Review of Proposed Implementer’s Draft of OpenID 2.0 to OpenID Connect Migration Specification
Torsten Lodderstedt
torsten at lodderstedt.net
Sat Oct 4 15:11:32 UTC 2014
Hi Nat,
On 24.09.2014 15:49, Nat Sakimura wrote:
> ...
>
>
> "There could be an attack by a malicious RP to obtain the user’s
> PPID for another RP to perform identity correlation. To mitigate
> the risk, the OP MUST verify that the realm and RP’s Redirect URI
> matches as per Section 9.2 of OpenID 2.0 [OpenID.2.0]."
>
> I'm not sure what this means. Does it mean the RP's XRDS document
> must contain the RP’s Redirect URI (an OAuth/OIDC redirect_uri)? If
> so, is the RP supposed to use a certain service Type or
> "http://specs.openid.net/auth/2.0/return_to"?
>
> Example:
> <Service xmlns="xri://$xrd*($v*2.0)">
> <Type>http://specs.openid.net/auth/2.0/return_to</Type>
> <URI>http://consumer.example.com/return</URI>
> </Service>
>
>
> It just means that openid2_realm MUST be (roughly) a substring of
> OpenID Connect/OAuth's Redirect URI. No XRDS is involved. Exact rule
> of the matching is given in Section 9.2 of OpenID 2.0.
It's probably nitpicking, but the OIDC redirect_uri must be matched
using the rules given in Section 9.2 of OpenID 2.0 instead of the OpenID
2.0 return_to URI, correct?
best regards,
Torsten.
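The check Nat describes above (openid2_realm matched against the OIDC redirect_uri with the realm rules of OpenID 2.0 Section 9.2, no XRDS involved) as a worked example. This is added code for illustration, not code from this thread, from the migration draft, or from any OP implementation. It assumes the parameter name openid2_realm as used in Nat's reply, treats a bare domain as matching its own "*." wildcard realm, and replaces the "overly general realm" sanity check with a simplified rule that only refuses single-label wildcard hosts such as "*.com". The sample client registration and URLs are constructed.

```python
# Added example (not from the thread or the migration draft): an OP-side
# check that an OpenID Connect redirect_uri matches the openid2_realm the RP
# asks for, using the realm matching rules of OpenID 2.0 section 9.2.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _parse(url):
    """Return (scheme, host, port, path) for an http(s) URL, or None if unusable.

    Fragments are rejected: OpenID 2.0 forbids them in realms and OAuth 2.0
    forbids them in redirect URIs.
    """
    if "#" in url:
        return None
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port or DEFAULT_PORTS[scheme]
    except ValueError:  # non-numeric or out-of-range port
        return None
    return scheme, parts.hostname, port, parts.path or "/"


def parse_realm(realm):
    """Parse an openid2_realm into (scheme, host, port, path, wildcard), or None.

    A wildcard is only allowed as a leading "*." label. Wildcard realms whose
    remaining host is a single label ("*.com") are refused as too general;
    this is a simplified stand-in (assumption) for the sanity check an OP
    would apply.
    """
    p = _parse(realm)
    if p is None:
        return None
    scheme, host, port, path = p
    wildcard = host.startswith("*.")
    if wildcard:
        host = host[2:]
    if "*" in host or not host:
        return None
    if wildcard and "." not in host:
        return None
    return scheme, host, port, path, wildcard


def redirect_uri_matches_realm(realm, redirect_uri):
    """True if redirect_uri matches realm per OpenID 2.0 section 9.2:
    same scheme and port, same host (or a host under it for a "*." realm),
    and a path equal to or below the realm's path."""
    r = parse_realm(realm)
    u = _parse(redirect_uri)
    if r is None or u is None:
        return False
    rscheme, rhost, rport, rpath, wildcard = r
    uscheme, uhost, uport, upath = u
    if "*" in uhost:
        return False  # a redirect_uri is a concrete URL, never a pattern
    if (uscheme, uport) != (rscheme, rport):
        return False
    if wildcard:
        # "*.example.com" covers example.com and hosts under it, but not
        # "rp.example.com.evil.net" or "evilexample.com"
        if uhost != rhost and not uhost.endswith("." + rhost):
            return False
    elif uhost != rhost:
        return False
    # realm path "/app" covers "/app" and "/app/..." but not "/application"
    return upath == rpath or upath.startswith(rpath.rstrip("/") + "/")


def check_migration_request(registered_redirect_uris, redirect_uri, openid2_realm):
    """OP-side gate before a PPID-derived migration claim is released.

    Returns None when the request is acceptable, otherwise the reason for
    refusal. The redirect_uri must be one registered for this client (the
    normal OAuth/OIDC check) and must match the realm the RP asks for, so a
    client cannot name another RP's realm to learn that RP's PPID.
    """
    if redirect_uri not in registered_redirect_uris:
        return "redirect_uri is not registered for this client"
    if not redirect_uri_matches_realm(openid2_realm, redirect_uri):
        return "openid2_realm does not match redirect_uri (OpenID 2.0 section 9.2)"
    return None


if __name__ == "__main__":
    # Constructed scenario: the same client first asks for its own realm,
    # then for another RP's realm in an attempt to obtain that RP's PPID.
    registered = {"https://rp.example.com/oidc/callback"}
    print(check_migration_request(registered, "https://rp.example.com/oidc/callback",
                                  "https://rp.example.com/"))
    print(check_migration_request(registered, "https://rp.example.com/oidc/callback",
                                  "https://victim.example.org/"))
```

The two checks are deliberately separate: registration of the redirect_uri is what OAuth/OIDC already requires, and the realm comparison is the extra step the draft adds. Only the path of the redirect_uri takes part in the sub-directory test, so a query string such as ?state=... on the redirect_uri does not affect the match.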