Hi, I've implemented an OpenID login system on my site and it works OK, but when I compare what is sent to the OpenID provider and back, it is different from what is sent by stackoverflow.com, for example, which sends an s parameter and a token parameter. Are these parameters custom parameters sent by stackoverflow, or can dotnetopenid send them but you have to turn it on?

Is that token against CSRF attack?

A: 

OpenID allows for extra "callback" parameters to be included in the return_to URL, and dotnetopenid uses this facility to optimize the login experience. It's not for CSRF protection. It's just an optimization.

StackOverflow uses dotnetopenid 2.5.x, which adds a token parameter. The latest DotNetOpenAuth library does not add this parameter (although it can add others, depending on the features the RP requires).

Andrew Arnott
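
The callback-parameter mechanism the answer refers to, as an added example (not part of the original answer and not dotnetopenid's or DotNetOpenAuth's code): a relying party appends its own parameters to return_to, and when the response comes back it checks, as OpenID 2.0 section 11.1 requires, that every return_to parameter is present in the request with the same value. The host `rp.example`, the parameter values and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode


def add_callback_args(url, args):
    """Append extra query parameters to a URL, keeping any it already has."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(args.items())
    return urlunsplit(parts._replace(query=urlencode(query)))


def simulate_op_response(return_to):
    """Constructed stand-in for the provider's redirect back to the RP.

    A real response carries more openid.* fields and a signature that
    covers openid.return_to; signature checking is out of scope here.
    """
    return add_callback_args(
        return_to, {"openid.mode": "id_res", "openid.return_to": return_to}
    )


def verify_return_to(request_url):
    """Return True if the request matches the openid.return_to it carries.

    Scheme, host and path must be identical, and every query parameter of
    return_to must appear in the request with the same value.
    """
    req = urlsplit(request_url)
    req_args = parse_qsl(req.query, keep_blank_values=True)
    claimed = dict(req_args).get("openid.return_to")
    if claimed is None:
        return False
    rt = urlsplit(claimed)
    if (rt.scheme, rt.netloc, rt.path) != (req.scheme, req.netloc, req.path):
        return False
    rt_args = parse_qsl(rt.query, keep_blank_values=True)
    return all(pair in req_args for pair in rt_args)


if __name__ == "__main__":
    # Constructed values; not what any real library puts in these parameters.
    return_to = add_callback_args(
        "https://rp.example/login/return", {"token": "constructed-123", "s": "1"}
    )
    response = simulate_op_response(return_to)
    print(verify_return_to(response))  # callback args round-tripped intact
    altered = response.replace("?token=constructed-123", "?token=other", 1)
    print(verify_return_to(altered))   # outer value no longer matches return_to
```
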