[PROPOSAL] request nonce and name
Josh Hoyt
josh at janrain.com
Fri Oct 13 09:48:31 UTC 2006
On 10/13/06, Martin Atkins <mart at degeneration.co.uk> wrote:
> > True, even one single pass through parameter should do.
>
> This causes the minor inconvenience that the RP will probably now have
> to implement its own parsing, rather than using the framework's
> pre-supplied functions for dealing with urlencoded query strings.
>
> Not a major deal, but I'd guess that this is where the idea to use
> return_to args came from in the first place.
return_to arguments can only be trusted if they are taken from the
signed return_to parameter, which means parsing the signed return_to
parameter anyway. So it's at least no worse.

It's better in that the parameters do not now appear twice in the
response (once double-encoded).

Example of a response with a parameter in the return_to:

http://a.url/?drink=0xC0FFEE%21&openid.return_to=http%3A//a.url/%3Fdrink%3D0xC0FFEE%2521&...

Example of a response with a hypothetical openid.appdata field:

http://a.url/?openid.appdata=drink%3D0xC0FFEE%21&openid.return_to=http%3A//a.url/&...
Josh
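What the two shapes above mean for a relying party, as an added example that is not part of the original email or of any OpenID library: it parses both response forms and recovers the application argument from each, taking it only from the signed openid.return_to in the first case. The URLs are constructed for the example (openid.mode=id_res stands in for the "&..." in the message, and the tampered variant is invented to show the check failing); openid.appdata is the hypothetical field from the message, not a real OpenID parameter; and signature verification over the openid.* fields is assumed to have already happened.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample responses for this example (not from the original email).
# They follow the two shapes shown above; "&..." is replaced by a real OpenID
# field, openid.mode=id_res, so the URLs parse cleanly.
RESPONSE_VIA_RETURN_TO = (
    "http://a.url/?drink=0xC0FFEE%21"
    "&openid.return_to=http%3A//a.url/%3Fdrink%3D0xC0FFEE%2521"
    "&openid.mode=id_res"
)
RESPONSE_VIA_APPDATA = (
    "http://a.url/?openid.appdata=drink%3D0xC0FFEE%21"
    "&openid.return_to=http%3A//a.url/"
    "&openid.mode=id_res"
)
# Same as the first response, but the unsigned top-level copy of the argument
# has been rewritten (constructed tampering case). The signed return_to is
# untouched, so a relying party reading the top-level copy would be fooled.
TAMPERED_RESPONSE = RESPONSE_VIA_RETURN_TO.replace(
    "?drink=0xC0FFEE%21&", "?drink=0xDEADBEEF&", 1
)


def split_response(response_url):
    """Split a response URL into all query pairs and the openid.* fields."""
    pairs = parse_qsl(urlsplit(response_url).query, keep_blank_values=True)
    openid_fields = {k: v for k, v in pairs if k.startswith("openid.")}
    return pairs, openid_fields


def app_args_from_return_to(response_url):
    """Application arguments taken only from the signed openid.return_to.

    Assumes the caller has already checked the OpenID signature covering
    openid.return_to (signature verification is not shown here). The
    top-level copies of the same arguments are unsigned, so they are used
    for nothing except a consistency check against the signed copy; any
    difference (changed, added or dropped argument) is rejected.
    """
    pairs, openid_fields = split_response(response_url)
    return_to = openid_fields["openid.return_to"]
    # One extra decode: %2521 in the outer URL became %21 inside return_to,
    # and parse_qsl now turns that into "!".
    signed_args = parse_qsl(urlsplit(return_to).query, keep_blank_values=True)
    unsigned_args = [(k, v) for k, v in pairs if not k.startswith("openid.")]
    if sorted(unsigned_args) != sorted(signed_args):
        raise ValueError("unsigned query arguments do not match signed return_to")
    return dict(signed_args)


def app_args_from_appdata(response_url):
    """Application arguments from the hypothetical openid.appdata field.

    The field's value is itself a urlencoded string: parse_qsl on the
    response decodes the outer layer, and parse_qsl here splits the inner
    one. The arguments never appear a second time at the top level.
    """
    _, openid_fields = split_response(response_url)
    appdata = openid_fields.get("openid.appdata", "")
    return dict(parse_qsl(appdata, keep_blank_values=True))


def rejects_tampering(response_url):
    """True if the return_to-style check refuses the response."""
    try:
        app_args_from_return_to(response_url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(app_args_from_return_to(RESPONSE_VIA_RETURN_TO))  # {'drink': '0xC0FFEE!'}
    print(app_args_from_appdata(RESPONSE_VIA_APPDATA))      # {'drink': '0xC0FFEE!'}
    print(rejects_tampering(TAMPERED_RESPONSE))             # True
```

The point of the comparison in app_args_from_return_to is that the relying party never acts on the top-level copy of drink: it reads the value out of the signed return_to and treats any disagreement between the two copies as a failed response rather than silently picking one. With the appdata shape there is only one copy to read, which is the "no worse, and not double-encoded" case the message argues for.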