<br><tt><font size=2>> Re: section 11. Verifying Assertions</font></tt>
<br><tt><font size=2>> <br>
> See section 11.4.2. Verifying Directly with the OpenID Provider.<br>
> <br>
> or encode your state in a signed cookie or the return_to URL or somesuch.<br>
</font></tt>
<br>
<br><tt><font size=2>Maybe I can explain what I am doing in more detail
with actual snippets of output to see if this makes sense.</font></tt>
<br>
<br><tt><font size=2>1) The user is authenticated with the OpenID Provider
(in this case it is myopenid.com)</font></tt>
<br>
<br><tt><font size=2>2) The user is then redirected back to the Relying
Party (my application code)</font></tt>
<br>
<br><a href="http://localhost:8081/?openid.assoc_handle=%7BHMAC-SHA1%7D%7B488f2dba%7D%7BASdALw%3D%3D%7D&openid.claimed_id=http%3A%2F%2Ftodkap.myopenid.com&openid.identity=http%3A%2F%2Ftodkap.myopenid.com&openid.mode=id_res&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.op_endpoint=http%3A%2F%2Fwww.myopenid.com%2Fserver&openid.response_nonce=2008-07-29T14%3A48%3A27Zo43JKa&openid.return_to=http%3A%2F%2Flocalhost%3A8081%2F&openid.sig=qoXc7LS6g8VZPGLNXOnfHwmvPII%3D&openid.signed=assoc_handle%2Cclaimed_id%2Cidentity%2Cmode%2Cns%2Cop_endpoint%2Cresponse_nonce%2Creturn_to%2Csigned"><tt><font size=2>http://localhost:8081/?openid.assoc_handle=%7BHMAC-SHA1%7D%7B488f2dba%7D%7BASdALw%3D%3D%7D&amp;openid.claimed_id=http%3A%2F%2Ftodkap.myopenid.com&amp;openid.identity=http%3A%2F%2Ftodkap.myopenid.com&amp;openid.mode=id_res&amp;openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&amp;openid.op_endpoint=http%3A%2F%2Fwww.myopenid.com%2Fserver&amp;openid.response_nonce=2008-07-29T14%3A48%3A27Zo43JKa&amp;openid.return_to=http%3A%2F%2Flocalhost%3A8081%2F&amp;openid.sig=qoXc7LS6g8VZPGLNXOnfHwmvPII%3D&amp;openid.signed=assoc_handle%2Cclaimed_id%2Cidentity%2Cmode%2Cns%2Cop_endpoint%2Cresponse_nonce%2Creturn_to%2Csigned</font></tt></a>
<br>
<br><tt><font size=2>3) I then want to send a check authenticate request
using the information contained in the authentication response (openid.mode=id_res).
The content of that request message looks like this with the mode changed
to "check_authentication".</font></tt>
<br>
<br><font size=2 face="Courier New">URL: </font><a href=http://www.myopenid.com/server><font size=2 face="Courier New">http://www.myopenid.com/server</font></a><font size=2 face="Courier New">
</font>
<br>
<br><font size=2 face="Courier New">POST BODY</font>
<br><font size=2 face="Courier New">openid.return_to=http%3A%2F%2Flocalhost%3A8081%2F&openid.signed=assoc_handle%2Cclaimed_id%2Cidentity%2Cmode%2Cns%2Cop_endpoint%2Cresponse_nonce%2Creturn_to%2Csigned&openid.ns.pape=&openid.pape.auth_age=&openid.identity=http%3A%2F%2Ftodkap.myopenid.com&openid.claimed_id=http%3A%2F%2Ftodkap.myopenid.com&openid.sig=qoXc7LS6g8VZPGLNXOnfHwmvPII%3D&openid.pape.auth_policies=&openid.op_endpoint=http%3A%2F%2Fwww.myopenid.com%2Fserver&openid.mode=check_authentication&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.pape.nist_auth_level=&openid.response_nonce=2008-07-29T14%3A48%3A27Zo43JKa&openid.assoc_handle=%7BHMAC-SHA1%7D%7B488f2dba%7D%7BASdALw%3D%3D%7D</font>
<br>
<br><tt><font size=2>4) The response I receive is this pair of name/values.</font></tt>
<br><font size=2 face="Courier New">{ns=http://specs.openid.net/auth/2.0,
is_valid=false}</font>
<br>
<br>
<br><tt><font size=2>Things that I can see that could possibly be an issue
are the reuse of the nonce from the authentication response and the fact
that openid.signed contains the signed value of mode (which maps to openid.mode),
which is different of course since it is no longer id_res and is now check_authentication.
</font></tt>
<br>
<br><tt><font size=2>Has anyone else out there tried this sort of thing,
or is the only avenue an encrypted token, which I have been hesitant to
leverage since this is not an application-specific implementation I am
writing?</font></tt>
<br>
<br><tt><font size=2>Thank you</font></tt>
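<br><tt><font size=2>As an added example (not the poster's code and not from any OpenID library), here is how a relying party builds the check_authentication request that section 11.4.2 describes, as an exact copy of the id_res fields with only openid.mode changed, and how it parses the OP's Key-Value Form reply. The id_res URL is the one from step 2 above; the reply bodies used for checking are constructed.</font></tt>

```python
# Added example (not the poster's code): build the direct-verification request
# of OpenID 2.0 section 11.4.2 and parse the OP's Key-Value Form reply.
from urllib.parse import parse_qsl, urlencode, urlsplit

OPENID_NS = "http://specs.openid.net/auth/2.0"

# The id_res URL from the post above, copied verbatim (wrapped for readability).
SAMPLE_ID_RES_URL = (
    "http://localhost:8081/?openid.assoc_handle=%7BHMAC-SHA1%7D%7B488f2dba%7D%7BASdALw%3D%3D%7D"
    "&openid.claimed_id=http%3A%2F%2Ftodkap.myopenid.com"
    "&openid.identity=http%3A%2F%2Ftodkap.myopenid.com&openid.mode=id_res"
    "&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
    "&openid.op_endpoint=http%3A%2F%2Fwww.myopenid.com%2Fserver"
    "&openid.response_nonce=2008-07-29T14%3A48%3A27Zo43JKa"
    "&openid.return_to=http%3A%2F%2Flocalhost%3A8081%2F"
    "&openid.sig=qoXc7LS6g8VZPGLNXOnfHwmvPII%3D"
    "&openid.signed=assoc_handle%2Cclaimed_id%2Cidentity%2Cmode%2Cns%2Cop_endpoint%2Cresponse_nonce%2Creturn_to%2Csigned"
)

def build_check_authentication(received_url):
    """Return (op_endpoint, post_body). The spec requires exact copies of every
    field from the positive assertion with only openid.mode changed; adding or
    dropping fields alters the message the OP re-verifies against its signature."""
    query = dict(parse_qsl(urlsplit(received_url).query, keep_blank_values=True))
    if query.get("openid.ns") != OPENID_NS or query.get("openid.mode") != "id_res":
        raise ValueError("not an OpenID 2.0 positive assertion")
    # Every field named in openid.signed must actually be present in the response.
    missing = [f for f in query["openid.signed"].split(",") if "openid." + f not in query]
    if missing:
        raise ValueError("signed fields missing from response: %s" % missing)
    fields = {k: v for k, v in query.items() if k.startswith("openid.")}
    fields["openid.mode"] = "check_authentication"
    return fields["openid.op_endpoint"], urlencode(fields)

def parse_key_value_form(body):
    """Parse a direct response: one 'key:value' per newline-terminated line."""
    result = {}
    for line in filter(None, body.split("\n")):
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line in direct response: %r" % line)
        result[key] = value
    return result

def assertion_is_valid(direct_response_body):
    """True only when the OP answers with the 2.0 namespace and is_valid:true."""
    reply = parse_key_value_form(direct_response_body)
    return reply.get("ns") == OPENID_NS and reply.get("is_valid") == "true"
```

The OP's direct response on the wire is Key-Value Form text (one key:value per line), which is what parse_key_value_form expects, rather than the {ns=..., is_valid=...} map rendering shown in step 4.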