LiveJournal consumer seems to fail with encoded urls
Adam Langley
alangley at gmail.com
Thu Jul 7 15:21:48 PDT 2005
On 7/7/05, Brad Fitzpatrick <brad at danga.com> wrote:
> Ick --- be sure you sign more than just issued! You'll want to sign
> "return_to" and other things. See what Net::OpenID::Server does.
>
> I was able to login to my local LJ install by slightly altering that URL,
> since the signature still matched (with your ruby server's
> check_authentication)
Ah, thank you. That's a very good point. Looking at the spec the
suggested list is:
"mode,issued,valid_to,identity,return_to"
But can a stateless server sign 'mode'? Since a signature from both
checkid_immediate and checkid_setup can be passed to
check_authentication, yet the openid.mode for check_authentication
isn't preserved.
Cheers
AGL
--
Adam Langley agl at imperialviolet.org
http://www.imperialviolet.org (+44) (0)7906 332512
PGP: 9113 256A CC0F 71A6 4C84 5087 CDA5 52DF 2CB6 3D60
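
The point raised in the quoted reply, as an added example (not code from this thread or from either server): a MAC covers only the fields fed into it, so with only `issued` signed a changed `return_to` still verifies, while signing the spec's suggested list rejects it. The secret, the field values, HMAC-SHA256 and the `key:value` line encoding are assumptions of this example.

```ruby
require 'openssl'

# Constructed server secret and response fields (not from the original thread).
SECRET = 'constructed-demo-secret'
RESPONSE = {
  'mode'      => 'id_res',
  'issued'    => '2005-07-07T22:00:00Z',
  'valid_to'  => '2005-07-07T23:00:00Z',
  'identity'  => 'http://user.example/',
  'return_to' => 'http://consumer.example/finish'
}.freeze

# The list quoted from the spec in the message above.
SPEC_FIELDS = %w[mode issued valid_to identity return_to].freeze

# Build the string that is MACed: one "key:value\n" line per signed field.
# fetch raises KeyError if a listed field is missing, so absence cannot go unsigned.
def token(fields, signed)
  signed.map { |k| "#{k}:#{fields.fetch(k)}\n" }.join
end

def sign(fields, signed)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), SECRET, token(fields, signed))
end

# Constant-time comparison of two hex strings.
def same?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server-side check: recompute the MAC over the listed fields as received.
def verify(fields, signed, sig)
  same?(sign(fields, signed), sig)
rescue KeyError
  false
end

# Does a response with one field changed after signing still verify?
def altered_verifies?(signed, field, new_value)
  sig = sign(RESPONSE, signed)
  verify(RESPONSE.merge(field => new_value), signed, sig)
end

if __FILE__ == $PROGRAM_NAME
  puts "issued only: #{altered_verifies?(%w[issued], 'return_to', 'http://other.example/')}"
  puts "spec list:   #{altered_verifies?(SPEC_FIELDS, 'return_to', 'http://other.example/')}"
end
```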