I have an Open ID based authentication system on my site.
Occasionally users will have an account registered under
[email protected] and they will attempt to login using the google open id provider https://www.google.com/accounts/o8/id, in this case I would like to automatically associate the account and log them in.
When the process is done I get a payload from somewhere claiming that
openid.op_endpoint=https://www.google.com/accounts/o8/id.
My question:
Can I trust
openid.op_endpoint to be correct? Can this be spoofed somehow by a malicious
openid provider?
For illustration, lets say someone types in http://evil.org as their
openid provider, can I somehow end up getting a request back that claims
openid.op_endpoint is google? Do I need to store extra information against the nonce to validate?
The spec is kind of tricky to understand