I'm trying to add authorization throw google openid to my users. I'm receiving id (https://www.google.com/accounts/o8/id?id=AIt...Ew-Bo) but how can i check that it's legit. I mean user can create malicious request with email of another user, how can i check that returning email and claimed id is legit?
+1
A:
Google's OpenID (Google Apps for Domains OpenID excepted) is just standard OpenID. You should take all the precautions that any other OpenID requires to make sure the assertion is legit. You're right... anyone can craft an OpenID positive assertion to fool your RP unless your RP verifies the signature, performs discovery on the identifier and matches the authorized OP Endpoint for that identifier with the one that signed the response.
As for whether you can trust the email address, that's up to you. You can choose to trust the Google OP endpoint, and then you know.
Andrew Arnott
2010-06-03 03:09:24
+1
A:
Rather than trying to implement discovery and signature verification by yourself, you really ought to use one of the many libraries that have already been created for this purpose. Here are a bunch for various programming languages:
Forest
2010-06-05 06:29:26