Shared secret -- what for?

Yuhui yuhuibc at gmail.com
Wed Jul 13 23:35:31 PDT 2005


Hi,

I'm intrigued by OpenID and its potential use in applications beyond
blogging. I've managed to wrap my head around the specs, except for
one part: the need for the shared secret.

To test that I understood how OpenID worked, I created an HTML page
(on my test consumer) with this simple form:
<form name="form1" id="form1" method="post"
action="http://www.livejournal.com/openid/server.bml">
  <input name="openid.mode" type="text" id="openid.mode" value="associate" />
  <input type="submit" name="Submit" value="Submit" id="Submit" />
</form>

After submitting the form, I got this response:
assoc_handle:yadda
assoc_type:HMAC-SHA1
expires_in:some-seconds
expiry:some-date
issued:some-other-date
mac_key:shared-secret

Then I manually constructed this URL:
http://www.livejournal.com/openid/server.bml?openid.mode=checkid_setup&openid.identity=http://www.livejournal.com/users/myblogname/&openid.assoc_handle=yadda&openid.return_to=http://return.to.com/

LiveJournal asked me to grant identity validation for
http://return.to.com/, I said "Yes; just this time" and was sent to
http://return.to.com/?openid.mode=id_res&openid.identity=http://www.livejournal.com/users/myblogname/&openid.return_to=http://return.to.com/&openid.issued=another-date&openid.valid_to=yet-another-date&openid.assoc_handle=yadda&openid.signed=mode,identity,return_to,issued,valid_to&openid.sig=some-signature

At this point, I assumed that OpenID worked successfully, and I could
continue working on the consumer with my LJ URL.

Notice, though, that I DID NOT use the shared secret (from "mac_key")
anywhere. So what is this shared secret used for?

(BTW "consumer" is taken from the OpenID specs.)

TIA!
Yuhui
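The shared secret from the associate step is what lets the consumer check openid.sig on its own, without a second round trip to the server. The following is an added example, not part of the post above and not LiveJournal's or any OpenID library's code: it builds the id_res response as a server would and verifies it as a consumer would, using the OpenID 1.x signing rule (HMAC-SHA1 over "field:value\n" lines for the fields listed in openid.signed, in that order, with the openid. prefix dropped; mac_key is base64 text). The mac_key, the timestamps and the "yadda" handle are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample values (not from the post): the base64 mac_key the
# associate step would return, and the handle naming that association.
MAC_KEY_B64 = base64.b64encode(b"constructed 20-byte key!").decode()
ASSOC_HANDLE = "yadda"


def signed_token(params, signed_fields):
    """OpenID 1.x signs 'field:value\\n' lines in openid.signed order,
    with the 'openid.' prefix stripped from each field name."""
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in signed_fields).encode()


def hmac_sha1_sig(params, mac_key_b64):
    """Value of openid.sig: base64(HMAC-SHA1(mac_key, token))."""
    key = base64.b64decode(mac_key_b64)
    fields = params["openid.signed"].split(",")
    digest = hmac.new(key, signed_token(params, fields), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def server_id_res(identity, return_to, mac_key_b64, assoc_handle):
    """Server side: the URL the user is sent back to after approving."""
    params = {
        "openid.mode": "id_res",
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.issued": "2005-07-13T23:35:31Z",    # constructed
        "openid.valid_to": "2005-07-14T00:35:31Z",  # constructed
        "openid.assoc_handle": assoc_handle,
        "openid.signed": "mode,identity,return_to,issued,valid_to",
    }
    params["openid.sig"] = hmac_sha1_sig(params, mac_key_b64)
    return return_to + "?" + urlencode(params)


def consumer_verify(url, mac_key_b64, assoc_handle, expected_return_to):
    """Consumer side: accept the assertion only if the HMAC checks out
    under the secret we obtained for this assoc_handle."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if params.get("openid.mode") != "id_res":
        return False
    if params.get("openid.assoc_handle") != assoc_handle:
        return False  # signed under a key we do not hold
    if params.get("openid.return_to") != expected_return_to:
        return False
    signed = params.get("openid.signed", "").split(",")
    if not {"mode", "identity", "return_to"} <= set(signed):
        return False  # a signature that omits these fields proves nothing
    try:
        expected = hmac_sha1_sig(params, mac_key_b64)
    except KeyError:
        return False  # a field listed in openid.signed is absent
    return hmac.compare_digest(expected, params.get("openid.sig", ""))


if __name__ == "__main__":
    url = server_id_res("http://www.livejournal.com/users/myblogname/",
                        "http://return.to.com/", MAC_KEY_B64, ASSOC_HANDLE)
    print(consumer_verify(url, MAC_KEY_B64, ASSOC_HANDLE, "http://return.to.com/"))
```

Without the mac_key the consumer has no way to tell a genuine id_res from a URL anyone could type into the address bar with a different openid.identity; with it, any change to a signed field makes the HMAC mismatch and the assertion is rejected.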


More information about the yadis mailing list