Alwyn
Reputation: 8337
How is OpenId secure?
I found this in another SO thread:
Steps:
- User connects to OpenID enabled website.
- User enters credential information.
- A POST is made with a BASE64 (website to provider)
- An answer is built (that contains expiration)
- The website redirects the user to the provider to login.
- User enters password and submit.
- Verification is done.
- Login!
How are step 6-8 secured? The way I see it, the client is authenticating with the provider and reporting back the result to our server.
What is stopping the client from faking the authentication result?
Upvotes: 1
Views: 95
Answers (1)
Mewp
Reputation: 4715
Primarily, the authentication result is cryptographically signed by the provider. There are also other security measures protecting against other attacks.
Quoting the OpenID 2.0 specification, section 11.:
When the Relying Party receives a positive assertion, it MUST verify the following before accepting the assertion:
- The value of "openid.return_to" matches the URL of the current request (Section 11.1)
- Discovered information matches the information in the assertion (Section 11.2)
- An assertion has not yet been accepted from this OP with the same value for "openid.response_nonce" (Section 11.3)
- The signature on the assertion is valid and all fields that are required to be signed are signed (Section 11.4)
The client can, of course, send a fake authentication result, but it won't pass verification.
Upvotes: 2
Related Questions
- How does OpenID authentication work?
- What reasons are there NOT to use OpenID?
- Open ID as internal authentication mechanism
- How does OpenID work?
- Secure OpenID user authentication
- Why should I use OpenID for Authentication rather than OAuth?
- What might solve OpenID's security problems
- OpenID, how open is it?
- How safe is openID?
- What are the advantages and disadvantages to using OpenID?