Inferring return_to
Paul Crowley
paul at ciphergoth.org
Mon Jun 13 07:48:30 PDT 2005
When the consumer comes to verify a token, it must know the value of
return_to used to build the token. This won't be the URL of the request
that passes the token to the client - that URL includes extra GET
parameters like the signature itself. So how should they infer it?
* if they don't add GET parameters before sending it, it's just the URL
with no parameters
* if they do, they could include a special "sentinel" parameter, say
"sentinel=true", and search for the first occurrence of it
* The server could tell them the length of the return_to in the reply
and they could truncate to that, but I worry about possible security
implications of that strategy
--
__
\/ o\ Paul Crowley, paul at ciphergoth.org
/\__/ http://www.ciphergoth.org/
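The first two inference strategies from the message above, written out as an added illustration (this is not code from the original post or from any yadis/OpenID implementation). It assumes the consumer's finish URL, the server-added parameter names (`sig`, `nonce`) and the sentinel text `sentinel=true` as constructed placeholders; the consistency check at the end is an extra sanity step the post does not mention.

```python
"""Recovering the return_to a consumer originally used from the URL the
token finally arrives on.  Added example; URLs, parameter names and the
sentinel text are constructed placeholders, not protocol-defined names."""
from urllib.parse import urlsplit, urlunsplit

# Marker the consumer appends as the LAST of its own GET parameters
# (assumed name, taken from the post's "sentinel=true" suggestion).
SENTINEL = "sentinel=true"


def infer_no_params(request_url: str) -> str:
    """Strategy 1: the consumer added no GET parameters of its own, so
    return_to is the request URL with query string and fragment dropped."""
    parts = urlsplit(request_url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def infer_by_sentinel(request_url: str, sentinel: str = SENTINEL) -> str:
    """Strategy 2: the consumer ended its own query string with a sentinel
    parameter.  Everything up to and including the FIRST occurrence of the
    sentinel is return_to; everything after it was added by the server.
    Using the first occurrence matters: a later, server-supplied parameter
    value could itself contain the sentinel text."""
    idx = request_url.find(sentinel)
    if idx < 0:
        raise ValueError("sentinel not present; cannot infer return_to")
    return request_url[: idx + len(sentinel)]


def is_consistent(return_to: str, request_url: str) -> bool:
    """Sanity check before verifying the token: the inferred return_to must
    be a prefix of the request URL, and whatever follows must start a new
    parameter ('?' or '&') or be empty."""
    if not request_url.startswith(return_to):
        return False
    rest = request_url[len(return_to):]
    return rest == "" or rest[0] in "?&"


if __name__ == "__main__":
    # Constructed sample: server appended a signature and a nonce.
    plain = "https://consumer.example/finish?sig=abc123&nonce=17"
    rt = infer_no_params(plain)
    print("strategy 1:", rt, is_consistent(rt, plain))

    # Constructed sample: consumer kept its own 'next' parameter and a sentinel.
    tagged = ("https://consumer.example/finish?next=%2Fdashboard&sentinel=true"
              "&sig=abc123&nonce=17")
    rt = infer_by_sentinel(tagged)
    print("strategy 2:", rt, is_consistent(rt, tagged))
```

The sentinel approach only works if the consumer controls the end of its own query string and the server appends rather than reorders parameters; `is_consistent` catches the case where the recovered prefix does not line up with a parameter boundary, which would otherwise make the token check fail for an unclear reason.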