<br><br><div class="gmail_quote">On Wed, Mar 11, 2009 at 11:17 AM, Andrew Arnott <span dir="ltr"><<a href="mailto:andrewarnott@gmail.com">andrewarnott@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
In OpenID 2.0 section 11.1, we see the following requirement regarding verifying the openid.return_to parameter:<blockquote style="border: medium none ; margin: 0pt 0pt 0pt 40px; padding: 0px;"><span style="font-family: verdana;">Any query parameters that are present in the "openid.return_to" URL MUST also be present with the same values in the URL of the HTTP request the RP received.</span><br>
</blockquote><div><br></div><div>But consider this incoming RP message: (I didn't bother properly URL encoding it since that would just make it harder to read)</div><div><a href="http://rp/authenticate?a=b&a=c&openid.return_to=http%3a%2f%2frp%2fauthenticate%3fa%3db&openid.*" target="_blank">http://rp/authenticate?a=b&a=c&openid.return_to=http%3a%2f%2frp%2fauthenticate%3fa%3db&openid.*</a> (other openid parameters)</div>
<div><br></div><div>In the above GET request, the openid.return_to value has a decoded value of <a href="http://rp/authenticate?a=b" target="_blank">http://rp/authenticate?a=b</a>. You can see that the incoming request matches the requirements, as all keys exist with the same values. However, some keys (specifically 'a' in this example) show up multiple times, and have different values. Depending on the library, this could have adverse security or undesirable altering effects.</div>
<div><br></div><div>I wonder if we should enhance the 2.1 spec to say that the same keys must not appear more than they do in the return_to URL.</div></blockquote><div><br>What if they appear a fewer number of times?<br>
<br>The correct language is that the set of parameter assignments "a=b", where 'a' is the key and 'b' is the value, that appear in the HTTP request the RP received, and that are not OpenID parameters, should be identical to the set of assignments present in the query part of the return_to URL in the authentication response.<br>
</div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div></div><div>--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire<br>
</div>
<br>_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>--Breno<br><br>+1 (650) 214-1007 desk<br>+1 (408) 212-0135 (Grand Central)<br>MTV-41-3 : 383-A <br>PST (GMT-8) / PDT(GMT-7)<br>
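<div>Added example, not code from the thread or from any OpenID library: a small return_to verifier that implements both readings side by side, the literal section 11.1 wording (every pair in return_to must appear in the request) and the stricter rule proposed above (the non-openid.* assignments in the received request must be exactly those in the return_to query). It is written against the request from the message, with the remaining openid.* parameters reduced to a single constructed openid.mode. One assumption is made beyond the thread: the comparison is done on a multiset of (key, value) pairs, so a key repeated with the same value is also rejected; the thread's wording says "set", and the RP's own return_to is assumed not to use the openid.* namespace for its state.</div>

```python
from collections import Counter
from urllib.parse import parse_qsl, urlsplit


def query_pairs(url):
    """Decode the query of `url` into an ordered list of (key, value) pairs.

    Duplicate keys are kept as separate pairs (that is the case under
    discussion) and blank values are kept so "a=" is not silently dropped.
    """
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def extract_return_to(request_url):
    """Pull the openid.return_to value out of the request the RP received."""
    for key, value in query_pairs(request_url):
        if key == "openid.return_to":
            return value
    raise ValueError("no openid.return_to in request")


def same_endpoint(request_url, return_to):
    """The other half of OpenID 2.0 section 11.1: scheme, authority and path
    of the received request must equal those of return_to."""
    req, rt = urlsplit(request_url), urlsplit(return_to)
    return (req.scheme, req.netloc, req.path) == (rt.scheme, rt.netloc, rt.path)


def literal_2_0_check(request_url):
    """Section 11.1 as written: every (key, value) pair in the return_to query
    MUST also be present in the request. Extra pairs, including a second copy
    of a key with a different value, are not rejected."""
    return_to = extract_return_to(request_url)
    request_pairs = query_pairs(request_url)
    return same_endpoint(request_url, return_to) and all(
        pair in request_pairs for pair in query_pairs(return_to)
    )


def strict_check(request_url):
    """The rule proposed in the thread, taken as a multiset comparison
    (assumption): the non-openid.* assignments in the received request must
    be identical to the assignments in the return_to query. Nothing missing,
    nothing extra, no duplicate that return_to did not carry."""
    return_to = extract_return_to(request_url)
    request_pairs = Counter(
        pair for pair in query_pairs(request_url) if not pair[0].startswith("openid.")
    )
    # return_to was composed by the RP itself; assumed to carry no openid.* keys.
    return same_endpoint(request_url, return_to) and request_pairs == Counter(
        query_pairs(return_to)
    )


# Constructed sample requests, modelled on the one in the message.
RETURN_TO = "openid.return_to=http%3a%2f%2frp%2fauthenticate%3fa%3db"
DUPLICATED = f"http://rp/authenticate?a=b&a=c&{RETURN_TO}&openid.mode=id_res"
CLEAN = f"http://rp/authenticate?a=b&{RETURN_TO}&openid.mode=id_res"
MISSING = f"http://rp/authenticate?{RETURN_TO}&openid.mode=id_res"
WRONG_PATH = f"http://rp/other?a=b&{RETURN_TO}&openid.mode=id_res"

if __name__ == "__main__":
    samples = [("duplicated", DUPLICATED), ("clean", CLEAN),
               ("missing", MISSING), ("wrong_path", WRONG_PATH)]
    for name, url in samples:
        print(name, "literal:", literal_2_0_check(url), "strict:", strict_check(url))
```

<div>The duplicated request from the message passes literal_2_0_check and fails strict_check; the clean request passes both; a request with the "a=b" pair missing fails both under either wording, which is the "fewer" case raised above.</div>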