LiveJournal consumer seems to fail with encoded urls
Martin Atkins
mart at degeneration.co.uk
Thu Jul 7 15:59:14 PDT 2005
Brad Fitzpatrick wrote:
>
> Ick --- be sure you sign more than just issued! You'll want to sign
> "return_to" and other things. See what Net::OpenID::Server does.
>
> I was able to login to my local LJ install by slightly altering that URL,
> since the signature still matched (with your ruby server's
> check_authentication)
>
Two things:
* The spec should probably describe a few things which MUST be included.
* The consumer should then reject logins that don't feature them, under
the assumption that they come from a server which can be easily spoofed
as you described.
Relying on servers to do the right thing seems a little silly. We don't
need to require *that* many fields, but I think return_to should
definitely always be included. There are probably a couple others, too.