LiveJournal consumer seems to fail with encoded urls

Martin Atkins mart at
Thu Jul 7 15:59:14 PDT 2005

Brad Fitzpatrick wrote:
> Ick --- be sure you sign more than just issued!  You'll want to sign
> "return_to" and other things.  See what Net::OpenID::Server does.
> I was able to login to my local LJ install by slighly altering that URL,
> since the signature still matched (with your ruby server's
> check_authentication)

Two things:

* The spec should probably describe a few things which MUST be included.
* The consumer should then reject logins that don't feature them, under
the assumption that they come from a server which can be easily spoofed
as you described.

Relying on servers to do the right thing seems a little silly. We don't
need to require *that* many fields, but I think return_to should
definitely always be included. There are probably a couple others, too.

More information about the yadis mailing list