[Tracker-discuss] [issue462] Logging in with OpenID delegate doesn't work
Martin v. Löwis
metatracker at psf.upfronthosting.co.za
Sat May 19 13:01:14 CEST 2012
Martin v. Löwis <martin at v.loewis.de> added the comment:
> But does this mean that other consumers are not so strict and allow cheating?
I'm not sure how serious this is, but the OpenID spec (http://openid.net/specs/openid-authentication-2_0.html) seems to say in section 11 that this MUST be verified by the relying party ("Discovered information matches the information in the assertion"). The table in 11.2 then says that the discovered "OP Endpoint URL" must match the openid.op_endpoint field - which in your case it didn't, meaning that a protocol-conforming relying party should reject the assertion.
_______________________________________________________
PSF Meta Tracker <metatracker at psf.upfronthosting.co.za>
<http://psf.upfronthosting.co.za/roundup/meta/issue462>
_______________________________________________________
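The check described in the comment above, as an added example (not part of the original message and not the tracker's own code). It also covers the other rows of the section 11.2 table besides "OP Endpoint URL". The function name, dictionary keys and example.* URLs are hypothetical, and values are compared as exact strings without URL normalization.

```python
# Section 11.2 of OpenID Authentication 2.0: each field in a positive
# assertion must match what the relying party discovered for the claimed
# identifier. Pairs are (assertion field, key in our discovery result).
CHECKS = (
    ("openid.ns", "protocol_version"),
    ("openid.claimed_id", "claimed_id"),
    ("openid.identity", "op_local_id"),
    ("openid.op_endpoint", "op_endpoint"),
)

def verify_discovered_info(assertion, discovered):
    """Return the assertion fields that fail the check; empty list = accept."""
    mismatches = []
    for field, key in CHECKS:
        asserted = assertion.get(field)
        if field == "openid.claimed_id" and asserted is not None:
            # A fragment on the claimed identifier is not used for this check.
            asserted = asserted.split("#", 1)[0]
        expected = discovered.get(key)
        if key == "op_local_id" and expected is None:
            # No delegate (local id) discovered: it is the claimed identifier.
            expected = discovered.get("claimed_id")
        if asserted is None or asserted != expected:
            mismatches.append(field)
    return mismatches

# Constructed sample: a user page delegating to an OP (hypothetical URLs).
DISCOVERED = {
    "protocol_version": "http://specs.openid.net/auth/2.0",
    "claimed_id": "https://user.example/",
    "op_local_id": "https://op.example/id/user",
    "op_endpoint": "https://op.example/openid/server",
}
GOOD = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.claimed_id": "https://user.example/#gen1",
    "openid.identity": "https://op.example/id/user",
    "openid.op_endpoint": "https://op.example/openid/server",
}
# Same assertion, but sent from an endpoint the user's page does not name.
BAD = dict(GOOD, **{"openid.op_endpoint": "https://op.example/openid/other"})

if __name__ == "__main__":
    print("good:", verify_discovered_info(GOOD, DISCOVERED))
    print("bad: ", verify_discovered_info(BAD, DISCOVERED))
```

A relying party rejects the assertion whenever the returned list is non-empty.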