Shared secret -- what for?
Yuhui
yuhuibc at gmail.com
Thu Jul 14 21:10:05 PDT 2005
> For confirming, when the consumer gets a request to such a URL, that it
> *actually* came from the server in question. If you don't confirm that, you're
> allowing anyone to send you a properly formed request, and log in with whatever
> identity they want, regardless of whether they actually own the identity URL
> listed in the request.
>
> In other words, you've completely missed all the security portions of the
> protocol.
Hey Carl,
Ah, yes, I did not check openid.sig in the return URL. I hacked up a
simple PHP script to ensure that openid.sig = base64(HMAC(shared
secret, token string)). openid.sig verified beautifully!
OK, I think I've got the hang of OpenID. Now, I shall see how I can apply it.
Thanks again, Carl!
Yuhui
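The check described in the reply above, written out as an added example (not Yuhui's PHP script and not any OpenID library's code): the consumer rebuilds the OpenID 1.x token string from the fields listed in openid.signed, recomputes HMAC-SHA1 under the association's shared secret, base64-encodes it and compares with openid.sig. The shared secret, identity and return_to URLs are constructed sample values. Two extra checks that the thread does not spell out are included because they decide whether the signature means anything: the signed field list must cover mode, identity and return_to (OpenID 1.1 requires at least those), and the comparison is constant-time.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed sample secret: the association MAC key that consumer and server
# share, already base64-decoded. A real key comes from the association step.
SHARED_SECRET = bytes(range(20))

# OpenID 1.1 requires at least these fields to be covered by the signature.
REQUIRED_SIGNED = ("mode", "identity", "return_to")


def build_token_string(params, signed_fields):
    """Key-value form that OpenID 1.x signs: one 'name:value\\n' line per
    field in openid.signed, in the listed order, with 'openid.' stripped."""
    lines = []
    for name in signed_fields:
        key = "openid." + name
        if key not in params:
            raise ValueError("signed field %r missing from response" % name)
        lines.append("%s:%s\n" % (name, params[key]))
    return "".join(lines).encode("utf-8")


def compute_sig(secret, params, signed_fields):
    """openid.sig = base64(HMAC-SHA1(shared secret, token string))."""
    mac = hmac.new(secret, build_token_string(params, signed_fields), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def sign_response(secret, params, signed_fields):
    """Server side: add openid.signed and openid.sig, return the query string."""
    signed = dict(params)
    signed["openid.signed"] = ",".join(signed_fields)
    signed["openid.sig"] = compute_sig(secret, signed, signed_fields)
    return urlencode(signed)


def verify_response(secret, query):
    """Consumer side: accept the login only if the signature checks out."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    if params.get("openid.mode") != "id_res":
        return False
    signed_fields = [f for f in params.get("openid.signed", "").split(",") if f]
    # The server chose which fields it signed; the fields that decide who is
    # logged in and where the browser is sent must be among them.
    if any(f not in signed_fields for f in REQUIRED_SIGNED):
        return False
    try:
        expected = compute_sig(secret, params, signed_fields)
    except ValueError:
        return False
    # Constant-time compare: a plain == leaks timing about the expected MAC.
    return hmac.compare_digest(expected, params.get("openid.sig", ""))


# Constructed sample response, as the server would redirect it back to us.
SAMPLE_PARAMS = {
    "openid.mode": "id_res",
    "openid.identity": "http://alice.example.org/",
    "openid.return_to": "http://consumer.example.net/finish",
    "openid.assoc_handle": "{HMAC-SHA1}{constructed}",
}
GOOD_QUERY = sign_response(SHARED_SECRET, SAMPLE_PARAMS,
                           REQUIRED_SIGNED + ("assoc_handle",))


def tampered_query():
    """The signed response with the identity swapped after signing."""
    params = dict(parse_qsl(GOOD_QUERY, keep_blank_values=True))
    params["openid.identity"] = "http://mallory.example.org/"
    return urlencode(params)


def under_signed_query():
    """Valid signature that covers only 'mode', leaving identity unprotected."""
    return sign_response(SHARED_SECRET, SAMPLE_PARAMS, ("mode",))


if __name__ == "__main__":
    print("good:", verify_response(SHARED_SECRET, GOOD_QUERY))                     # True
    print("tampered:", verify_response(SHARED_SECRET, tampered_query()))           # False
    print("under-signed:", verify_response(SHARED_SECRET, under_signed_query()))   # False
```

The under-signed case is the one to remember: a correct HMAC over a field list the server (or whoever sent the request) chose is not enough on its own, so the consumer checks the list before it checks the MAC.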
More information about the yadis mailing list