OpenID Authentication 2.0 spec clarification - must OP support check_authentication direct verification?

David Recordon recordond at gmail.com
Fri Aug 27 07:10:52 UTC 2010


Ugh, yes, every provider should support check_authentication.


On Thu, Aug 26, 2010 at 10:11 PM, Yitzchak Scott-Thoennes <sthoenna at gmail.com> wrote:

> In the OpenID Authentication 2.0 spec, the Relying Party is obligated
> to use direct verification to check the signature when it does not have
> the association stored.
>
> But is an OP required to support check_authentication?
>
> There are certain providers that appear to not support it, always
> returning a failure.
>
> There are other providers that include mode as a signed attribute,
> and so reject the check_authentication as having an invalid signature
> (since the mode has changed).
>
> Can someone familiar with this comment, please?
>
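
The failure described in the quoted question, where an OP lists `mode` in `openid.signed` and then rejects its own assertion during check_authentication, shown as an added example that is not part of this thread or any provider's code. It assumes HMAC-SHA256, a constructed secret and constructed field values, and omits nonce replay tracking; all function names are hypothetical.

```python
import base64, hashlib, hmac

SECRET = b"constructed-private-association-secret"  # constructed sample value
WITH_MODE = "mode,op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"
WITHOUT_MODE = WITH_MODE[len("mode,"):]

def kv_form(fields, signed):
    # Key-Value Form: one "key:value\n" line per signed field, no "openid." prefix
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()

def sign(fields, secret):
    # The MAC covers exactly the fields named in openid.signed, in that order
    signed = fields["openid.signed"].split(",")
    mac = hmac.new(secret, kv_form(fields, signed), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def make_assertion(signed_list):
    # Constructed positive assertion (id_res) as the OP would issue it
    a = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/endpoint",
        "openid.claimed_id": "https://user.example/",
        "openid.identity": "https://user.example/",
        "openid.return_to": "https://rp.example/return",
        "openid.response_nonce": "2010-08-27T07:10:52Zabc123",
        "openid.assoc_handle": "constructed-handle",
        "openid.signed": signed_list,
    }
    a["openid.sig"] = sign(a, SECRET)
    return a

def as_check_auth(assertion):
    # RP side: copy every field unchanged except openid.mode
    return {**assertion, "openid.mode": "check_authentication"}

def check_authentication(request, secret, restore_mode=True):
    """OP side: recompute the signature over the fields the RP sent back."""
    fields = dict(request)
    if fields.get("openid.mode") != "check_authentication":
        return False
    if restore_mode:
        # The assertion was signed with mode=id_res; verify against that value
        fields["openid.mode"] = "id_res"
    return hmac.compare_digest(sign(fields, secret), request["openid.sig"])

if __name__ == "__main__":
    req = as_check_auth(make_assertion(WITH_MODE))
    print("naive OP:", check_authentication(req, SECRET, restore_mode=False))
    print("mode restored:", check_authentication(req, SECRET))
```

With `restore_mode=False` the OP recomputes the MAC over `mode:check_authentication` and rejects a valid assertion, which matches the behaviour reported in the question.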