Shared secret -- what for?
yuhuibc at gmail.com
Wed Jul 13 23:35:31 PDT 2005
I'm intrigued by OpenID and its potential use in applications beyond
blogging. I've managed to wrap my head around the specs, except for
one part: the need for the shared secret.
To test that I understood how OpenID worked, I created an HTML page
(on my test consumer) with this simple form:
<form name="form1" id="form1" method="post"
<input name="openid.mode" type="text" id="openid.mode" value="associate" />
<input type="submit" name="Submit" value="Submit" id="Submit" />
After submitting the form, I got this response:
Then I manually constructed this URL:
LiveJournal asked me to grant identity validation for
http://return.to.com/, I said "Yes; just this time" and was sent to
At this point, I assumed that OpenID worked successfully, and I could
continue working on the consumer with my LJ URL.
Notice, though, that I DID NOT use the shared secret (from "mac_key")
anywhere. So what is this shared secret used for?
(BTW "consumer" is taken from the OpenID specs.)
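
An added example, not part of the original message or of any OpenID project code: how a consumer would use the association's mac_key to check the redirect back to return_to, assuming the OpenID 1.1 signing rule (base64 HMAC-SHA1 over "field:value\n" lines for the fields listed in openid.signed). The key, handle, identity URL and the sample_response helper are constructed for illustration.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample association (not real values).
MAC_KEY = base64.b64encode(b"constructed-mac-key!").decode()
ASSOC_HANDLE = "constructed-handle-1"

def sign(mac_key_b64, params, signed_fields):
    """base64(HMAC-SHA1(mac_key, 'field:value\\n' per signed field, in order))."""
    token = "".join(f"{f}:{params['openid.' + f]}\n" for f in signed_fields)
    mac = hmac.new(base64.b64decode(mac_key_b64), token.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def verify_return(url, mac_key_b64, assoc_handle):
    """True only if the id_res response carries a valid signature under our key."""
    q = {k: v[0] for k, v in
         parse_qs(urlsplit(url).query, keep_blank_values=True).items()}
    if q.get("openid.mode") != "id_res":
        return False
    if q.get("openid.assoc_handle") != assoc_handle:
        return False
    signed = q.get("openid.signed", "").split(",")
    # The fields the consumer acts on must be covered by the signature.
    if not {"identity", "return_to"} <= set(signed):
        return False
    if any("openid." + f not in q for f in signed):
        return False
    expected = sign(mac_key_b64, q, signed)
    # Constant-time comparison of the recomputed and received signatures.
    return hmac.compare_digest(expected.encode(), q.get("openid.sig", "").encode())

def sample_response(identity, mac_key_b64):
    """Build a constructed id_res redirect URL signed with the given key."""
    p = {"openid.mode": "id_res", "openid.identity": identity,
         "openid.return_to": "http://return.to.com/",
         "openid.assoc_handle": ASSOC_HANDLE,
         "openid.signed": "mode,identity,return_to"}
    p["openid.sig"] = sign(mac_key_b64, p, p["openid.signed"].split(","))
    return "http://return.to.com/?" + urlencode(p)

if __name__ == "__main__":
    good = sample_response("http://user.example/", MAC_KEY)
    print("signed by server:", verify_return(good, MAC_KEY, ASSOC_HANDLE))
    edited = good.replace("user.example", "other.example")
    print("identity edited :", verify_return(edited, MAC_KEY, ASSOC_HANDLE))
```

A consumer that accepts the redirect without this check has no way to tell a response issued by the identity server from a URL that anyone typed by hand.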