Problem with check_authentication
Kevin Turner
kevin at janrain.com
Fri Apr 13 18:02:23 UTC 2007
On Fri, 2007-04-13 at 16:53 +0100, Kevin Richards wrote:
> In the spec it shows an example of the 'signed' fields returned from a
> check_id_* request as "mode,identity,return_to". However if you try
> and do a check_authentication it will always fail because the mode will
> always be check_authentication not.
Yes, the OP needs to compensate for this by treating mode as "id_res"
when it builds the signature, if mode is in the signed list.
I thought that had made it into the 2.0 draft spec, but I don't see it.
It just says that when building the request, the RP should send '''Exact
copies of all fields from the authentication response, except for
"openid.mode".''' It doesn't explicitly say how the OP is expected to
verify the signature. (Although, I guess with check_authentication, the
OP is verifying its _own_ signature, so it can do it however it
pleases.)
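The point of the thread in runnable form (an added example, not code from the original post or from any OpenID library): an OP signs an id_res response over the fields listed in openid.signed, the RP copies every field except openid.mode into a check_authentication request, and the OP can only re-derive the signature if it substitutes "id_res" for the mode value when "mode" is in the signed list. The HMAC-SHA1 over key:value\n form follows the OpenID 1.x signing algorithm; the association secret and the function names are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed association secret shared by OP and RP for this example only.
ASSOC_SECRET = b"constructed-example-secret-not-a-real-key"


def kv_form(params, signed_fields):
    """Serialize the signed fields as OpenID key:value form.

    Keys are listed in openid.signed without the 'openid.' prefix; the
    value for each comes from the matching 'openid.<key>' parameter.
    """
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in signed_fields).encode("utf-8")


def sign(params, signed_fields, secret=ASSOC_SECRET):
    """HMAC-SHA1 over the key:value form, base64-encoded (OpenID 1.x style)."""
    mac = hmac.new(secret, kv_form(params, signed_fields), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def op_build_response(identity, return_to):
    """OP side: a positive assertion signed over mode,identity,return_to."""
    params = {
        "openid.mode": "id_res",
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.signed": "mode,identity,return_to",
    }
    params["openid.sig"] = sign(params, params["openid.signed"].split(","))
    return params


def rp_build_check_authentication(response):
    """RP side: exact copies of all response fields except openid.mode."""
    request = dict(response)
    request["openid.mode"] = "check_authentication"
    return request


def op_verify_naive(request, secret=ASSOC_SECRET):
    """Re-sign the request as received. Fails whenever 'mode' is in the signed
    list, because the RP was required to change openid.mode."""
    signed = request["openid.signed"].split(",")
    expected = sign(request, signed, secret)
    return hmac.compare_digest(expected, request["openid.sig"])


def op_verify(request, secret=ASSOC_SECRET):
    """Compensate as the thread describes: treat mode as 'id_res' while
    rebuilding the signature if 'mode' is among the signed fields."""
    if request.get("openid.mode") != "check_authentication":
        return False
    signed = request["openid.signed"].split(",")
    params = dict(request)
    if "mode" in signed:
        params["openid.mode"] = "id_res"
    expected = sign(params, signed, secret)
    return hmac.compare_digest(expected, request["openid.sig"])


if __name__ == "__main__":
    resp = op_build_response("http://example.com/user", "http://rp.example.com/return")
    req = rp_build_check_authentication(resp)
    print("naive verification:", op_verify_naive(req))   # False
    print("compensating verification:", op_verify(req))  # True
```

The signed list is taken from the request rather than hard-coded, so the same verifier works for responses that sign additional fields; the substitution only happens when "mode" is actually listed, which matches the condition in the reply above.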