OpenID to LID Proxy
mart at degeneration.co.uk
Thu May 26 10:35:36 PDT 2005
I've created an OpenID to LID proxy which lets anyone with a LID server
running log into an OpenID site -- in theory, at least.
In order to use it, the user must list his OpenID identity server URL as:
...with a transformation of the LID URL concatenated on the end.
For example, the LID demo user would be:
or, for an SSL site:
The way I've been testing it is to put an HTML document at some dumb URL
referencing that URL and logging in as the demo user. The details are here:
Remember that since the demo user's details are well known, you're
essentially giving whatever URL you use to everyone.
Of course, you don't trust my proxy as it might lie about you or even
exploit LID's XSS holes to steal your current LID session. In practice
you would run it yourself on your own server:
AJAX logins don't work. I'm not sure what I'm doing wrong, so if someone
could let me know I'd appreciate it. I'm obviously not understanding the
mechanics of the AJAX logins.
However, the most important part of this message follows:
* WARNING! * WARNING! * WARNING! * WARNING! * WARNING! *
I think there's a glaring security hole in this thing right now, but I'm
having trouble getting my head around it to figure out if it's there or
not. I'd appreciate a second opinion.
If I control a LID server I can respond with any OpenID Identity I want.
If I return one that doesn't reference the OpenID proxy then key
verification will fail as you'd expect. However, if some other person
has an identity which references the same proxy with a *different* LID
URL then I can impersonate him because there is nothing specific to the
ID server URL in the signature, and the proxy always uses the same key.
Obviously the proxy should really be maintaining some kind of state
rather than just trusting what the LID server says, but maybe I'm
missing something which means that this isn't such a big deal after all?
I plan to shortly implement proper request tickets anyway, so this isn't
a major deal. However, if I'm right and this is a problem please don't
use this proxy on any URL you wouldn't want compromised!
More information about the yadis