Hi Hubert - RP Realm verification should be done by the OP before returning the assertion to the RP. Depending on the OP's security policies, the OP may want to warn the user, or even block the request if the return_to for the realm can't be verified.
It might make sense for the OP to verify the realm prior to authenticating the user, since it makes sense to detect the realm mismatch as early in the request lifecycle as possible. For instance - the OP could display a warning or error to the user before the user even logs in to the OP. In Yahoo's case, we do the verification and cache the result so that it can be reused for multiple requests. As Andrew mentioned, we cache the result for an hour. We have seen some issues with data freshness when RPs change their return_to URLs.

Thanks
Allen

On 1/15/10 5:33 PM, "Andrew Arnott" <[email protected]> wrote:

> Ya, you're free to do RP verification before or after authentication.
> In fact some major OPs like Yahoo cache the results for 1 hour and
> thus don't actually perform RP verification most times at all (if it's
> in their cache)
>
> On Friday, January 15, 2010, Hubert Le Van Gong
> <[email protected]> wrote:
>> Greetings,
>> Is it correct to say the spec (2.0) does not mandate a specific moment in the
>> protocol at which the RP/realm validation should occur? For instance, the OP
>> could first authenticate the user and then perform RP verification or it could
>> do that validation before authenticating the user. Although the latter seems
>> more intuitive (and efficient) would both be compliant?
>> Cheers,
>> Hubert
>>
>> --
>> Hubert A. Le Van Gong
>> Identity Architect
>> Sun Microsystems, Inc.
>> 17 Rue Duprey, Grenoble, 38000 France
>> email: hubert.levang...@sun.COM
>> tel: +33 4 7663 0935
>> blog: http://blog.levangong.com/
>> N 45 11.900' W 005 44.145' Elev. 736 ft.
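As an added example (not code from this thread, nor from Yahoo's or any other OP implementation), the following Python sketches an OP-side realm verifier: the syntactic return_to-against-realm check from OpenID 2.0 section 9.2 runs first with no network traffic, so it can happen before the user logs in; the RP discovery result is then cached for an hour, which reproduces the freshness problem Allen mentions when an RP changes its return_to. The fetcher callable, the fake clock and the RP's published URIs are constructed placeholders standing in for a real XRDS fetch.

```python
import time
from urllib.parse import urlsplit
DEFAULT_PORT = {"http": 80, "https": 443}

def _port(p):
    return p.port or DEFAULT_PORT.get(p.scheme)
def return_to_matches_realm(realm, return_to):
    """OpenID 2.0 section 9.2 realm matching: same scheme and port, return_to path at
    or below the realm path, host equal or (for a '*.' realm) under the wildcard."""
    r, u = urlsplit(realm), urlsplit(return_to)
    if r.fragment or r.scheme != u.scheme or _port(r) != _port(u):
        return False
    rhost, uhost = (r.hostname or "").lower(), (u.hostname or "").lower()
    host_ok = (uhost == rhost[2:] or uhost.endswith(rhost[1:])) if rhost.startswith("*.") else uhost == rhost
    if not host_ok:
        return False
    rpath, upath = r.path or "/", u.path or "/"
    return upath == rpath or upath.startswith(rpath.rstrip("/") + "/")

class RealmVerifier:
    """OP-side RP verification with a cached result (one hour, as the thread describes).
    fetch_return_to_uris(realm) is a hypothetical injected callable standing in for the
    XRDS fetch; it returns the RP's published return_to URIs, or None on failure."""
    def __init__(self, fetch_return_to_uris, ttl=3600, clock=time.time):
        self._fetch, self._ttl, self._clock, self._cache = fetch_return_to_uris, ttl, clock, {}
    def verify(self, realm, return_to):
        if not return_to_matches_realm(realm, return_to):  # syntactic check, no network needed
            return "mismatch"
        now = self._clock()
        expires, uris = self._cache.get(realm, (0, None))
        if expires <= now:  # miss or expired: run discovery and cache the outcome
            uris = self._fetch(realm)
            self._cache[realm] = (now + self._ttl, uris)
        if uris is None:
            return "unverified"  # OP policy decides whether to warn the user or block
        # each discovered URI is itself treated as a realm the return_to must match
        return "verified" if any(return_to_matches_realm(x, return_to) for x in uris) else "mismatch"

def freshness_demo():
    published = {"https://rp.example/": ["https://rp.example/openid/return"]}  # constructed RP data
    now = [1000.0]
    v = RealmVerifier(lambda realm: published.get(realm), clock=lambda: now[0])
    first = v.verify("https://rp.example/", "https://rp.example/openid/return?nonce=1")
    published["https://rp.example/"] = ["https://rp.example/auth/return"]  # RP redeploys
    now[0] += 600  # ten minutes on: cached list is stale, a legitimate request is rejected
    stale = v.verify("https://rp.example/", "https://rp.example/auth/return")
    now[0] += 3600  # entry expired, discovery re-run against the updated document
    fresh = v.verify("https://rp.example/", "https://rp.example/auth/return")
    return first, stale, fresh  # ('verified', 'mismatch', 'verified')
```

A shorter TTL narrows the window in which a redeployed RP is rejected, at the cost of more discovery fetches per realm.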
