Ticket #9 (closed defect: fixed)

Opened 4 months ago

Last modified 3 months ago

Verifying the Return URL error

Reported by: avodonosov Owned by: mpasternacki
Priority: major Milestone: HTTP client portability
Component: code Version: 0.5 nonportable
Keywords: Cc:

Description

OpenID authentication 2.0, 11.1. "Verifying the Return URL".

RP must verify that URI of "openid.return_to" parameter in the assertion matches the URI of the current request.

But we verify this parameter against the "openid.return_to" passed to OP during authentication request.

Note. puri:uri= compares URI queries literally, but we must ensure that 'Any query parameters that are present in the "openid.return_to" URL MUST also be present with the same values in the URL of the HTTP request the RP received.' (because OP adds another parameters to the URI to form the assertion).

Change History

Changed 3 months ago by mpasternacki

  • status changed from new to closed
  • resolution set to fixed

Changed 3 months ago by avodonosov

  • status changed from closed to reopened
  • resolution fixed deleted

Fixed only partially: parameters are verified as required in the spec.

But wrong uri is used. Instead of comparing return-to in the message with the requested return-to, we must compare return-to in the message with the *uri of the current HTTP request*.

Implementation hint: I would prefer it as a parameter to handle-indirect-response.

Changed 3 months ago by mpasternacki

  • status changed from reopened to closed
  • resolution set to fixed

Actually fixed this time.

HANDLE-INDIRECT-RESPONSE accepts one more parameter, REQUEST-URI, which is used for return_to verification.

Note: See TracTickets for help on using tickets.