views:

87

answers:

1

I have an OpenID-based authentication system on my site.

Occasionally users will have an account registered under [email protected] and they will attempt to log in using the Google OpenID provider https://www.google.com/accounts/o8/id; in this case I would like to automatically associate the account and log them in.

When the process is done I get a payload from somewhere claiming that openid.op_endpoint=https://www.google.com/accounts/o8/id.

My question:

  • Can I trust openid.op_endpoint to be correct? Can this be spoofed somehow by a malicious openid provider?

For illustration, let's say someone types in http://evil.org as their OpenID provider; can I somehow end up getting a request back that claims openid.op_endpoint is Google? Do I need to store extra information against the nonce to validate?

The spec is kind of tricky to understand.

+1  A: 

Yes and no. No, you shouldn't trust anything you get over the wire, including openid.op_endpoint. But if you are using a secure OpenID library, this parameter is verified before the user is ever allowed to log into your site. The OpenID spec does (in fact, must) provide a way for this and other parameters to be verified, and without verification the authentication protocol is worse than useless.

So, make sure your library is decent. Then yes, trust the openid.op_endpoint parameter. But not the one you get from the query string yourself, since OpenID messages can be POSTed to you, and the parameter would not show up in the query string. Worse, if you were to check the query string in this case, you'd probably be opening yourself up to a security hole where an attacker could add that parameter to the query string and fool you while complying with the library's requirements. So it's best to use the API the library exposes to find out what the OP endpoint is.

As far as linking the accounts in this way, this is a good approach, since Google will only send email addresses it knows are truly controlled by the user. If you've already required your user to go through an email verification step, then linking the account is safe. But if the email address you have for the user wasn't ever verified, then you must not link the accounts based on this match, or I can hijack someone else's account by creating an account that has someone else's email address and then waiting for them to log in using OpenID, at which point I can get into their account.

Andrew Arnott
See my expanded question.
Sam Saffron
Hi Sam. The scenario you depict is certainly possible for an attacker to create. But a correctly implemented OpenID RP will not be fooled. A bunch of tests to see that an RP is not vulnerable to attacks like these is available here: http://test-id.org/RP/VerifyAssertionDiscovery.aspx
Andrew Arnott
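The two checks the answer describes, as an added example that is not part of the question, the answer, or any OpenID library: the relying party remembers the OP endpoint it discovered when the login started (keyed by the nonce it puts in return_to), rejects a returned assertion whose openid.op_endpoint differs from that, reads the parameter from the parsed POST body rather than the raw query string, and only links accounts when the site itself verified the local email address. Discovery, signature checking and the account store are constructed stand-ins so it runs offline; a real OpenID 2.0 RP also re-discovers the returned claimed identifier before accepting it.

```python
# Added example (not from the question or answer): a simplified OpenID 2.0-style
# relying party. Discovery, signing and storage are simulated with constructed
# data so the flow runs offline.
import secrets

# Constructed discovery table: claimed identifier -> OP endpoint. In a real RP
# this comes from Yadis/XRDS discovery over HTTPS, never from the assertion.
DISCOVERY = {
    "https://www.google.com/accounts/o8/id": "https://www.google.com/accounts/o8/id",
    "http://evil.org": "http://evil.org/openid",
}


class RelyingParty:
    def __init__(self):
        self.pending = {}  # nonce -> OP endpoint discovered at begin()

    def begin(self, claimed_id):
        """Discover the OP for claimed_id and remember it under a fresh nonce."""
        endpoint = DISCOVERY[claimed_id]
        nonce = secrets.token_urlsafe(16)
        self.pending[nonce] = endpoint
        return nonce  # would be embedded in openid.return_to

    def complete(self, body, nonce, signature_ok):
        """Verify a returned assertion. `body` is the parsed POST body (not the
        raw query string); `signature_ok` stands in for the library's
        association or check_authentication signature check."""
        discovered = self.pending.pop(nonce, None)  # single use: no replay
        if discovered is None:
            return None, "unknown or replayed nonce"
        if not signature_ok:
            return None, "bad signature"
        # The asserted OP must be the one we discovered, not whatever the
        # message claims; an OP at evil.org cannot claim to be Google here.
        if body.get("openid.op_endpoint") != discovered:
            return None, "op_endpoint does not match discovered OP"
        return body, "ok"


def link_account(accounts, local_email, asserted_email):
    """Merge an OpenID login into a local account only if the local address
    matches and was verified by this site, otherwise an unverified signup
    under someone else's address would let a third party take over the login."""
    acct = accounts.get(local_email)
    if acct is None or asserted_email != local_email:
        return False
    return bool(acct["email_verified"])
```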