<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    Hi Nat,<br>
    <br>
    <div class="moz-cite-prefix">On 24.09.2014 15:49, Nat
      Sakimura wrote:<br>
      <br>
    </div>
    <blockquote
cite="mid:CABzCy2DejFaxAzD4eE6M6g1VNjNWGPNFVVDq3h3TXbmATS3VZA@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div class="gmail_extra">
          <div class="gmail_quote">
            <div> </div>
            ...
            <div> </div>
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div text="#000000" bgcolor="#FFFFFF"> <br>
                "There could be an attack by a malicious RP to obtain
                the user’s PPID for another RP to perform identity
                correlation. To mitigate the risk, the OP MUST verify
                that the realm and RP’s Redirect URI matches as per
                Section 9.2 of OpenID 2.0 [OpenID.2.0]."<br>
                <br>
                I'm not sure what this means. Does it mean the RP's XRDS
                document must contain the RP’s Redirect URI (an
                OAuth/OIDC redirect_uri)? If so, is the RP supposed to
                use a certain service Type or <a moz-do-not-send="true"
                  href="http://specs.openid.net/auth/2.0/return_to"
                  target="_blank">"http://specs.openid.net/auth/2.0/return_to"</a>?<br>
                <br>
                Example:<br>
                &lt;Service xmlns="xri://$xrd*($v*2.0)"&gt;<br>
                  &lt;Type&gt;<a moz-do-not-send="true"
                  href="http://specs.openid.net/auth/2.0/return_to"
                  target="_blank">http://specs.openid.net/auth/2.0/return_to</a>&lt;/Type&gt;<br>
                  &lt;URI&gt;<a moz-do-not-send="true"
                  href="http://consumer.example.com/return"
                  target="_blank">http://consumer.example.com/return</a>&lt;/URI&gt;<br>
                &lt;/Service&gt;<br>
              </div>
            </blockquote>
            <div><br>
            </div>
            <div>It just means that openid2_realm MUST be (roughly) a
              substring of OpenID Connect/OAuth's Redirect URI. No XRDS
              is involved. The exact rule of the matching is given in
              Section 9.2 of OpenID 2.0. <br>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    It's probably nitpicking, but the OIDC redirect_uri must be matched
    using the rules given in Section 9.2 of OpenID 2.0 instead of the
    OpenID 2.0 return_to URI, correct?<br>
    <br>
    best regards,<br>
    Torsten.<br>
    <br>
    <br>
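    For reference, the realm matching rules of Section 9.2 of OpenID 2.0 that
    the exchange above refers to, applied to an OIDC redirect_uri as the
    migration text requires of the OP. This is an added illustration, not
    code from this thread, from Nat or Torsten, or from any OpenID Foundation
    project. It assumes the three rules as stated in Section 9.2 (identical
    scheme and port, URL path equal to or a sub-directory of the realm path,
    identical host or a leading "*." wildcard), fills in default ports for
    http and https so that an omitted port compares equal to the explicit
    default, and reads the wildcard's "trailing part" on a label boundary;
    the function names and the hosts in the sample requests are
    hypothetical.<br>

```python
"""Realm matching per OpenID 2.0 Section 9.2, applied to an OIDC redirect_uri.
Added illustration for this thread; not code from either correspondent or
from any OpenID Foundation project."""
from urllib.parse import urlsplit

# Assumption: default ports, so "https://rp.example.com/" and
# "https://rp.example.com:443/" compare equal under rule 1.
_DEFAULT_PORTS = {"http": 80, "https": 443}
_INVALID_PORT = "invalid"


def _scheme_and_port(parts):
    """Return (scheme, port) with the scheme's default port filled in."""
    scheme = parts.scheme.lower()
    try:
        port = parts.port
    except ValueError:  # non-numeric port in the URL; can never match
        return scheme, _INVALID_PORT
    if port is None:
        port = _DEFAULT_PORTS.get(scheme)
    return scheme, port


def _path_is_subdir_of(url_path, realm_path):
    """True if url_path equals realm_path or lies in a sub-directory of it."""
    url_path = url_path or "/"
    realm_path = realm_path or "/"
    if url_path == realm_path:
        return True
    base = realm_path if realm_path.endswith("/") else realm_path + "/"
    return url_path.startswith(base)


def url_matches_realm(url, realm):
    """Apply the matching rules of OpenID 2.0 Section 9.2 to url against realm."""
    realm_parts = urlsplit(realm)
    url_parts = urlsplit(url)

    # Section 9.2: a realm MUST NOT contain a URI fragment.
    if realm_parts.fragment:
        return False

    # Rule 1: scheme and port identical.
    url_sp = _scheme_and_port(url_parts)
    realm_sp = _scheme_and_port(realm_parts)
    if _INVALID_PORT in (url_sp[1], realm_sp[1]) or url_sp != realm_sp:
        return False

    # Rule 2: URL path equal to or a sub-directory of the realm path.
    # The redirect_uri's query string plays no part in this comparison.
    if not _path_is_subdir_of(url_parts.path, realm_parts.path):
        return False

    # Rule 3: host identical, or the realm host starts with "*." and the
    # URL host ends with the part after the wildcard. Assumption: the match
    # is taken on a label boundary, so "evilexample.com" does not satisfy
    # "*.example.com".
    realm_host = (realm_parts.hostname or "").lower()
    url_host = (url_parts.hostname or "").lower()
    if realm_host.startswith("*."):
        base = realm_host[2:]
        return url_host == base or url_host.endswith("." + base)
    return url_host == realm_host


def op_should_accept(redirect_uri, openid2_realm):
    """The OP-side check the quoted text calls for: reject a request whose
    openid2_realm does not match its redirect_uri, so a malicious RP cannot
    name another RP's realm and collect that RP's PPIDs at its own callback."""
    return url_matches_realm(redirect_uri, openid2_realm)


if __name__ == "__main__":
    # Constructed sample requests with hypothetical hosts.
    cases = [
        ("https://rp.example.com/oidc/cb", "https://rp.example.com/"),
        ("https://login.rp.example.com/cb", "https://*.example.com/"),
        ("https://rp.example.com:8443/cb", "https://rp.example.com/"),
        ("https://attacker.example.org/cb", "https://rp.example.com/"),
    ]
    for redirect_uri, realm in cases:
        verdict = "accept" if op_should_accept(redirect_uri, realm) else "reject"
        print(redirect_uri, realm, verdict)
```

    The last sample request is the correlation attack described in the quoted
    draft text: a redirect_uri on one host presented together with another
    RP's realm. Under rule 3 the hosts differ, so the OP rejects it before any
    PPID is issued.<br>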
  </body>
</html>