID to validated by the original OP, but...

How do you know they do?
You could never change your OP without also changing your OpenID.

Related posts about openid

Django & google openid authentication (openid.ax) with socialauth

as seen on Stack Overflow - Search for 'Stack Overflow'
Hello I am trying to use django-socialauth (http://github.com/uswaretech/Django-Socialauth) for authenticating users for my django project. This is firs time working with openid and i've had to figure out how exactly this open id works. I have more or less understood it, by now, but there are few… >>> More
Configuring Fed Authentication Methods in OIF / IdP

as seen on Oracle Blogs - Search for 'Oracle Blogs'
In this article, I will provide examples on how to configure OIF/IdP to map OAM Authentication Schemes to Federation Authentication Methods, based on the concepts introduced in my previous entry. I will show examples for the three protocols supported by OIF: SAML 2.0 SSO SAML… >>> More
DotNetOpenAuth OpenID Provider "Sequence contains more than one element"

as seen on Stack Overflow - Search for 'Stack Overflow'
Hello, all, I'm having trouble implementing my OpenID provider with DNOA 3.4.3. Everything was going absolutely peachy until I needed AX support as well. I set AXFetchAsSregTransform in the web config, as recommended by Andrew at http://groups.google.com/group/dotnetopenid/browse_thread/thread/5629a24c0a7e8d99… >>> More
why OAuth request_token using openid4java is missing in the google's response?

as seen on Stack Overflow - Search for 'Stack Overflow'
I have succeed using openID and OAuth separately, but I can't make them work together. Am I doing something incorrect: String userSuppliedString = "https://www.google.com/accounts/o8/id"; ConsumerManager manager = new ConsumerManager(); String returnToUrl = "http://example.com:8080/isr-calendar-test-1… >>> More
Django & google openid authentication with socialauth

as seen on Stack Overflow - Search for 'Stack Overflow'
Hello I am trying to use django-socialauth (http://github.com/uswaretech/Django-Socialauth) for authenticating users for my django project. This is firs time working with openid and i've had to figure out how exactly this open id works. I have more or less understood it, by now, but there are few… >>> More

Developer IT

Is OpenID this easy to hack or am I missing something? - Developer IT

Is OpenID this easy to hack or am I missing something?

openid

Related posts about openid

Django & google openid authentication (openid.ax) with socialauth

Configuring Fed Authentication Methods in OIF / IdP

DotNetOpenAuth OpenID Provider "Sequence contains more than one element"

why OAuth request_token using openid4java is missing in the google's response?

Django & google openid authentication with socialauth

Categories cloud