
Opened 16 years ago

Closed 16 years ago

#9 closed defect (fixed)

Verifying the Return URL error

Reported by: avodonosov
Owned by: mpasternacki
Priority: major
Milestone: HTTP client portability
Component: code
Version: 0.5 nonportable
Keywords:
Cc:

Description

OpenID Authentication 2.0, section 11.1, "Verifying the Return URL".

The RP must verify that the URI in the "openid.return_to" parameter of the assertion matches the URI of the current request.

But we verify this parameter against the "openid.return_to" passed to OP during authentication request.

Note: puri:uri= compares URI queries literally, but we must ensure that 'Any query parameters that are present in the "openid.return_to" URL MUST also be present with the same values in the URL of the HTTP request the RP received.' (because the OP adds other parameters to the URI to form the assertion).

Change History (3)

comment:1 Changed 16 years ago by mpasternacki

Resolution: fixed
Status: new → closed

comment:2 Changed 16 years ago by avodonosov

Resolution: fixed
Status: closed → reopened

Fixed only partially: parameters are verified as required in the spec.

But the wrong URI is used. Instead of comparing the return-to in the message with the requested return-to, we must compare the return-to in the message with the *URI of the current HTTP request*.

Implementation hint: I would prefer it as a parameter to handle-indirect-response.

comment:3 Changed 16 years ago by mpasternacki

Resolution: fixed
Status: reopened → closed

Actually fixed this time.

HANDLE-INDIRECT-RESPONSE accepts one more parameter, REQUEST-URI, which is used for return_to verification.
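The check the ticket describes, written out as an added example (this is not cl-openid code; Python is used here as a language-neutral illustration of the spec rule, and `handle_indirect_response` / its `request_uri` parameter are hypothetical stand-ins for the HANDLE-INDIRECT-RESPONSE / REQUEST-URI of the fix). The sample URLs are constructed. It shows both points raised in the thread: the assertion's `openid.return_to` is compared with the URL the RP actually received, not with the `return_to` originally sent to the OP, and the query comparison is a per-parameter subset check rather than the literal string comparison that `puri:uri=` performs, so the extra `openid.*` fields the OP appends do not break it.

```python
from collections import Counter
from urllib.parse import parse_qsl, urlsplit


def _query_pairs(url):
    # Multiset of (name, value) pairs; keep_blank_values so "?x=" counts as a parameter.
    return Counter(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def verify_return_to(return_to, request_uri):
    """OpenID 2.0 section 11.1: the openid.return_to value carried in the
    assertion must match the URL of the HTTP request the RP received.
    Scheme, authority and path must be equal; every query parameter of
    return_to must be present in the request URL with the same value.
    The request URL may carry additional parameters (the openid.* fields
    the OP appended to form the indirect response)."""
    rt, rq = urlsplit(return_to), urlsplit(request_uri)
    if rt.scheme.lower() != rq.scheme.lower():
        return False
    if rt.netloc.lower() != rq.netloc.lower():
        return False
    if rt.path != rq.path:
        return False
    # Counter subtraction leaves only pairs of return_to that the request lacks
    # (or has with a different value); an empty result means the check passes.
    return not (_query_pairs(return_to) - _query_pairs(request_uri))


def handle_indirect_response(request_uri):
    """Hypothetical RP handler. It takes the URI of the current HTTP request
    (the role of REQUEST-URI in the ticket's fix), extracts the assertion's
    openid.return_to from that URI's query and verifies it against the URI
    itself, never against the return_to the RP originally requested."""
    params = dict(parse_qsl(urlsplit(request_uri).query, keep_blank_values=True))
    return_to = params.get("openid.return_to")
    if return_to is None:
        return False
    return verify_return_to(return_to, request_uri)


# Constructed sample data (hypothetical RP at rp.example).
REQUESTED_RETURN_TO = "https://rp.example/openid/return?session=abc"

# The OP's indirect response: the requested return_to plus the openid.* fields
# the OP appended, as received by the RP.
ASSERTION_REQUEST = (
    "https://rp.example/openid/return?session=abc"
    "&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
    "&openid.mode=id_res"
    "&openid.return_to=https%3A%2F%2Frp.example%2Fopenid%2Freturn%3Fsession%3Dabc"
)

# The same assertion delivered to a different path on the RP. Its
# openid.return_to still equals REQUESTED_RETURN_TO, so the original
# (pre-fix) comparison would have accepted it; comparing against the
# request URI rejects it.
MISDIRECTED_REQUEST = (
    "https://rp.example/other?session=abc"
    "&openid.mode=id_res"
    "&openid.return_to=https%3A%2F%2Frp.example%2Fopenid%2Freturn%3Fsession%3Dabc"
)


if __name__ == "__main__":
    print("valid assertion:", handle_indirect_response(ASSERTION_REQUEST))        # True
    print("misdirected assertion:", handle_indirect_response(MISDIRECTED_REQUEST))  # False
    # A literal comparison with the requested return_to would also fail on the
    # valid assertion, because the OP added parameters:
    print("literal query match:", urlsplit(ASSERTION_REQUEST).query ==
          urlsplit(REQUESTED_RETURN_TO).query)                                   # False
```

The scheme and host comparisons are case-insensitive, the path comparison is literal; default-port and path normalisation are deliberately not attempted here, since the spec text quoted in the ticket only calls for equality of scheme, authority and path.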
