[OpenID] Question regarding the OpenID Information Cards 1.0
Johnny Bufu
johnny at sxip.com
Tue Sep 4 01:05:03 PDT 2007
On 3-Sep-07, at 7:45 AM, Pedro Felix wrote:
> 1) The User accesses an RP page requiring authentication and containing an
> infocard OBJECT or XHTML element. This element requires a token with an
> OpenID-specific type and inner claims.
>
> 2) The User-agent delegates this request to the User's Identity Selector
> (IS). The IS shows the User the list of cards compatible with the
> requesting element. Then it uses the metadata contained in the selected
> card to perform a WS-Trust request: it sends an RST message and receives
> an RSTR response containing an OpenIDToken. This token contains a set of
> name/value pairs, corresponding to the content of the id_res response
> message.
>
> 3) The User-agent sends this token to the RP.
>
> 4) The RP uses the content of the token as an id_res response and
> executes the remainder of the OpenID 2.0 protocol, namely by sending a
> check_authentication directly to the OP.
Yes, the above is a very accurate description.
> My question is: how does the RP know that the OP has "authentication
> authority" over the asserted User URL? In the original protocol, the OP
> was pointed to by an element contained in the HTML document referenced
> by the identity URL; that is, the owner of the URL delegated the
> authentication to the OP by defining the address of the OP. However, in
> the "OpenID Information Cards" this protocol step is absent.
It's not absent - it's part of the verification process that the RP
must perform on the OpenID token, as described in 11. Verifying
Assertions:
11.1. Verifying the Return URL
11.2. Verifying Discovered Information
11.3. Checking the Nonce
11.4. Verifying Signatures
> What forbids me from creating an OP that asserts any identity URL that
> I want?
11.2. Verifying Discovered Information requires that:
"[...] the Relying Party MUST perform discovery on the Claimed
Identifier in the response to make sure that the OP is authorized to
make assertions about the Claimed Identifier."
However, I agree the reason given in the first part of the phrase can
be a bit misleading: besides the case of a request with
identifier_select, discovery also has to be performed for unsolicited
responses -- I'll clarify that.
Thanks,
Johnny
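The verification steps Johnny points to (section 11 of OpenID Authentication 2.0) are what stop a rogue OP from asserting an identifier it was never delegated. The following is an added example, not code from this thread or from any OpenID implementation, of an RP applying those four checks to the name/value pairs it would lift out of the OpenIDToken. Discovery results, the association secret and the assertion are all constructed inline so it runs offline; the signature check uses an HMAC-SHA256 association for self-containment, whereas the Information Card flow described above would instead send check_authentication to the OP (the other three checks are the same either way).

```python
"""Added example: RP-side checks modelled on OpenID 2.0 section 11.
All data here is constructed; nothing is from the mailing-list thread."""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlsplit

OPENID2_NS = "http://specs.openid.net/auth/2.0"

# Constructed discovery results: what the RP learned by re-fetching each
# Claimed Identifier (openid2.provider / openid2.local_id or XRDS).
DISCOVERY = {
    "https://alice.example.net/": {"op_endpoint": "https://op.example.org/server",
                                   "local_id": "https://op.example.org/id/alice"},
    "https://bob.example.net/": {"op_endpoint": "https://other-op.example.net/server",
                                 "local_id": "https://bob.example.net/"},
}
# Constructed association with op.example.org (hypothetical handle and key).
ASSOC = {"handle": "assoc-1", "mac_key": b"constructed-mac-key-not-real"}
DEMO_NOW = datetime(2007, 9, 4, 8, 5, 3, tzinfo=timezone.utc)
DEMO_REQUEST_URL = "https://rp.example.com/openid/return?sid=abc"


def kv_form(fields, signed):
    """Key-Value Form encoding of the signed fields ("key:value\\n" per field)."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()


def sign(fields, assoc):
    """Constructed helper playing the OP: adds openid.sig over openid.signed."""
    mac = hmac.new(assoc["mac_key"], kv_form(fields, fields["openid.signed"].split(",")),
                   hashlib.sha256).digest()
    return dict(fields, **{"openid.sig": base64.b64encode(mac).decode()})


def verify_assertion(fields, request_url, discovery, assoc, now, seen_nonces):
    """Return (ok, reason) for an id_res style assertion received by the RP."""
    if fields.get("openid.ns") != OPENID2_NS or fields.get("openid.mode") != "id_res":
        return False, "not an OpenID 2.0 positive assertion"
    # 11.1 Verifying the Return URL: scheme/host/path must match the URL this
    # response arrived at, and every query pair in return_to must be present.
    rt, req = urlsplit(fields.get("openid.return_to", "")), urlsplit(request_url)
    if (rt.scheme, rt.netloc, rt.path) != (req.scheme, req.netloc, req.path):
        return False, "return_to does not match request URL"
    if not set(parse_qsl(rt.query)) <= set(parse_qsl(req.query)):
        return False, "return_to query parameters missing from request"
    # 11.2 Verifying Discovered Information: the RP re-runs discovery on the
    # Claimed Identifier and only accepts the OP that discovery names.
    disc = discovery.get(fields.get("openid.claimed_id"))
    if disc is None:
        return False, "discovery on claimed identifier failed"
    if fields.get("openid.op_endpoint") != disc["op_endpoint"]:
        return False, "OP is not authorized for this claimed identifier"
    if fields.get("openid.identity") != disc["local_id"]:
        return False, "OP-local identifier does not match discovery"
    # 11.3 Checking the Nonce: leading UTC timestamp must be recent, value unused.
    nonce = fields.get("openid.response_nonce", "")
    try:
        ts = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "malformed response_nonce"
    if abs(now - ts) > timedelta(minutes=5):
        return False, "response_nonce timestamp outside allowed window"
    if (fields["openid.op_endpoint"], nonce) in seen_nonces:
        return False, "response_nonce already used (replay)"
    # 11.4 Verifying Signatures: the fields the checks above relied on must be
    # covered by the signature, and the MAC must verify under the association.
    signed = fields.get("openid.signed", "").split(",")
    required = ["op_endpoint", "return_to", "response_nonce", "assoc_handle",
                "claimed_id", "identity"]
    if any(k not in signed for k in required) or any("openid." + k not in fields for k in signed):
        return False, "required field not signed"
    if fields.get("openid.assoc_handle") != assoc["handle"]:
        return False, "unknown association handle"
    try:
        given = base64.b64decode(fields.get("openid.sig", ""), validate=True)
    except ValueError:
        return False, "malformed signature"
    expected = hmac.new(assoc["mac_key"], kv_form(fields, signed), hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):
        return False, "signature mismatch"
    seen_nonces.add((fields["openid.op_endpoint"], nonce))
    return True, "ok"


def constructed_assertion(now, claimed="https://alice.example.net/",
                          identity="https://op.example.org/id/alice"):
    """Constructed id_res fields as op.example.org would sign them."""
    return sign({
        "openid.ns": OPENID2_NS, "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example.org/server",
        "openid.claimed_id": claimed, "openid.identity": identity,
        "openid.return_to": DEMO_REQUEST_URL,
        "openid.response_nonce": now.strftime("%Y-%m-%dT%H:%M:%SZ") + "r3nd0m",
        "openid.assoc_handle": ASSOC["handle"],
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }, ASSOC)


def demo():
    """Run the checks over a good assertion, a replay, a rogue OP and a bad MAC."""
    seen, args = set(), (DEMO_REQUEST_URL, DISCOVERY, ASSOC, DEMO_NOW)
    out = {"valid": verify_assertion(constructed_assertion(DEMO_NOW), *args, seen),
           "replay": verify_assertion(constructed_assertion(DEMO_NOW), *args, seen)}
    # op.example.org asserting bob's identifier, which discovery delegates elsewhere
    out["rogue_op"] = verify_assertion(constructed_assertion(DEMO_NOW, "https://bob.example.net/",
                                                             "https://bob.example.net/"), *args, set())
    bad = dict(constructed_assertion(DEMO_NOW), **{"openid.sig": base64.b64encode(b"\0" * 32).decode()})
    out["bad_sig"] = verify_assertion(bad, *args, set())
    out["stale"] = verify_assertion(constructed_assertion(DEMO_NOW - timedelta(hours=1)), *args, set())
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The rogue_op case is the answer to the question in the thread: the assertion is well formed and correctly signed by op.example.org, but discovery on the Claimed Identifier names a different OP, so 11.2 rejects it before the signature is even examined.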