OpenID Authentication 2.0 spec clarification - must OP support check_authentication direct verification?
Andrew Arnott
andrewarnott at gmail.com
Fri Aug 27 16:47:25 UTC 2010
Direct verification is useful for more than stateless mode. Sometimes the
OP's association list may get cleared, or the RP sends an almost expired
association handle to the OP and the OP needs to send a private association
handle back to the RP in order for the user's flow to go on uninterrupted.
These are legitimate cases that can only be handled smoothly if the OP
supports direct verification.
Another use of direct verification is if the RP is an OpenID 1.1 compliant
RP and doesn't have replay protection built in. In this case, for example,
DotNetOpenAuth OPs automatically force use of direct verification by using a
private association in order to provide replay protection.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre
On Fri, Aug 27, 2010 at 9:25 AM, Hans Granqvist <hans at granqvist.com> wrote:
> Since stateless mode authentication is weak, it seems incorrect to say a
> provider must or should implement it.
>
>
> On Fri, Aug 27, 2010 at 12:20 AM, Yitzchak Scott-Thoennes <
> sthoenna at gmail.com> wrote:
>
>> (David, sorry for sending this to you by accident instead of the list.)
>>
>> Should, not must?
>>
>> If must (and maybe even if should), then it seems it either should be
>> illegal to have mode as a signed attribute or check_authentication
>> should not be subject to signature checking (since the sender must
>> change the mode attribute and isn't able to recalculate the signature,
>> and in any case, the whole purpose is that the OP validate the
>> signature received by the Relying Party.)
>>
>> On Fri, Aug 27, 2010 at 12:10 AM, David Recordon <recordond at gmail.com>
>> wrote:
>> > ugh, yes every provider should support check_authentication.
>> >
>> > On Thu, Aug 26, 2010 at 10:11 PM, Yitzchak Scott-Thoennes
>> > <sthoenna at gmail.com> wrote:
>> >>
>> >> In the OpenID Authentication 2.0 spec, the Relying Party is obligated
>> >> to use direct verification to check the signature when it does not have
>> >> the association stored.
>> >>
>> >> But is an OP required to support check_authentication?
>> >>
>> >> There are certain providers that appear to not support it, always
>> >> returning a failure.
>> >>
>> >> There are other providers that include mode as a signed attribute,
>> >> and so reject the check_authentication as having an invalid signature
>> >> (since the mode has changed).
>> >>
>> >> Can someone familiar with this comment, please?
>> >> _______________________________________________
>> >> specs mailing list
>> >> specs at lists.openid.net
>> >> http://lists.openid.net/mailman/listinfo/openid-specs
>> >
>> >
>>
>
>
>
>
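The case Yitzchak describes (an OP that signs the mode field, which the RP must change to check_authentication) together with Andrew's point about private associations, as an added Python example that is not code from this thread or from any OpenID library: an OP-side check_authentication that restores openid.mode to id_res before recomputing the HMAC-SHA256 signature, accepts only its own private association handles, and invalidates each handle after one use so the check cannot be replayed. The endpoint URLs, handle name, nonce and MAC key are constructed for the example.

```python
import base64
import hashlib
import hmac

# Signed field list; "mode" is included deliberately to reproduce the thread's problem case.
SIGNED = ["op_endpoint", "return_to", "response_nonce", "assoc_handle", "mode"]
def kv_form(fields, signed):
    # Key-value form of the signed fields, in listed order (OpenID 2.0 section 6.1).
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed)
def sign(fields, signed, key):
    # HMAC-SHA256 over the key-value form, base64 encoded.
    mac = hmac.new(key, kv_form(fields, signed).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()
def make_id_res(key, handle):
    # Constructed positive assertion as the OP would send it to the RP.
    fields = {
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/openid",
        "openid.return_to": "https://rp.example/return",
        "openid.response_nonce": "2010-08-27T16:47:25Zconstructed",
        "openid.assoc_handle": handle,
        "openid.signed": ",".join(SIGNED),
    }
    fields["openid.sig"] = sign(fields, SIGNED, key)
    return fields
def rp_check_request(id_res):
    # The RP copies the assertion verbatim and changes only mode (section 11.4.2).
    req = dict(id_res)
    req["openid.mode"] = "check_authentication"
    return req
class OP:
    def __init__(self):
        self.private_assocs = {}  # handle -> MAC key; each handle is usable once
    def check_authentication(self, req, restore_mode=True):
        if req.get("openid.mode") != "check_authentication":
            return "is_valid:false\n"
        key = self.private_assocs.pop(req.get("openid.assoc_handle"), None)
        if key is None:  # unknown, shared, or already-used handle: never claim valid
            return "is_valid:false\n"
        fields = dict(req)
        if restore_mode:
            fields["openid.mode"] = "id_res"  # the value the OP originally signed
        sig = sign(fields, fields["openid.signed"].split(","), key)
        return "is_valid:%s\n" % str(hmac.compare_digest(sig, req["openid.sig"])).lower()
def demo(restore_mode=True):
    op = OP()
    key = hashlib.sha256(b"constructed private association secret").digest()
    op.private_assocs["priv-1"] = key
    req = rp_check_request(make_id_res(key, "priv-1"))
    return op.check_authentication(req, restore_mode), op.check_authentication(req, restore_mode)
```

With restore_mode=False the OP behaves like the providers in the question, rejecting every check_authentication as an invalid signature; the second call in demo() shows the replayed handle being refused.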