[OpenID] Question regarding the OpenID Information Cards 1.0

Johnny Bufu johnny at sxip.com
Tue Sep 4 01:05:03 PDT 2007


On 3-Sep-07, at 7:45 AM, Pedro Felix wrote:
> 1) The User accesses an RP page requiring authentication and containing an
> infocard OBJECT or XHTML element. This element requires a token with OpenID
> specific type and inner claims
>
> 2) The User-agent delegates this request to the User's Identity Selector
> (IS). The IS shows to the User the list of cards compatible with the
> requesting element. Then it uses the metadata contained in the selected card
> to perform a WS-Trust request: sends an RST message and receives an RSTR
> response containing an OpenIDToken. This token contains a set of name value
> pairs, corresponding to the content of the id_res response message.
>
> 3) The User-agent sends this token to the RP
>
> 4) The RP uses the content of the token as an id_res response and executes
> the remainder of the OpenID 2.0 protocol, namely by sending a
> check_authentication directly to the OP

Yes, the above is a very accurate description.

> My question is: how does the RP know that the OP has "authentication
> authority" over the asserted User URL? In the original protocol, the OP was
> pointed by an element contained in the HTML document referenced by the
> identity URL, that is, the owner of the URL delegated the authentication to
> the OP by defining the address of the OP. However, in the "OpenID
> Information Cards" this protocol step is absent.

It's not absent - it's part of the verification process that the RP
must perform on the OpenID token, as described in 11. Verifying
Assertions:

11.1.  Verifying the Return URL
11.2.  Verifying Discovered Information
11.3.  Checking the Nonce
11.4.  Verifying Signatures

> What forbids me from creating an OP that asserts any identity URL that I
> want?

11.2. Verifying Discovered Information requires that:

"[...] the Relying Party MUST perform discovery on the Claimed
Identifier in the response to make sure that the OP is authorized to
make assertions about the Claimed Identifier."


However, I agree the reason given in the first part of the phrase can
be a bit misleading: besides the case of a request with
identifier_select, discovery also has to be performed for unsolicited
responses -- I'll clarify that.


Thanks,
Johnny
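
The 11.2 check discussed in this message, sketched as an added example that is not part of the original post or of any OpenID library. It assumes HTML-based discovery only (no XRDS/Yadis); `fetch` is a hypothetical callable returning the document at a URL, and all URLs and pages are constructed.

```python
from html.parser import HTMLParser

class _OpenIDLinks(HTMLParser):
    """Collect the first openid2.provider / openid2.local_id <link> hrefs."""
    def __init__(self):
        super().__init__()
        self.found = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        for rel in (a.get("rel") or "").lower().split():
            if rel in ("openid2.provider", "openid2.local_id") and a.get("href"):
                self.found.setdefault(rel, a["href"])

def discover(html):
    parser = _OpenIDLinks()
    parser.feed(html)
    return parser.found

def verify_discovered(assertion, fetch):
    """True only if the OP named in the assertion is the one the Claimed
    Identifier's own document points to (fetch is a hypothetical callable)."""
    # The fragment is not used when verifying discovered information.
    claimed = assertion["openid.claimed_id"].split("#", 1)[0]
    info = discover(fetch(claimed))
    endpoint = info.get("openid2.provider")
    if endpoint is None or endpoint != assertion.get("openid.op_endpoint"):
        return False
    # Without a local_id link, the OP-Local Identifier is the Claimed Identifier.
    return info.get("openid2.local_id", claimed) == assertion.get("openid.identity")

# Constructed sample data: one identity page and two id_res assertions.
PAGES = {
    "https://alice.example/": (
        '<html><head>'
        '<link rel="openid2.provider" href="https://op.example/server">'
        '<link rel="openid2.local_id" href="https://op.example/user/alice">'
        '</head></html>'),
}
def fetch_constructed(url):
    return PAGES.get(url, "")

GENUINE = {"openid.claimed_id": "https://alice.example/",
           "openid.identity": "https://op.example/user/alice",
           "openid.op_endpoint": "https://op.example/server"}
# Same Claimed Identifier, but asserted by an OP the page does not name.
UNAUTHORIZED = {**GENUINE, "openid.op_endpoint": "https://other-op.example/server"}
```

This covers only 11.2; the return URL, nonce and signature checks from 11.1, 11.3 and 11.4 still have to pass before the assertion is accepted.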


