LiveJournal consumer seems to fail with encoded urls

Adam Langley alangley at gmail.com
Thu Jul 7 15:21:48 PDT 2005


On 7/7/05, Brad Fitzpatrick <brad at danga.com> wrote:
> Ick --- be sure you sign more than just issued!  You'll want to sign
> "return_to" and other things.  See what Net::OpenID::Server does.
> 
> I was able to login to my local LJ install by slightly altering that URL,
> since the signature still matched (with your ruby server's
> check_authentication)

Ah, thank you. That's a very good point. Looking at the spec the
suggested list is:
"mode,issued,valid_to,identity,return_to"

But can a stateless server sign 'mode'? Since a signature from both
checkid_immediate and checkid_setup can be passed to
check_authentication, yet the openid.mode for check_authentication
isn't preserved.

Cheers


AGL

-- 
Adam Langley                                      agl at imperialviolet.org
http://www.imperialviolet.org                       (+44) (0)7906 332512
PGP: 9113   256A   CC0F   71A6   4C84   5087   CDA5   52DF   2CB6   3D60
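As an added illustration of the point raised above (example code, not code from this thread, from LiveJournal, or from either server implementation): a Ruby sketch of OpenID 1.x-style HMAC signing with a 'signed' field list, showing that a response which signs only 'issued' still verifies after return_to is altered, while the spec's suggested list catches the change. It signs the response fields as issued (so 'mode' is the response's own 'id_res'); the secret, identity, return_to URLs and timestamps are constructed placeholders.

```ruby
require 'openssl'
require 'base64'

# Signed string: one "key:value\n" line per field, in the order of the signed list.
def signed_string(fields, signed_list)
  signed_list.map { |k| "#{k}:#{fields[k]}\n" }.join
end

# Server side: HMAC-SHA1 the chosen fields and attach 'signed' and 'sig'.
def sign_response(fields, signed_list, secret)
  mac = OpenSSL::HMAC.digest('sha1', secret, signed_string(fields, signed_list))
  fields.merge('signed' => signed_list.join(','), 'sig' => Base64.strict_encode64(mac))
end

# Constant-time comparison so the check does not leak the valid MAC byte by byte.
def secure_equal(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# check_authentication: recompute the MAC over the fields the response claims
# were signed. 'required' lists fields the verifier insists on being covered,
# so a response that signed only 'issued' is rejected outright.
def verify_response(resp, secret, required: [])
  signed_list = resp['signed'].to_s.split(',')
  return false unless (required - signed_list).empty?
  mac = OpenSSL::HMAC.digest('sha1', secret, signed_string(resp, signed_list))
  secure_equal(Base64.strict_encode64(mac), resp['sig'].to_s)
end

# Constructed id_res response and shared secret (placeholder values, not real).
def demo
  secret = 'example-shared-secret-not-real'
  resp = { 'mode' => 'id_res', 'issued' => '2005-07-07T22:21:48Z',
           'valid_to' => '2005-07-07T23:21:48Z',
           'identity' => 'http://example.com/alice',
           'return_to' => 'http://consumer.example/finish' }
  spec_list = %w[mode issued valid_to identity return_to]
  weak = sign_response(resp, ['issued'], secret)
  strong = sign_response(resp, spec_list, secret)
  altered = { 'return_to' => 'http://consumer.example/elsewhere' }
  { weak_ok: verify_response(weak, secret),
    weak_altered_ok: verify_response(weak.merge(altered), secret),     # true: the bug
    strong_ok: verify_response(strong, secret),
    strong_altered_ok: verify_response(strong.merge(altered), secret), # false
    weak_rejected: !verify_response(weak, secret, required: %w[return_to identity]) }
end
```

The last key shows the consumer-side fix: refuse any response whose 'signed' list does not cover return_to and identity, regardless of whether the MAC matches.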

