I am trying to validate using these parameters:

string body = "openid.mode=check_authentication"
    + "&openid.assoc_handle=" + txtAssocHandle.Text
    + "&openid.response_nonce=" + HttpUtility.UrlEncode(txtNonce.Text)
    + "&openid.op_endpoint=" + txtEndpoint.Text
    + "&openid.sig=" + txtSignature.Text
    + "&openid.signed=mode,identity,return_to";

and it returns

is_valid:false ns:http://specs.openid.net/auth/2.0

What am I doing wrong here? The txt fields are being filled with the login response values.

A: 

Your openid.signed argument needs to be exactly what the OP sent to your RP rather than this incomplete hard-coded list of 3 parameters, for one thing. All your arguments should be URL encoded as well, not just your nonce.

There is a lot more to validating an OpenID token than just sending it back to the OP using "dumb mode". What are you trying to do?

Have you considered using an OpenID library? Seriously, getting OpenID right (meaning secure, and interoperable) is a big job. Way bigger than assembling just the right query string. :)

Andrew Arnott
I want the user to log in, then I take the token, pass it to a web service, and then the web service must validate this token. I've tried this library, but I didn't find any help on validating the token.
tiagodll
Are you passing it to a web service *just* to validate the token, or because you're using the token to authorize a request that is made on the user's behalf?
Andrew Arnott
I am using the token as parameter for every method to verify if user is authorized to access that method.
tiagodll
Actually, the web service must only verify that the user is logged in to the OpenID server, because the authorization will be done another way.
tiagodll
OpenID was *not* designed for this, and you'll run into trouble when you send the same OpenID assertion for more than one web service call since direct verification should only work *once* per assertion. What you're doing is really a scenario better covered by OAuth IMO.
Andrew Arnott
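As an added example (not code from the question, the answer, or any OpenID library), here is how a Relying Party can assemble the check_authentication request the answer describes, written in Python rather than the question's C#: copy every field the OP returned in its positive assertion, echo the OP's own openid.signed list unchanged, URL-encode every value, parse the Key-Value Form reply, and record the response nonce so that a second direct verification of the same assertion is refused (the point made in the last comment). The endpoint, identifiers, nonce, association handle and signature in SAMPLE_ASSERTION_QS are constructed placeholders, not real OpenID data, and the helper names are my own.

```python
"""Assemble an OpenID 2.0 check_authentication request from a positive assertion."""
from urllib.parse import parse_qs, urlencode

# Constructed sample: the query string an OP might send back to the RP's
# return_to URL. All values are made up; openid.sig is not a real HMAC.
SAMPLE_ASSERTION_QS = (
    "openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
    "&openid.mode=id_res"
    "&openid.op_endpoint=https%3A%2F%2Fop.example.org%2Fserver"
    "&openid.claimed_id=https%3A%2F%2Fop.example.org%2Fid%2Falice"
    "&openid.identity=https%3A%2F%2Fop.example.org%2Fid%2Falice"
    "&openid.return_to=https%3A%2F%2Frp.example.com%2Fcallback"
    "&openid.response_nonce=2009-06-17T18%3A04%3A02ZQmJ1c"
    "&openid.assoc_handle=%7BHMAC-SHA1%7D%7Bexample-handle%7D"
    "&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to"
    "%2Cresponse_nonce%2Cassoc_handle"
    "&openid.sig=ZmFrZS1zaWduYXR1cmU%3D"
)


def parse_assertion(qs):
    """Flatten parse_qs output to single values (OpenID keys are single-valued)."""
    return {k: v[0] for k, v in parse_qs(qs, keep_blank_values=True).items()}


def build_check_authentication(assertion):
    """Build the direct-verification request (OpenID 2.0, section 11.4.2):
    every field of the positive assertion is copied verbatim and only
    openid.mode is replaced. In particular openid.signed is echoed as the OP
    sent it, not replaced by a hard-coded list."""
    if assertion.get("openid.mode") != "id_res":
        raise ValueError("only a positive assertion (mode=id_res) can be verified")
    signed_fields = assertion["openid.signed"].split(",")
    # If any signed field is absent the OP cannot recompute the signature
    # and will answer is_valid:false, which is the symptom in the question.
    missing = [f for f in signed_fields if "openid." + f not in assertion]
    if missing:
        raise ValueError("assertion lacks signed fields: " + ",".join(missing))
    body = dict(assertion)
    body["openid.mode"] = "check_authentication"
    return body


def encode_form(params):
    """application/x-www-form-urlencoded body; urlencode quotes every value,
    so colons, slashes and commas in endpoints, handles and the signed list
    are all escaped, not just the nonce."""
    return urlencode(params)


def parse_key_value_response(text):
    """Parse the OP's Key-Value Form reply: one 'key:value' per line, split on
    the first colon only so URLs in values survive intact."""
    out = {}
    for line in text.splitlines():
        if not line:
            continue
        key, _, value = line.partition(":")
        out[key] = value
    return out


class NonceStore:
    """RP-side replay protection: a (op_endpoint, response_nonce) pair is
    accepted exactly once, so the same assertion cannot be verified twice."""

    def __init__(self):
        self._seen = set()

    def accept(self, op_endpoint, nonce):
        key = (op_endpoint, nonce)
        if key in self._seen:
            return False
        self._seen.add(key)
        return True


if __name__ == "__main__":
    assertion = parse_assertion(SAMPLE_ASSERTION_QS)
    print(encode_form(build_check_authentication(assertion)))
```

The body returned by encode_form is what would be POSTed to openid.op_endpoint; the reply is then run through parse_key_value_response and accepted only if is_valid is "true" and NonceStore.accept returns True for the assertion's nonce. Keeping the nonce check on the RP side is what stops a captured assertion from being presented to several services, the failure mode the last comment points out.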