[OpenID] OpenID Information Card : receivingUrl , returnToUrl validation
Johnny Bufu
johnny at sxip.com
Fri Jan 11 18:54:39 UTC 2008
On 11-Jan-08, at 12:59 AM, Prabath Siriwardena wrote:
> During verification, at the RP end; we have the following attribute
> with the OpenIDToken returned from the OP:
>
> openid.return_to:https://localhost/rp/openid-infocard-submit.html
>
> Basically, this is the value set by the OP, which is the value of
> "AppliesTo" from RST.

Considering that:
- AppliesTo is the only RP information that is passed by the selector
  to the OP
- return_to is a required field in OpenID assertions

The former must be used as a means for conveying the return_to value
to the OP.

The approach used in OpenID Information Cards is to have the xmlToken
POSTed at the same URL as the login page (that contains the OBJECT
tag). The controller of that URL can differentiate between them based
on the HTTP method:
- GET: provide the login page with the OBJECT tag
- POST: process the xmlToken

Another possible solution can be to encode request parameters in the
login page URL (possibly after a redirect on the RP site), and have
the OP extract them accordingly from it.

> Following is the validation from the openid4java code:
>
> if ( ! receiving.getProtocol().equals(returnTo.getProtocol()) ||
>      ! receiving.getAuthority().equals(returnTo.getAuthority()) ||
>      ! receivingPath.toString().equals(returnToPath.toString()) )
> {
>     if (DEBUG)
>         _log.debug("Return URL schema, authority or " +
>                    "path verification failed.");
>     return false;
> }

This maps to the "11.1 Verifying the Return URL" section of the
OpenID spec:
http://openid.net/specs/openid-authentication-2_0.html#verify_return_to

Johnny
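
The return_to check discussed in this message, as an added example that is not openid4java code and not part of the original post. It goes one step beyond the quoted fragment by also applying the section 11.1 rule that query parameters present in return_to must arrive unchanged. The class and method names, and every URL other than the quoted return_to, are constructed for illustration.

```java
import java.net.URI;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class ReturnToCheck {

    // Section 11.1 check: receivingUrl is the URL the RP actually got the
    // response on, returnToUrl is the openid.return_to value in the assertion.
    static boolean verifyReturnTo(String receivingUrl, String returnToUrl) {
        URI receiving = URI.create(receivingUrl);
        URI returnTo = URI.create(returnToUrl);

        // Reject return_to values that are not absolute hierarchical URLs.
        if (returnTo.getScheme() == null || returnTo.getRawAuthority() == null) {
            return false;
        }
        // Scheme, authority and path must be the same (exact match, as in the quoted check).
        if (!returnTo.getScheme().equals(receiving.getScheme())
                || !returnTo.getRawAuthority().equals(receiving.getRawAuthority())
                || !returnTo.getRawPath().equals(receiving.getRawPath())) {
            return false;
        }
        // Every return_to query parameter must arrive with the same value;
        // extra parameters on the receiving URL (the openid.* fields) are fine.
        return queryParams(receiving).containsAll(queryParams(returnTo));
    }

    private static List<String> queryParams(URI uri) {
        String query = uri.getRawQuery();
        if (query == null || query.isEmpty()) {
            return Collections.emptyList();
        }
        return Arrays.asList(query.split("&"));
    }

    public static void main(String[] args) {
        // return_to from the thread; every other URL below is constructed.
        String returnTo = "https://localhost/rp/openid-infocard-submit.html";
        String[][] cases = {
            {returnTo, returnTo},                           // token POSTed to the AppliesTo URL
            {"https://localhost/rp/login.html", returnTo},  // token POSTed to a different path
            {"http://localhost/rp/openid-infocard-submit.html", returnTo},
            {returnTo + "?sid=7&openid.mode=id_res", returnTo + "?sid=7"},
            {returnTo + "?sid=8", returnTo + "?sid=7"},
        };
        for (String[] c : cases) {
            System.out.println(verifyReturnTo(c[0], c[1]) + "  received on " + c[0]);
        }
    }
}
```

Query parameters are compared in their raw, still-encoded form, so a parameter that is re-encoded in transit counts as a mismatch.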