[OpenID] Checking signature on an unsolicited positive assertion
Josh Hoyt
josh at janrain.com
Mon Jul 6 17:57:08 UTC 2009
On Wed, Jul 1, 2009 at 4:20 PM, Luke Shepard<lshepard at facebook.com> wrote:
> I’d like to accept an unsolicited positive OpenID assertion from a provider.
> So, instead of the RP issuing a request to the provider and then getting a
> response, the provider would just form the correct URL and send the user to
> it. The RP can then verify the signature and continue as though it had made
> the original request.
>
> For performance reasons, it would be nice to use a shared secret, if one
> exists. That way the RP wouldn’t have to make an extra HTTP request to the
> OP every time. However, section 11.4.2.1 of the spec says that doing so is
> forbidden as it opens up replay attacks.
If I understand what you're asking, that section does not disallow
your use case. If you are using a preestablished shared secret, that
section does not apply at all because your use case will never make a
check_authentication call.
Josh
More information about the general
mailing list