[OpenID] Graphical UIs
Andrew Arnott
andrewarnott at gmail.com
Fri May 15 13:55:23 UTC 2009
Thanks for trying to explain it, Nate. Actually what I was wondering is why
OAuth must be part of the request at all. There's been talk on this thread
of bringing OAuth into it so that a signed message from the RP can be sent
to the OP. First of all, using OAuth just for its signing seems like a
misuse. The OpenID+OAuth extension that you described doesn't sign the
request at all. And finally, it escapes me why the request needs to be
signed at all. If an attacker were to form a request to look like it came
from a legitimate company, then the assertion would go to that legitimate
company (assuming RP discovery and return_to matching was successful) and
the attacker would have gained nothing.
So why must OAuth be part of login just so that logos from the RP can show
up at the OP?
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre
On Thu, May 14, 2009 at 10:46 PM, Nate Klingenstein <ndk at internet2.edu> wrote:
> On rereading this, you might have meant that the OAuth registration of the
> RP with the OP would be completely automated and promiscuous. In that case,
> I'd totally agree with you. But it's a "woah -- dude" moment for me because
> it's so counter to our deployment paradigm.
> Hope there was no confusion,
> Nate.
>
> On May 14, 2009, at 11:28 PM, Nate Klingenstein wrote:
>
> Why would OAuth be necessary? If an RP registered with an OP and submitted
> their logos/text/etc, then any auth request coming in with the registered
> realm could display those pictures. There is a danger that hacker.com might
> register and upload the Wells Fargo logo, but OAuth won't prevent that.
>
>
> Previously negotiated consumer keys, e.g. whitelisting. It would prevent
> any transaction from occurring. Unless I'm horribly misreading something,
> step 7 is registration, stating:
>
> The Combined Consumer and the Combined Provider agree on a consumer key and
> consumer secret (see [OAuth] <http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html#OAuth>).
>
>
> http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html
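Andrew's argument above rests on the OP checking that return_to lies inside the realm before it sends the assertion anywhere. The following is an added example (not code from this thread or from any OpenID library) of that check as I read OpenID Authentication 2.0 section 9.2: same scheme and port, a host that matches the realm's host exactly or, for a "*." realm, ends with the part after the "*", and a return_to path equal to or beneath the realm path. It also shows the consequence Andrew describes: a forged request that names a bank's realm can only have its assertion delivered to a return_to under that realm. All hostnames, the request dictionary and the treatment of the bare domain for a wildcard realm are assumptions for illustration.

```python
"""OpenID 2.0 realm / return_to matching, as an added worked example.

The rules follow OpenID Authentication 2.0 section 9.2; the hostnames
and request below are constructed for the example.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _split(url):
    """Return (scheme, host, port, path, has_fragment) or None if unusable.

    The query string is kept in the path because the prefix rule below
    treats '?' like '/' as a path boundary.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return parts.scheme, parts.hostname.lower(), port, path, bool(parts.fragment)


def return_to_matches_realm(realm, return_to):
    """True if return_to lies inside realm (OpenID 2.0 section 9.2 rules)."""
    r = _split(realm)
    u = _split(return_to)
    if r is None or u is None:
        return False
    r_scheme, r_host, r_port, r_path, r_frag = r
    u_scheme, u_host, u_port, u_path, _ = u

    # Realms MUST NOT contain a fragment.
    if r_frag:
        return False

    # A wildcard is only allowed as the leftmost label: "*.example.com".
    wildcard = r_host.startswith("*.")
    if wildcard:
        r_host = r_host[1:]  # keep the leading '.', e.g. ".bank.example"
    if "*" in r_host or "*" in u_host:
        return False

    # Scheme and port must match exactly.
    if (u_scheme, u_port) != (r_scheme, r_port):
        return False

    # Host: exact match, or (wildcard) trailing match on ".bank.example".
    # Accepting the bare domain "bank.example" for "*.bank.example" is the
    # common library interpretation, assumed here.
    if wildcard:
        if not (u_host.endswith(r_host) or "." + u_host == r_host):
            return False
    elif u_host != r_host:
        return False

    # Path: equal to the realm path, or a sub-path of it. "/app" covers
    # "/app/x" and "/app?x" but not "/application". A realm that itself
    # carries a query string only matches exactly.
    if u_path != r_path:
        if "?" in r_path or not u_path.startswith(r_path):
            return False
        if r_path[-1] != "/" and u_path[len(r_path)] not in "/?":
            return False
    return True


def assertion_destination(request):
    """Where an OP would send a positive assertion for this request.

    Returns the return_to URL when it lies inside the realm, else None
    (the request should be rejected rather than answered).
    """
    realm = request["openid.realm"]
    return_to = request["openid.return_to"]
    if return_to_matches_realm(realm, return_to):
        return return_to
    return None


if __name__ == "__main__":
    # Constructed request: attacker copies the bank's realm but points
    # return_to at its own host. The OP refuses to send the assertion there.
    forged = {"openid.realm": "https://bank.example/",
              "openid.return_to": "https://attacker.example/steal"}
    print("forged request ->", assertion_destination(forged))  # None

    # Same realm, return_to under it: the assertion can only reach the bank.
    genuine = {"openid.realm": "https://bank.example/",
               "openid.return_to": "https://bank.example/openid/finish?nonce=1"}
    print("genuine request ->", assertion_destination(genuine))
```

Note what this check does and does not buy. It guarantees that an assertion for realm https://bank.example/ ends up at a URL under that realm, which is why forging the request gains an attacker nothing; it says nothing about whether the party that registered the realm is who its logo claims, which is Nate's hacker.com point.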