section 11. Verifying Assertions

Todd Kaplinger todkap at us.ibm.com
Tue Jul 29 14:56:13 UTC 2008


> Re: section 11. Verifying Assertions
> 
> See section 11.4.2.  Verifying Directly with the OpenID Provider.
> 
> or encode your state in a signed cookie or the return_to URL or 
> somesuch.


Maybe I can explain what I am doing in more detail with actual snippets of 
output to see if this makes sense.

1) The user is authenticated with the OpenID Provider (in this case it 
is myopenid.com)

2) The user is then redirected back to the Relying Party (my application 
code)

http://localhost:8081/?openid.assoc_handle=%7BHMAC-SHA1%7D%7B488f2dba%7D%7BASdALw%3D%3D%7D&openid.claimed_id=http%3A%2F%2Ftodkap.myopenid.com&openid.identity=http%3A%2F%2Ftodkap.myopenid.com&openid.mode=id_res&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.op_endpoint=http%3A%2F%2Fwww.myopenid.com%2Fserver&openid.response_nonce=2008-07-29T14%3A48%3A27Zo43JKa&openid.return_to=http%3A%2F%2Flocalhost%3A8081%2F&openid.sig=qoXc7LS6g8VZPGLNXOnfHwmvPII%3D&openid.signed=assoc_handle%2Cclaimed_id%2Cidentity%2Cmode%2Cns%2Cop_endpoint%2Cresponse_nonce%2Creturn_to%2Csigned

3) I then want to send a check authenticate request using the information 
contained in the authentication response (openid.mode=id_res). The content 
of that request message looks like this with the mode changed to 
"check_authentication".

URL: http://www.myopenid.com/server 

POST BODY
openid.return_to=http%3A%2F%2Flocalhost%3A8081%2F&openid.signed=assoc_handle%2Cclaimed_id%2Cidentity%2Cmode%2Cns%2Cop_endpoint%2Cresponse_nonce%2Creturn_to%2Csigned&openid.ns.pape=&openid.pape.auth_age=&openid.identity=http%3A%2F%2Ftodkap.myopenid.com&openid.claimed_id=http%3A%2F%2Ftodkap.myopenid.com&openid.sig=qoXc7LS6g8VZPGLNXOnfHwmvPII%3D&openid.pape.auth_policies=&openid.op_endpoint=http%3A%2F%2Fwww.myopenid.com%2Fserver&openid.mode=check_authentication&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.pape.nist_auth_level=&openid.response_nonce=2008-07-29T14%3A48%3A27Zo43JKa&openid.assoc_handle=%7BHMAC-SHA1%7D%7B488f2dba%7D%7BASdALw%3D%3D%7D

4) The response I receive is this pair of name/values.
{ns=http://specs.openid.net/auth/2.0, is_valid=false}


Things that I can see that could possibly be an issue are the reuse of 
the nonce from the authentication response and the fact that openid.signed 
contains the signed value of mode (maps to openid.mode), which is 
different of course since it is no longer id_res and is now 
check_authentication. 

Has anyone else out there tried this sort of thing, or is the only avenue 
an encrypted token, which I have been hesitant to leverage since this is 
not an application specific implementation I am writing?

Thank you
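The id_res to check_authentication round trip described in the post above, as an added example (not code from the post, from the spec, or from myopenid.com). It signs a constructed assertion shaped like the one in the post over the openid.signed list in key-value form (OpenID 2.0 section 6), lets the RP verify it locally with its association MAC key (section 11.4.2.1), and shows why a verifier that recomputes over the request as received, with mode=check_authentication, gets is_valid=false even though nothing was tampered with: "mode" is in the signed list, so the OP has to put it back to id_res first. The MAC key, the sample field values and the function names are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed 20-byte association MAC key, standing in for the key the RP
# and OP agreed on in the associate exchange (not a real key from the thread).
MAC_KEY = b"\x01" * 20
ASSOC_TYPE = "HMAC-SHA1"  # the assoc_handle in the thread names this type

def kv_form(fields, signed):
    """OpenID 2.0 section 6: the bytes to sign are "name:value\\n" for each
    name in openid.signed, in that order, with the 'openid.' prefix dropped
    and the raw (not URL-encoded) values."""
    return "".join(f"{name}:{fields['openid.' + name]}\n" for name in signed.split(","))

def sign(fields, mac_key, assoc_type=ASSOC_TYPE):
    digestmod = hashlib.sha1 if assoc_type == "HMAC-SHA1" else hashlib.sha256
    mac = hmac.new(mac_key, kv_form(fields, fields["openid.signed"]).encode(), digestmod)
    return base64.b64encode(mac.digest()).decode()

def verify_locally(fields, mac_key, assoc_type=ASSOC_TYPE):
    """Section 11.4.2.1 route: the RP recomputes openid.sig with its own MAC key."""
    return hmac.compare_digest(sign(fields, mac_key, assoc_type), fields["openid.sig"])

def check_authentication_request(assertion):
    """Section 11.4.2: an exact copy of the assertion; only openid.mode changes."""
    req = dict(assertion)
    req["openid.mode"] = "check_authentication"
    return req

def op_is_valid(request, mac_key, assoc_type=ASSOC_TYPE):
    """OP side of check_authentication: 'mode' is in openid.signed, so it is put
    back to id_res before recomputing. Fields not in openid.signed (for example
    empty openid.pape.* parameters) never enter the signature."""
    fields = dict(request)
    fields["openid.mode"] = "id_res"
    return verify_locally(fields, mac_key, assoc_type)

def sample_assertion():
    """Constructed positive assertion with the field shape seen in the thread."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "http://www.myopenid.com/server",
        "openid.claimed_id": "http://todkap.myopenid.com",
        "openid.identity": "http://todkap.myopenid.com",
        "openid.return_to": "http://localhost:8081/",
        "openid.response_nonce": "2008-07-29T14:48:27Zo43JKa",
        "openid.assoc_handle": "{HMAC-SHA1}{488f2dba}{ASdALw==}",
        "openid.signed": "assoc_handle,claimed_id,identity,mode,ns,op_endpoint,response_nonce,return_to,signed",
    }
    fields["openid.sig"] = sign(fields, MAC_KEY)
    return fields
```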