Re: [dotnetopenauth] disable dumb mode at OP side


Andrew Arnott

Aug 6, 2012, 12:43:45 AM
to dotnet...@googlegroups.com
I don't think there is a switch to do that, although it could be easily added.

Can you elaborate on your scenario? What are you trying to achieve by this?
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre


On Sun, Aug 5, 2012 at 9:34 PM, cxwl3sxl <cxwl...@gmail.com> wrote:
Hi Guys,
We use DotNetOpenAuth to build an OP site, but how can I disable dumb mode on the OP side? We only want RPs to call us using smart mode.
I had googled, but got no answer.

thanks.

--
You received this message because you are subscribed to the Google Groups "DotNetOpenAuth" group.
To view this discussion on the web visit https://groups.google.com/d/msg/dotnetopenid/-/_zhHKFBQk_kJ.
To post to this group, send email to dotnet...@googlegroups.com.
To unsubscribe from this group, send email to dotnetopenid...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/dotnetopenid?hl=en.

cxwl3sxl

Aug 6, 2012, 2:20:29 AM
to dotnet...@googlegroups.com
There are 7 steps for one request, but the 3rd is optional (http://openid.net/specs/openid-authentication-2_0.html#anchor2). Now I want to make step 3 required, because I want to check whether the RP is trusted or not at step 3!


Andrew Arnott

Aug 8, 2012, 2:45:06 PM
to dotnet...@googlegroups.com
So you want to only interact with RPs you trust. That's a perfectly fine request. But making step 3 a mandatory step will not accomplish that. The RP is not identified to the OP during this step, so you couldn't decide whether you trust the RP at that point.

Instead, on step 5, the OP can look at the openid.realm parameter (via the IHostProcessedRequest.Realm property) when the user is redirected to the Provider to determine whether you want to honor the request or reject with an "untrusted RP" error.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre


To view this discussion on the web visit https://groups.google.com/d/msg/dotnetopenid/-/0VcyYcP7AioJ.
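The realm check Andrew describes, written out as an added example (this is not code from the thread or from the DotNetOpenAuth project). It assumes the synchronous DotNetOpenAuth 4.x provider API (OpenIdProvider.GetRequest / SendResponse, IHostProcessedRequest.Realm, Realm.DomainWildcard, ProviderEndpoint.PendingRequest) hosted as an ASP.NET handler; the allowlisted realms and the "~/Login.aspx" page name are constructed placeholders. Associate (step 3) and check_authentication (step 7) messages carry no realm and are answered by the library itself, so the allowlist is applied only to checkid_* requests at step 5, which is where the RP is actually identified:

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using DotNetOpenAuth.OpenId;
using DotNetOpenAuth.OpenId.Provider;

// OP endpoint that only honors authentication requests from allowlisted RPs.
public class TrustedRpProviderHandler : IHttpHandler
{
    // Constructed allowlist: exact realm strings this OP is willing to serve.
    private static readonly HashSet<string> TrustedRealms =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "https://rp.example.com/",            // placeholder
            "https://partner.example.org/openid/" // placeholder
        };

    private static readonly OpenIdProvider Provider = new OpenIdProvider();

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        IRequest request = Provider.GetRequest();
        if (request == null)
        {
            context.Response.StatusCode = 400; // not an OpenID message
            return;
        }

        // Only checkid_setup / checkid_immediate expose the RP's realm.
        var hostRequest = request as IHostProcessedRequest;
        if (hostRequest != null && !IsTrustedRealm(hostRequest.Realm))
        {
            // Reject: a negative assertion goes back to the RP. DotNetOpenAuth
            // has no dedicated "untrusted RP" error, so this is the closest
            // protocol-level refusal.
            var authRequest = request as IAuthenticationRequest;
            if (authRequest != null) authRequest.IsAuthenticated = false;
            var anonRequest = request as IAnonymousRequest;
            if (anonRequest != null) anonRequest.IsApproved = false;
            Provider.SendResponse(request);
            return;
        }

        if (request.IsResponseReady)
        {
            // associate and check_authentication: library answers these directly,
            // so dumb-mode verification keeps working for trusted RPs.
            Provider.SendResponse(request);
            return;
        }

        // Trusted RP, user interaction still needed: park the request (assumed
        // DotNetOpenAuth helper) and hand off to the login/consent page.
        ProviderEndpoint.PendingRequest = hostRequest;
        context.Response.Redirect("~/Login.aspx"); // assumed page name
    }

    // Exact-match allowlist; wildcard realms (http://*.example.com/) are refused
    // because an exact list cannot vouch for every subdomain they cover.
    internal static bool IsTrustedRealm(Realm realm)
    {
        if (realm == null) return false;
        if (realm.DomainWildcard) return false;
        return TrustedRealms.Contains(realm.ToString());
    }
}
```

The point of keeping the allowlist out of the associate and check_authentication paths is the one made in this reply: the trust decision is tied to the realm, not to whether the RP holds an association, so smart-mode and dumb-mode RPs are treated identically once the realm has been accepted.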

cxwl3sxl

Aug 15, 2012, 5:52:22 AM
to dotnet...@googlegroups.com
Sorry, the previous reply was not clear. My question was how to disable dumb mode, and if step 3 is skipped, OpenAuth will process the request in dumb mode, so I want step 3 to become non-optional. My solution is to check whether openid.assoc_handle exists at step 4, but I'm not sure whether that is correct.


Andrew Arnott

Aug 15, 2012, 2:09:04 PM
to dotnet...@googlegroups.com
I understood that you wanted to disable dumb mode. But your reason for doing so (only interacting with RPs you trust) was not going to be satisfied by disabling dumb mode. This is what I tried to explain in my last email.
Checking whether openid.assoc_handle exists is not a valid way to disallow dumb mode. There are a few different reasons why that parameter may still be present yet the RP and OP subsequently act in a 'dumb mode' flow.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre


To view this discussion on the web visit https://groups.google.com/d/msg/dotnetopenid/-/XMAxabNSPaIJ.

cxwl3sxl

Aug 23, 2012, 4:37:37 AM
to dotnet...@googlegroups.com
In my view, the RP's assoc_handle value comes from the OP, so if the RP sends a value that cannot be found at the OP (including null), we should reject this request; then I can tell the RP that it must do association first. I don't know whether this is OK or not; if not, can you give me some suggestions about disabling dumb mode? Thanks.

Andrew Arnott

Aug 23, 2012, 9:14:10 AM
to dotnet...@googlegroups.com
The assoc_handle isn't confidential, so an RP could use an assoc_handle that an attacker observed the OP issue to a different RP. Again, you can't make security decisions based on assoc_handle in this manner. Also, even if the assoc_handle was valid and from the right RP, dumb mode may still be used if the assoc_handle expires while the user is authenticating and approving at the OP.

I asked you earlier what you were really trying to accomplish by disabling dumb mode and I believe you said that you were trying to make it so that your OP only issued authentications to certain whitelisted RPs. That's fine, and I gave you a suggestion on how to do that (that didn't involve dumb mode restrictions) in my earlier response to you. If that is not what you're trying to accomplish, please tell me why you want to disable dumb mode.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre


To view this discussion on the web visit https://groups.google.com/d/msg/dotnetopenid/-/RNBvn4MLHd8J.