Paul Crowley paul at
Mon Jun 13 07:48:30 PDT 2005

When the consumer comes to verify a token, it must know the value of 
return_to used to build the token.  This won't be the URL of the request 
that passes the token to the client - that URL includes extra GET 
parameters like the signature itself.  So how should they infer it?

* if they don't add GET parameters before sending it, it's just the URL 
with no parameters
* if they do, they could include a special "sentinel" parameter, say 
"sentinel=true", and search for the first occurrence of it
* the server could tell them the length of the return_to in the reply 
and they could truncate to that, but I worry about possible security 
implications of that strategy

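The three recovery strategies listed in the message, worked through as an added example. This is not Paul's code, nor any library's; it assumes a hypothetical server that signs return_to together with an identity using an HMAC and appends the result as GET parameters named identity and sig, and it takes the sentinel literally as the parameter sentinel=true from the post. The length strategy includes a sanity check (the cut must land on a ? or & boundary) that the post does not specify; it is an assumption about what a consumer would want to check before trusting a length supplied by the other party.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed sentinel parameter, taken from the post's own example.
SENTINEL = "sentinel=true"


def sign(secret: bytes, return_to: str, identity: str) -> str:
    """Token over the exact return_to string and the asserted identity (assumed scheme)."""
    msg = f"{return_to}\n{identity}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def server_redirect(secret: bytes, return_to: str, identity: str) -> str:
    """What the (hypothetical) server sends the user back with: return_to plus extra GET params."""
    sep = "&" if "?" in return_to else "?"
    return return_to + sep + urlencode({"identity": identity, "sig": sign(secret, return_to, identity)})


# Strategy 1: consumer added no parameters, so return_to is the URL up to the first '?'.
def return_to_no_params(url: str) -> str:
    return url.split("?", 1)[0]


# Strategy 2: consumer appended sentinel=true; cut at the first occurrence of it.
def return_to_sentinel(url: str):
    i = url.find(SENTINEL)
    if i < 0:
        return None
    return url[: i + len(SENTINEL)]


# Strategy 3: server reports the length; truncate, but only accept a cut that lands
# on a parameter boundary (assumed check, not from the post).
def return_to_length(url: str, n: int):
    if n <= 0 or n >= len(url) or url[n] not in "?&":
        return None
    return url[:n]


def verify(secret: bytes, url: str, return_to: str) -> bool:
    """Recompute the token from the recovered return_to and compare to the sig parameter."""
    qs = parse_qs(urlsplit(url).query)
    sig = qs.get("sig", [""])[0]
    identity = qs.get("identity", [""])[0]
    return hmac.compare_digest(sig, sign(secret, return_to, identity))


if __name__ == "__main__":
    secret = b"shared-secret"  # constructed sample
    rt = "https://consumer.example/finish?nonce=abc123&" + SENTINEL
    url = server_redirect(secret, rt, "https://alice.example/")
    print(url)
    print(verify(secret, url, return_to_sentinel(url)))
```

The point the example makes concrete: verification only succeeds if the consumer recovers the byte-exact return_to that the server signed, so any of the consumer's own parameters that get altered in transit (try changing the nonce in the URL above) fail the check, while the server-added parameters are outside the signed string by construction.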