[OpenID] Correlating Identifiers
Manger, James H
James.H.Manger at team.telstra.com
Thu Nov 6 22:39:15 UTC 2008
Peter Williams asked
> Don't OpenID state machine rules require an RP to reject an identity claim
> from the OP that fails to match the requested identity?
>
> Isn't the ONLY exception to that when the RP/user has invoked the
> directed-identity flow?
No and No.
If the identity in the OP response does not match the identity in the request (which came from earlier discovery) the RP should perform discovery again. If the second discovery (this time on the identity in the OP response) matches then OpenID authentication has succeeded.
OpenID 2.0 §11.2 "Verifying Discovered Information" says:
[http://openid.net/specs/openid-authentication-2_0.html#verify_disco]
"If the Claimed Identifier is included in the assertion, it MUST have been
discovered (Discovery) by the Relying Party and the information in the
assertion MUST be present in the discovered information. The Claimed
Identifier MUST NOT be an OP Identifier."
"If the Claimed Identifier was not previously discovered by the Relying
Party (the "openid.identity" in the request was
"http://specs.openid.net/auth/2.0/identifier_select" or a different
Identifier, or if the OP is sending an unsolicited positive assertion),
the Relying Party MUST perform discovery on the Claimed Identifier in the
response to make sure that the OP is authorized to make assertions about
the Claimed Identifier."
The important phrase is "or a different Identifier" -- indicating that the RP must perform discovery after receiving a response, not just for directed identity, but also whenever the requested id does not match the response.
James Manger
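The check described in the message above (§11.2 applied on the RP side, including the "or a different Identifier" case) as an added example; this is not code from the original post or from any OpenID library. Discovery is simulated with a constructed lookup table, and every host name, endpoint and OP-Local Identifier below is hypothetical.

```python
# Added example: RP-side "Verifying Discovered Information" (OpenID 2.0 section 11.2).
# Discovery is stubbed with a constructed table; a real RP would fetch XRDS/HTML link data.
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urldefrag

IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
SIGNON_TYPE = "http://specs.openid.net/auth/2.0/signon"
OP_IDENTIFIER_TYPE = "http://specs.openid.net/auth/2.0/server"


@dataclass(frozen=True)
class DiscoveredInfo:
    """What discovery on an identifier yielded: OP endpoint, OP-Local Identifier, service type."""
    claimed_id: str
    op_endpoint: str
    op_local_id: Optional[str] = None
    service_type: str = SIGNON_TYPE


# Constructed discovery results (hypothetical hosts), standing in for real XRDS/HTML discovery.
DISCOVERY_TABLE = {
    # alice's identifier, delegated to the OP at op.example.net
    "https://alice.example.net/": DiscoveredInfo(
        "https://alice.example.net/", "https://op.example.net/auth", "https://op.example.net/users/alice"),
    # a second identifier alice owns: same OP, same OP-Local Identifier
    "https://alice.example.org/": DiscoveredInfo(
        "https://alice.example.org/", "https://op.example.net/auth", "https://op.example.net/users/alice"),
    # mallory's identifier is served by a different OP
    "https://mallory.example.net/": DiscoveredInfo(
        "https://mallory.example.net/", "https://op.example.org/auth"),
    # the OP Identifier itself, as discovered for a directed-identity request
    "https://op.example.net/": DiscoveredInfo(
        "https://op.example.net/", "https://op.example.net/auth", service_type=OP_IDENTIFIER_TYPE),
}


def discover(identifier: str) -> Optional[DiscoveredInfo]:
    """Simulated discovery; returns None when the identifier does not resolve."""
    return DISCOVERY_TABLE.get(identifier)


def verify_discovered_info(request_identity: Optional[str],
                           initial_discovery: Optional[DiscoveredInfo],
                           assertion: dict) -> Tuple[bool, str]:
    """Apply section 11.2 to a positive assertion.

    request_identity  : the openid.identity the RP sent (None for an unsolicited assertion)
    initial_discovery : what the RP discovered before sending the request (None if nothing)
    assertion         : the openid.* parameters of the positive assertion
    Returns (ok, reason).
    """
    claimed = assertion.get("openid.claimed_id")
    if claimed is None:
        return False, "assertion carries no Claimed Identifier; section 11.2 does not apply"
    # A fragment on the asserted Claimed Identifier is not used for verification.
    claimed, _ = urldefrag(claimed)

    needs_rediscovery = (
        initial_discovery is None                    # unsolicited positive assertion
        or request_identity == IDENTIFIER_SELECT     # directed identity
        or claimed != initial_discovery.claimed_id   # "or a different Identifier"
    )
    if needs_rediscovery:
        discovered = discover(claimed)
        if discovered is None:
            return False, "discovery on the asserted Claimed Identifier failed"
    else:
        discovered = initial_discovery

    # Everything in the assertion must be present in the discovered information.
    if discovered.service_type == OP_IDENTIFIER_TYPE:
        return False, "Claimed Identifier MUST NOT be an OP Identifier"
    if assertion.get("openid.op_endpoint") != discovered.op_endpoint:
        return False, "OP endpoint not found by discovery; OP is not authorized for this identifier"
    expected_identity = discovered.op_local_id or discovered.claimed_id
    if assertion.get("openid.identity") != expected_identity:
        return False, "openid.identity does not match the discovered OP-Local Identifier"
    return True, "rediscovered" if needs_rediscovery else "matched initial discovery"


if __name__ == "__main__":
    # RP asked for alice.example.net; the OP answers with alice's other identifier.
    initial = discover("https://alice.example.net/")
    print(verify_discovered_info("https://alice.example.net/", initial, {
        "openid.claimed_id": "https://alice.example.org/",
        "openid.identity": "https://op.example.net/users/alice",
        "openid.op_endpoint": "https://op.example.net/auth"}))
```

The mismatch case is the one the message is about: a different Claimed Identifier in the response is not a failure by itself; it triggers a second discovery, and the assertion passes only if that discovery shows the asserting OP is authorized for the new identifier. An OP that asserts an identifier whose discovery points at some other OP endpoint, or an identifier that does not resolve at all, is rejected.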