[OpenID] OpenID Information Card : receivingUrl , returnToUrl validation

Prabath Siriwardena siriwardena.prabath at gmail.com
Fri Jan 11 08:59:14 UTC 2008


Hi;

Following is an issue that I ran into while using OpenID Information
Cards with the openid4java implementation.

Say, we have two pages,

1. openid-inforcard-submit.html
2. openidinfocardloggedin.jsp

In [1] we have the following:
<form name="frm" id="frm" method="post" action="openidinfocardloggedin.jsp">
    <input type="hidden" name="InfoCardSignin" value="Log in" />
    <OBJECT type="application/x-informationCard" name="xmlToken">
        <PARAM Name="tokenType" Value="http://specs.openid.net/auth/2.0">
        <PARAM Name="requiredClaims" Value="http://schema.openid.net/2007/05/claims/identifier">
    </OBJECT>
</form>

With this, on successful login, I'll be redirected to
openidinfocardloggedin.jsp.

During verification, at the RP end; we have the following attribute
with the OpenIDToken returned from the OP:

openid.return_to:https://localhost/rp/openid-infocard-submit.html

Basically, this is the value set by the OP, which is the value of
"AppliesTo"  from RST.

Now, at the RP end it compares the receivingUrl with the returnToUrl [
where returnToUrl  = https://localhost/rp/openid-infocard-submit.html
].

But, in this case, receivingUrl  =
https://localhost/rp/openidinfocardloggedin.jsp  [receivingUrl  =
request.getRequestURL() ].

So, since the receivingUrl  differs from the returnToUrl , the validation fails.


Following is the validation from the openid4java code:

if ( ! receiving.getProtocol().equals(returnTo.getProtocol()) ||
     ! receiving.getAuthority().equals(returnTo.getAuthority()) ||
     ! receivingPath.toString().equals(returnToPath.toString()) )
{
    if (DEBUG)
        _log.debug("Return URL schema, authority or " +
                   "path verification failed.");
    return false;
}


Appreciate your thoughts, suggestions.

Thanks & regards.

- Prabath
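
Added example, not part of the original message and not openid4java's own code: a stand-alone Java version of the return_to comparison quoted above, run against the two URLs from the message plus two constructed variants. It goes slightly beyond the quoted snippet by treating an explicit default port as equal and by requiring every return_to query parameter on the receiving URL (OpenID Authentication 2.0, section 11.1); the class and method names are hypothetical, and absolute URLs are assumed.

```java
import java.net.URI;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class ReturnToCheck {

    // Default ports, so https://host and https://host:443 compare equal.
    static int port(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    // Raw "name=value" pairs of the query string (empty set when absent).
    static Set<String> params(URI u) {
        String q = u.getRawQuery();
        return q == null || q.isEmpty()
                ? new HashSet<>()
                : new HashSet<>(Arrays.asList(q.split("&")));
    }

    /** Returns null when receivingUrl satisfies return_to, else the part that differs. */
    static String mismatch(String receivingUrl, String returnToUrl) {
        URI rx = URI.create(receivingUrl).normalize();
        URI rt = URI.create(returnToUrl).normalize();
        if (!rx.getScheme().equalsIgnoreCase(rt.getScheme())) return "scheme";
        // Simplification: authority is compared as host + port (userinfo ignored).
        if (!rx.getHost().equalsIgnoreCase(rt.getHost()) || port(rx) != port(rt)) return "authority";
        if (!rx.getRawPath().equals(rt.getRawPath())) return "path";
        // Every query parameter in return_to must also be on the receiving URL.
        if (!params(rx).containsAll(params(rt))) return "query";
        return null;
    }

    public static void main(String[] args) {
        String returnTo = "https://localhost/rp/openid-infocard-submit.html"; // AppliesTo value set by the OP
        String[] receiving = {
            "https://localhost/rp/openidinfocardloggedin.jsp",      // form action from the message
            "https://localhost/rp/openid-infocard-submit.html",     // token posted back to the AppliesTo URL
            "https://localhost:443/rp/openid-infocard-submit.html", // constructed: explicit default port
            "http://localhost/rp/openid-infocard-submit.html"       // constructed: scheme differs
        };
        for (String rx : receiving) {
            String why = mismatch(rx, returnTo);
            System.out.println(rx + " -> " + (why == null ? "accepted" : "rejected: " + why));
        }
    }
}
```

The first URL is rejected on path, which is the failure described in the message; the second and third are accepted, and the fourth is rejected on scheme.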


