How do I validate that my the openid.op_endpoint when a request is completed.
- by Sam Saffron
I have an Open ID based authentication system on my site.
Occasionally users will have an account registered under [email protected] and they will attempt to login using the google open id provider https://www.google.com/accounts/o8/id, in this case I would like to automatically associate the account and log them in.
When the process is done I get a payload from somewhere claiming that openid.op_endpoint=https://www.google.com/accounts/o8/id.
My question:
Can I trust openid.op_endpoint to be correct? Can this be spoofed somehow by a malicious openid provider?
For illustration, lets say someone types in http://evil.org as their openid provider, can I somehow end up getting a request back that claims openid.op_endpoint is google? Do I need to store extra information against the nonce to validate?
The spec is kind of tricky to understand