Relying Party Discovery
Relying Parties

Relying Parties must publish their return_to endpoints so that OpenID Providers can verify incoming authentication requests and reject proxy attacks, in which a rogue site relays a user's authentication while posing as a legitimate RP. The Yadis protocol and the realm verification mechanism are used for this purpose. See the section "Discovering OpenID Relying Parties" of the OpenID Authentication 2.0 specification for details.

Example:

    <Service xmlns="xri://$xrd*($v*2.0)">
      <Type>http://specs.openid.net/auth/2.0/return_to</Type>
      <URI>http://consumer.example.com/return</URI>
    </Service>

The RP should publish the above <Service> element, inside an XRDS document, at its realm URL. Every OpenID Authentication request sent by this RP should then carry an openid.return_to value that matches the published URI http://consumer.example.com/return.

OpenID Providers

Validation of openid.return_to values against the Relying Party's discovered endpoints is enabled by default. This feature can be disabled with ServerManager.setEnforceRpId(false); an OP that disables it can no longer confirm that a request really comes from the RP that controls the realm.
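The following is an added example, not openid4java code, showing the OP-side check the two sections above describe: parse the XRDS an RP publishes at its realm, then verify a candidate openid.return_to both against openid.realm (realm verification) and against the discovered return_to URIs (RP discovery). The XRDS text, the realm values and the return_to values are constructed for the example; treating the published URI as a realm-style prefix (same scheme, host and port, path equal to or below it) is this example's interpretation of the matching rule.

```python
"""OP-side verification of openid.return_to against an RP's published XRDS.

Added example (not openid4java code). The XRDS document below is constructed
for illustration, and the published return_to URI is treated as a realm-style
prefix; both are assumptions of this example.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD_NS = "xri://$xrd*($v*2.0)"
RETURN_TO_TYPE = "http://specs.openid.net/auth/2.0/return_to"
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed XRDS document, as the RP would serve it at its realm URL.
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service>
      <Type>http://specs.openid.net/auth/2.0/return_to</Type>
      <URI>http://consumer.example.com/return</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


def published_return_to_uris(xrds_text):
    """Return every <URI> of a <Service> typed as an OpenID 2.0 return_to."""
    root = ET.fromstring(xrds_text)
    uris = []
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = {t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text}
        if RETURN_TO_TYPE in types:
            uris.extend(u.text.strip() for u in svc.findall(f"{{{XRD_NS}}}URI") if u.text)
    return uris


def _effective_port(parts):
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def url_matches_realm(url, realm):
    """Simplified realm matching in the sense of OpenID 2.0 section 9.2.

    Scheme and port must be identical; the host must be identical, or the
    realm host must be "*.example.com" and the URL host equal to or ending in
    ".example.com"; the URL path must equal the realm path or sit below it.
    """
    u, r = urlsplit(url), urlsplit(realm)
    if r.fragment or not u.scheme or not r.scheme:
        return False  # a realm must not carry a fragment
    if u.scheme != r.scheme or _effective_port(u) != _effective_port(r):
        return False
    uhost, rhost = (u.hostname or "").lower(), (r.hostname or "").lower()
    if rhost.startswith("*."):
        suffix = rhost[2:]
        if not (uhost == suffix or uhost.endswith("." + suffix)):
            return False
    elif uhost != rhost:
        return False
    rpath, upath = r.path or "/", u.path or "/"
    return upath == rpath or upath.startswith(rpath.rstrip("/") + "/")


def verify_return_to(return_to, realm, xrds_text):
    """Decide whether an authentication request's return_to is acceptable.

    Returns (ok, reason). Both checks must pass: realm verification of the
    return_to, then RP discovery against the XRDS published at the realm.
    """
    if not url_matches_realm(return_to, realm):
        return False, "return_to does not match openid.realm"
    uris = published_return_to_uris(xrds_text)
    if not uris:
        return False, "RP discovery found no return_to service at the realm"
    if not any(url_matches_realm(return_to, uri) for uri in uris):
        return False, "return_to not among the RP's published endpoints"
    return True, "ok"


if __name__ == "__main__":
    # Legitimate request from the RP that published SAMPLE_XRDS.
    print(verify_return_to("http://consumer.example.com/return?openid.nonce=n1",
                           "http://consumer.example.com/", SAMPLE_XRDS))
    # Wildcard realm passes realm verification but fails RP discovery.
    print(verify_return_to("http://evil.example.com/return",
                           "http://*.example.com/", SAMPLE_XRDS))
```

The second case in the usage block is the one RP discovery exists for: a wildcard realm such as http://*.example.com/ lets any host under example.com satisfy realm verification, so only the XRDS fetched from the realm tells the OP which return_to endpoints the realm owner actually operates. In a real OP the XRDS would be fetched over HTTP(S) from the realm URL rather than passed in as a string.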
I don't understand how RP discovery will work for RPs that are behind a firewall. For instance, my application is a private intranet-only app and has no public access.
Was this considered when adding the RP Discovery to the spec?
RP discovery won't work in that case.
Yes, this was considered. The fact remains that the RP identity cannot be confirmed in such cases (and thus certain proxy / XSS attacks cannot be ruled out), and it is up to each OP to decide how to proceed: deny authentication, warn their users of potential risks, etc.
Johnny
I am running the consumer servlet on my localhost, and I get the error "A Yadis Resource Descriptor URL MUST be an absolute URL and it must be HTTP or HTTPS; found: null".
I am inputting the user supplied identifier as -- https://www.google.com/accounts/o8/id
Does this mean that we can't run the servlet locally to get the response and get authenticated on Google?