[security] Validating openid.identity in authentication responses
Trevor Johns
trevor at tjohns.net
Fri Nov 16 15:10:02 UTC 2007
There was a question on IRC a few nights ago that I couldn't answer
and has since been bugging me. I was hoping somebody here would be
able to clarify this for me...
In reply to an authentication request (either via checkid_immediate or
checkid_setup), an OpenID provider includes the identifier that has
been verified as the value for openid.identity. However, what if that
identity doesn't match what was sent in the original authentication
request?
Obviously there needs to be some validation here, otherwise a provider
could make claims about identities on other domains. However, what
about the less dangerous requests, such as returning a different
identity within the provider's authoritative domain? And if that's not
allowed, then what is the purpose of including openid.identity at all,
considering that the return_to URL in combination with a nonce (which
is required for secure operation anyway) would be sufficient to ensure
the provider's signature isn't reused maliciously for other identities?
--
Trevor Johns
http://tjohns.net
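One way a relying party can answer the question above in code, as an added example that is not part of the original post: after the signature has been verified, the RP accepts openid.identity either because it equals the identifier it asked about, or because fresh discovery on the returned identifier names the same OP endpoint the user was sent to. The DISCOVERY table, the PendingRequest record and all URLs below are constructed stand-ins for a real RP's discovery step and session store.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed state an RP would persist when it issues a checkid_setup or
# checkid_immediate request, looked up again via the nonce in return_to.
@dataclass(frozen=True)
class PendingRequest:
    claimed_id: str     # openid.identity sent in the request
    op_endpoint: str    # OP endpoint the RP discovered for that identifier
    return_to: str      # return_to URL including the RP's nonce

# Constructed stand-in for Yadis/HTML discovery: identifier -> OP endpoint.
# A real RP fetches the identifier URL; these entries are hypothetical.
DISCOVERY: Dict[str, str] = {
    "https://alice.example.net/": "https://op.example.net/server",
    "https://bob.example.net/": "https://op.example.net/server",
    "https://victim.example.org/": "https://op.example.org/server",
}

def validate_identity(response: Dict[str, str],
                      pending: PendingRequest) -> Tuple[bool, str]:
    """Decide whether the asserted openid.identity may be trusted.

    Assumes the response signature has already been checked; a valid
    signature only proves which OP spoke, not that the OP is authoritative
    for the identifier it named.
    """
    identity = response.get("openid.identity")
    if not identity:
        return False, "missing openid.identity"
    if response.get("openid.return_to") != pending.return_to:
        return False, "return_to does not match the pending request"
    # Common case: the OP asserted exactly the identifier we asked about.
    if identity == pending.claimed_id:
        return True, "identity matches the request"
    # The OP asserted a different identifier. Re-run discovery on *that*
    # identifier and require it to delegate to the same OP endpoint we
    # originally sent the user to; otherwise the OP is making a claim
    # about an identifier on a domain it does not control.
    discovered_op = DISCOVERY.get(identity)
    if discovered_op is None:
        return False, f"discovery failed for {identity}"
    if discovered_op != pending.op_endpoint:
        return False, (f"{identity} is served by {discovered_op}, "
                       f"not by {pending.op_endpoint}")
    return True, "identity differs from request but this OP is authoritative"
```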