I have an OpenID-based authentication system on my site.
Occasionally users will have an account registered under [email protected] and they will attempt to log in using the Google OpenID provider https://www.google.com/accounts/o8/id, in this case I would like to automatically associate the account and log them in.
When the process is done I get a payload from somewhere claiming that openid.op_endpoint=https://www.google.com/accounts/o8/id.
My question:
- Can I trust openid.op_endpoint to be correct? Can this be spoofed somehow by a malicious OpenID provider?
For illustration, let's say someone types in http://evil.org as their OpenID provider, can I somehow end up getting a request back that claims openid.op_endpoint is Google? Do I need to store extra information against the nonce to validate?
The spec is kind of tricky to understand.
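
One way to bind openid.op_endpoint to the provider the login started with, as an added example that is not part of the original post. The names begin_login, verified_op_endpoint and may_auto_associate, the in-memory store and the signature_ok flag are hypothetical; signature and nonce verification are assumed to be done by the site's OpenID library.

```python
import hmac
import secrets

GOOGLE_OP_ENDPOINT = "https://www.google.com/accounts/o8/id"  # value from the question

# Hypothetical server-side store: login handle -> OP endpoint found by the RP's own discovery.
_pending = {}


def begin_login(discovered_op_endpoint):
    """Record the endpoint discovery returned, before redirecting the user to it."""
    handle = secrets.token_urlsafe(16)  # keep in the user's session
    _pending[handle] = discovered_op_endpoint
    return handle


def verified_op_endpoint(handle, params, signature_ok):
    """Return the OP endpoint this response can be attributed to, or None.

    signature_ok is an assumption: the OpenID library has already checked
    openid.sig and the response nonce against the endpoint stored at begin_login.
    """
    expected = _pending.pop(handle, None)  # single use, so a replayed handle fails
    if expected is None or not signature_ok:
        return None
    # OpenID 2.0 requires op_endpoint to be in the signed field list.
    if "op_endpoint" not in params.get("openid.signed", "").split(","):
        return None
    claimed = params.get("openid.op_endpoint", "")
    if not hmac.compare_digest(claimed.encode(), expected.encode()):
        return None  # response names a different OP than the one we sent the user to
    return expected


def may_auto_associate(handle, params, signature_ok=True):
    """Auto-link by e-mail only when the verified endpoint is Google's."""
    return verified_op_endpoint(handle, params, signature_ok) == GOOGLE_OP_ENDPOINT


# Constructed sample response: the fields a return_to request would carry.
SAMPLE_RESPONSE = {
    "openid.op_endpoint": GOOGLE_OP_ENDPOINT,
    "openid.signed": "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity",
}
```

The example covers only the endpoint binding; checking that the returned claimed identifier is one the discovered provider may assert is a separate step.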