1

I found this in another SO thread:

Steps:

  1. User connects to OpenID enabled website.
  2. User enters credential information.
  3. A POST is made with a BASE64 (website to provider)
  4. An answer is built (that contains expiration)
  5. The website redirects the user to the provider to login.
  6. User enters password and submit.
  7. Verification is done.
  8. Login!

How are step 6-8 secured? The way I see it, the client is authenticating with the provider and reporting back the result to our server.

What is stopping the client from faking the authentication result?

Community
  • 1
  • 1
Alwyn
  • 8,079
  • 12
  • 59
  • 107

1 Answers1

2

Primarily, the authentication result is cryptographically signed by the provider. There are also other security measures protecting against other attacks.

Quoting the OpenID 2.0 specification, section 11.:

When the Relying Party receives a positive assertion, it MUST verify the following before accepting the assertion:

  • The value of "openid.return_to" matches the URL of the current request (Section 11.1)
  • Discovered information matches the information in the assertion (Section 11.2)
  • An assertion has not yet been accepted from this OP with the same value for "openid.response_nonce" (Section 11.3)
  • The signature on the assertion is valid and all fields that are required to be signed are signed (Section 11.4)

The client can, of course, send a fake authentication result, but it won't pass verification.

Mewp
  • 4,715
  • 1
  • 21
  • 24