On 13-07-22 06:47 AM, Sven Jacobs wrote:
> In the OpenID callback I receive the
> user's email address and use it to match it against local users and
> perform authorization.
Attributes in an openid response are self-asserted, so unless you have
other means of verifying that the user is actually the owner of the
provided email address, your accounts can be hijacked by anyone
declaring that they own a certain email address. (Some openid providers
do provide a "verified email" attribute, but this should be a conscious
decision on the RP side to trust such an assertion.)
RPs should identify the users by their identifier that comes in the
openid.claimed_id response field.
> So if the session has expired I take the "verified ID" from my custom
> cookie and perform an immediate request (see
>
http://openid.net/specs/openid-authentication-2_0.html#anchor28). As far
> as I understand it the setup is basically the same except
>
> manager.setImmediateAuth(true);
>
> So the OpenID URL is opened but instead of a permission dialog the
> callback URL is called immediately if the user has granted access for
> the application previously. However that means that every time a user
> opens the application and the session has expired, the OpenID popup
> window opens and immediately closes again.
>
> I wonder if it's possible to do the immediate request completely on the
> server-side without the browser redirection (invisible to the user)?
No, this needs to happen on the front channel, where the user's browser
can present the authentication cookie to the openid provider (if they
still have an active session there). You can put it in a hidden iframe.
Johnny