OpenID 2.0 security considerations
Kevin Turner
kevin at janrain.com
Thu Aug 24 20:41:22 UTC 2006
On Wed, 2006-08-23 at 22:34 -0700, Dick Hardt wrote:
> Smart mode is hard to do with a Rich Client acting as the IdP. I
> don't think an IdP should be required to do smart mode.
Assuming signed messages[1], normal mode and stateless mode differ
mostly in that one makes an "associate" request and the other makes a
"check_authentication" request. But these are both direct RP to IdP
requests and both flows result in equivalent assertions, so it seems to
me that they pose equivalent obstacles in terms of moving the IdP to a
rich client.
What am I missing?
[1]: which seems a safe assumption, as signing "id_res" messages is
required for all currently specified forms of OpenID.
More information about the yadis
mailing list