[dix] Re: Gathering requirements for in-browser OpenID support
Mike Glover
mpg4 at janrain.com
Fri Oct 20 20:12:57 UTC 2006
On Fri, 20 Oct 2006 09:36:30 +0100
"Ben Laurie" <benl at google.com> wrote:
> On 19/10/06, Pete Rowley <prowley at redhat.com> wrote:
> > Having the hooks that enable solutions to this outside the protocol is a
> > MUST in my view. So, go Chris :)
>
> Why not enable it inside the protocol? It isn't hard to ensure that
> anything an RP gets is unusable anywhere else. Indeed, surely this is
> a basic requirement for any secure SSO solution?
>
Could you explain that some more? Specifically, how would you prevent a rogue RP from faking a redirect to the user's IdP (by proxying the request instead)? I can't see a way that the protocol itself can guard against this.
-mike