Shared secret -- what for?

Yuhui yuhuibc at
Thu Jul 14 21:10:05 PDT 2005

> For confirming, when the consumer gets a request to such a URL, that it
> *actually* came from the server in question.  If you don't confirm that, you're
> allowing anyone to send you a properly formed request, and log in with whatever
> identity they want, regardless of whether they actually own the identity URL
> listed in the request.
> In other words, you've completely missed all the security portions of the
> protocol.

Hey Carl,

Ah, yes, I did not check openid.sig in the return URL. I hacked up a
simple PHP script to ensure that openid.sig = base64(HMAC(shared
secret, token string)). openid.sig verified beautifully!

Ok, I think I've got a hang of OpenID. Now, I shall see how I can apply it.

Thanks again, Carl!


More information about the yadis mailing list