[OpenID] Yahoo hijacking?
Peter Watkins
peterw at tux.org
Fri Apr 18 23:48:12 UTC 2008
On Fri, Apr 18, 2008 at 04:38:46PM -0700, SitG Admin wrote:
> >if I go to Yahoo for an OpenID login, and then change my mind and
> >say "I do not want to login", they take me to
> ><http://www.yahoo.com>www.yahoo.com!!!
>
> Side question - if they used CSRF to have you request (via GET) the
> appropriate page from the Relying Party, would that be acceptable? Is
> it sufficient to have the user notify the RP that nothing further
> will be happening, or should the user visit the site normally to
> continue further interactions, and at least have the chance to
> receive further info directly from the site?
I think it'd be good if the spec allowed the RP to ask the IdP to
send users back to a specific URL if the user declined to authenticate.
I also think it'd be fine for IdPs to not send the user back to that
"Decline URL" -- the user should be able to use their Back Arrow to
return to the RP site.
Shade -- how could a URL be both "appropriate" and CSRF?
There are some CSRF-like concerns with OpenID, to be sure (e.g., an IdP
should *always* present some sort of confirmation interface to the user
to prevent an RP from "fishing" for OpenID identities[0]), but I don't
understand your concern here.
-Peter
[0] It'd be fine for an IdP to offer choices like "don't bother asking
for confirmations when I log in to ACME.example.com in the future".
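As an added illustration of the two points in Peter's message (the IdP always confirming before asserting an identity, so that an RP cannot silently "fish" for one, and the proposed "Decline URL"), here is a constructed model of an IdP's decision logic. It is not code from the thread, from Yahoo, or from any OpenID library; the `decline_url` field is the hypothetical extension Peter proposes and is not part of any OpenID specification, and the positive assertion is abbreviated to its mode and identity fields (a real one also carries the association handle and signature).

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed model of the IdP checkpoint discussed in the thread.
# AuthRequest.decline_url is hypothetical (Peter's proposal), not spec.


@dataclass
class Session:
    identity: Optional[str]                            # identifier the user is logged in as, or None
    trusted_realms: set = field(default_factory=set)   # realms the user marked "don't ask again"


@dataclass
class AuthRequest:
    mode: str                          # "checkid_immediate" or "checkid_setup"
    realm: str                         # RP trust root, e.g. "https://acme.example.com/"
    return_to: str                     # where the RP wants the response sent
    decline_url: Optional[str] = None  # hypothetical: where a declining user is sent


def under_realm(url: str, realm: str) -> bool:
    """True only if url shares scheme and host with realm and sits under its path.
    Without this check the IdP would redirect to wherever an RP asked."""
    r, u = urlsplit(realm), urlsplit(url)
    return (u.scheme == r.scheme and u.netloc == r.netloc
            and u.path.startswith(r.path or "/"))


def with_params(url: str, params: dict) -> str:
    """Append OpenID response fields to a URL, keeping any query it already has."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(params.items())
    return urlunsplit(parts._replace(query=urlencode(query), fragment=""))


def positive_assertion(req: AuthRequest, session: Session) -> dict:
    # Abbreviated: a real id_res response also carries assoc_handle, signed, sig.
    return {"action": "redirect", "url": with_params(
        req.return_to, {"openid.mode": "id_res", "openid.identity": session.identity})}


def decide(req: AuthRequest, session: Session) -> dict:
    """What the IdP does when an RP's checkid_* request arrives."""
    if not under_realm(req.return_to, req.realm):
        return {"action": "reject", "reason": "return_to outside realm"}
    if session.identity is None:
        # Nobody logged in: immediate mode just says so, setup mode shows the login page.
        return {"action": "setup_needed" if req.mode == "checkid_immediate" else "login_page"}
    if req.realm in session.trusted_realms:
        # Only a realm the user explicitly remembered gets an assertion without a prompt.
        return positive_assertion(req, session)
    if req.mode == "checkid_immediate":
        # No confirmation is possible, so answer nothing identifying: the RP cannot
        # learn whether this browser is logged in as anyone (the "fishing" above).
        return {"action": "setup_needed"}
    return {"action": "confirm_page", "realm": req.realm}


def on_user_choice(req: AuthRequest, session: Session, approved: bool,
                   remember: bool = False) -> dict:
    """Handle the answer from the confirmation page."""
    if approved:
        if remember:
            session.trusted_realms.add(req.realm)  # footnote [0]: "don't bother asking"
        return positive_assertion(req, session)
    # Declined. Honour a decline_url only if it stays inside the RP's realm;
    # otherwise fall back to the standard negative answer at return_to.
    if req.decline_url and under_realm(req.decline_url, req.realm):
        return {"action": "redirect", "url": req.decline_url}
    return {"action": "redirect", "url": with_params(req.return_to, {"openid.mode": "cancel"})}
```

The realm check on both `return_to` and the hypothetical `decline_url` is what keeps the IdP from becoming an open redirector, and answering `setup_needed` to every unconfirmed `checkid_immediate` is what keeps an RP from learning anything about the user without the confirmation page Peter describes.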