OpenID Authentication 2.0 spec clarification - must OP support check_authentication direct verification?

Yitzchak Scott-Thoennes sthoenna at gmail.com
Fri Aug 27 05:11:25 UTC 2010


In the OpenID Authentication 2.0 spec, the Relying Party is obligated
to use direct verification to check the signature when it does not have
the association stored.

But is an OP required to support check_authentication?

There are certain providers that appear to not support it, always
returning a failure.

There are other providers that include mode as a signed attribute,
and so reject the check_authentication as having an invalid signature
(since the mode has changed).

Can someone familiar with this comment, please?
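
The failure described in the message can be reproduced offline. The following is an added example, not part of the original post and not code from any OpenID provider or library. It assumes HMAC-SHA256 signatures over the Key-Value form of the fields listed in openid.signed; the secret, URLs, nonce, handle and function names are constructed for illustration, and restoring the mode to id_res before recomputing is one possible OP-side handling, shown as an assumption.

```python
import base64
import hashlib
import hmac

# Constructed sample secret for a private (stateless-mode) association.
SECRET = b"constructed-private-association-secret"
BASE_SIGNED = "op_endpoint,return_to,response_nonce,assoc_handle"

def kv_form(fields, signed):
    """Key-Value form: 'key:value\\n' per signed key, without the 'openid.' prefix."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed.split(",")).encode()

def sign(fields, secret=SECRET):
    """Base64 HMAC-SHA256 over the fields named in openid.signed."""
    data = kv_form(fields, fields["openid.signed"])
    return base64.b64encode(hmac.new(secret, data, hashlib.sha256).digest()).decode()

def make_assertion(signed):
    """OP side: positive assertion (mode id_res) with constructed values."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/endpoint",
        "openid.return_to": "https://rp.example/return",
        "openid.response_nonce": "2010-08-27T05:11:25Zconstructed",
        "openid.assoc_handle": "constructed-handle",
        "openid.signed": signed,
    }
    fields["openid.sig"] = sign(fields)
    return fields

def rp_check_auth_request(assertion):
    """RP side: exact copy of the assertion fields, except openid.mode."""
    return dict(assertion, **{"openid.mode": "check_authentication"})

def op_verify_naive(request):
    """OP recomputes the signature over the request exactly as received."""
    return hmac.compare_digest(sign(request), request["openid.sig"])

def op_verify_mode_restored(request):
    """Assumed handling: put back the mode that was signed before recomputing."""
    fields = dict(request)
    if "mode" in fields["openid.signed"].split(","):
        fields["openid.mode"] = "id_res"
    return hmac.compare_digest(sign(fields), fields["openid.sig"])
```

With `BASE_SIGNED` the naive check succeeds; with `"mode," + BASE_SIGNED` it fails on an untampered assertion, while the mode-restoring check still rejects a request whose other signed fields were altered.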

