[OpenID] OpenID Information Card : receivingUrl , returnToUrl validation
Prabath Siriwardena
siriwardena.prabath at gmail.com
Fri Jan 11 08:59:14 UTC 2008
Hi;
Following is an issue that I ran into while using OpenID Information
Cards with the openid4java implementation.
Say, we have two pages,
1. openid-inforcard-submit.html
2. openidinfocardloggedin.jsp
In [1] we have the following:

  <form name="frm" id="frm" method="post" action="openidinfocardloggedin.jsp">
    <input type="hidden" name="InfoCardSignin" value="Log in" />
    <OBJECT type="application/x-informationCard" name="xmlToken">
      <PARAM Name="tokenType"
             Value="http://specs.openid.net/auth/2.0">
      <PARAM Name="requiredClaims"
             Value="http://schema.openid.net/2007/05/claims/identifier">
    </OBJECT>
  </form>

With this, on successful login, I'll be redirected to
openidinfocardloggedin.jsp.
During verification, at the RP end; we have the following attribute
with the OpenIDToken returned from the OP:
openid.return_to:https://localhost/rp/openid-infocard-submit.html
Basically, this is the value set by the OP, which is the value of
"AppliesTo" from RST.
Now, at the RP end it compares the receivingUrl with the returnToUrl
[where returnToUrl = https://localhost/rp/openid-infocard-submit.html].
But, in this case, receivingUrl =
https://localhost/rp/openidinfocardloggedin.jsp
[receivingUrl = request.getRequestURL()].
So, since the receivingUrl differs from the returnToUrl , the validation fails.
Following is the validation from the openid4java code:

  if ( ! receiving.getProtocol().equals(returnTo.getProtocol()) ||
       ! receiving.getAuthority().equals(returnTo.getAuthority()) ||
       ! receivingPath.toString().equals(returnToPath.toString()) )
  {
      if (DEBUG)
          _log.debug("Return URL schema, authority or " +
                     "path verification failed.");
      return false;
  }

Appreciate your thoughts, suggestions.
Thanks & regards.
- Prabath
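
The comparison described in this message, as an added example that is not part of the original post and is not openid4java code: it reports which component of the receiving URL fails against openid.return_to, using the two URLs from the message plus constructed ones. The class and method names are hypothetical, and the query-parameter step goes beyond the quoted snippet, following the return URL verification rule in OpenID Authentication 2.0.

```java
import java.net.URL;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Objects;
import java.util.Set;

// Added example; class and method names are hypothetical, not openid4java API.
public class ReturnToCheck {

    // Returns null when the receiving URL satisfies return_to,
    // otherwise the name of the first component that differs.
    static String firstMismatch(String receivingUrl, String returnToUrl) throws Exception {
        URL receiving = new URL(receivingUrl);
        URL returnTo = new URL(returnToUrl);
        if (!receiving.getProtocol().equals(returnTo.getProtocol())) return "scheme";
        if (!Objects.equals(receiving.getAuthority(), returnTo.getAuthority())) return "authority";
        if (!receiving.getPath().equals(returnTo.getPath())) return "path";
        // Every query parameter of return_to must arrive with the same value.
        // Simplification: raw "name=value" pairs are compared without URL-decoding.
        if (!params(receiving).containsAll(params(returnTo))) return "query";
        return null;
    }

    static Set<String> params(URL url) {
        String query = url.getQuery();
        if (query == null || query.isEmpty()) return new HashSet<>();
        return new HashSet<>(Arrays.asList(query.split("&")));
    }

    static void report(String label, String receiving, String returnTo) throws Exception {
        String mismatch = firstMismatch(receiving, returnTo);
        System.out.println(label + ": " + (mismatch == null ? "accepted" : "rejected (" + mismatch + " differs)"));
    }

    public static void main(String[] args) throws Exception {
        // URLs from the message: form action target vs. the page named in return_to.
        report("infocard form", "https://localhost/rp/openidinfocardloggedin.jsp",
               "https://localhost/rp/openid-infocard-submit.html");
        // Constructed: token posted back to the page named in return_to.
        report("same page", "https://localhost/rp/openid-infocard-submit.html",
               "https://localhost/rp/openid-infocard-submit.html");
        // Constructed: return_to carries a parameter that the request echoes.
        report("query kept", "https://localhost/rp/openid-infocard-submit.html?sid=1&openid.mode=id_res",
               "https://localhost/rp/openid-infocard-submit.html?sid=1");
        // Constructed: the same parameter arrives with a different value.
        report("query changed", "https://localhost/rp/openid-infocard-submit.html?sid=2",
               "https://localhost/rp/openid-infocard-submit.html?sid=1");
    }
}
```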