[security] Validating openid.identity in authentication responses
David Recordon
drecordon at sixapart.com
Fri Nov 16 17:01:14 UTC 2007
On Nov 16, 2007, at 7:10 AM, Trevor Johns wrote:
> There was a question on IRC a few nights ago that I couldn't answer
> and has since been bugging me. I was hoping somebody here would be
> able to clarify this for me...
>
> In reply to an authentication request (either via checkid_immediate or
> checkid_setup), an OpenID provider includes the identifier that has
> been verified as the value for openid.identity. However, what if that
> identity doesn't match what was sent in the original authentication
> request?
This is actually desired functionality to allow for "directed
identity". The use case here is that an End User might type their OP
Identifier such as "http://aol.com" to start the discovery process.
Then while at the OP, they could potentially create a new OpenID
Identifier on the fly or might only have one which is where this can
also serve as a convenience feature.
> Obviously there needs to be some validation here, otherwise a provider
> could make claims about identities on other domains. However, what
> about the less dangerous requests, such as returning an different
> identity within the provider's authoritative domain?
Yes, if you take a look at Section 11 Verifying Assertions (http://openid.net/specs/openid-authentication-2_0-12.html#verification)
you'll see that the Relying Party must verify that the OP is
authoritative for the Claimed Identifier in the response.
Hope that helps!
--David
> And if that's not
> allowed, then what is the purpose of including openid.identity at all,
> considering that the return_to URL in combination with a nonce (which
> is required for secure operation anyway) would be sufficient to ensure
> the provider's signature isn't reused maliciously for other
> identities?
>
> --
> Trevor Johns
> http://tjohns.net
>
> _______________________________________________
> security mailing list
> security at openid.net
> http://openid.net/mailman/listinfo/security
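The Section 11 check David points to, written out as an added example (not code from this thread or from any OpenID library): the Relying Party side of "is this OP authoritative for the Claimed Identifier it returned". The in-memory FAKE_DISCOVERY table stands in for real Yadis/HTML discovery, and every identifier and endpoint in it is constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urldefrag

IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"


@dataclass(frozen=True)
class Discovered:
    """What discovery on a Claimed Identifier yields."""
    op_endpoint: str
    op_local_id: Optional[str] = None  # None: OP-Local Identifier == Claimed Identifier


# Constructed stand-in for Yadis/HTML discovery. A real RP fetches the Claimed
# Identifier over HTTP and reads the OP endpoint its documents delegate to.
FAKE_DISCOVERY: Dict[str, Discovered] = {
    "https://alice.example.com/": Discovered("https://op.example.com/server",
                                            "https://op.example.com/user/alice"),
    "https://bob.example.org/": Discovered("https://other-op.example.org/server"),
}


def discover(claimed_id: str) -> Optional[Discovered]:
    return FAKE_DISCOVERY.get(claimed_id)


def op_is_authoritative(request: Dict[str, str], response: Dict[str, str],
                        discover_fn: Callable[[str], Optional[Discovered]] = discover,
                        previously_discovered: Optional[Discovered] = None) -> bool:
    """Section 11.2 'Verifying Discovered Information' for a positive assertion.

    The fragment is dropped from the Claimed Identifier before comparing. Discovery
    is re-run on the response's Claimed Identifier whenever the RP did not already
    discover it for this request (directed identity, a different identifier, or an
    unsolicited assertion). This complements the return_to, nonce and signature
    checks of Section 11; it does not replace them.
    """
    if response.get("openid.mode") != "id_res":
        return False
    claimed_id, _ = urldefrag(response.get("openid.claimed_id", ""))
    identity = response.get("openid.identity", "")
    op_endpoint = response.get("openid.op_endpoint", "")
    if not (claimed_id and identity and op_endpoint):
        return False
    requested, _ = urldefrag(request.get("openid.claimed_id", ""))
    if requested == claimed_id and requested != IDENTIFIER_SELECT and previously_discovered:
        info = previously_discovered          # already discovered for this request
    else:
        info = discover_fn(claimed_id)        # the OP's own word is never enough
    if info is None:
        return False
    return info.op_endpoint == op_endpoint and (info.op_local_id or claimed_id) == identity
```

A response naming a Claimed Identifier whose own discovery points at a different OP endpoint fails this check even when its signature and nonce are valid, which is why return_to plus nonce alone cannot stand in for it.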