1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en"><head><title>OpenID Authentication 1.1</title>
<meta http-equiv="Expires" content="Tue, 13 Jun 2006 19:04:16 +0000">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="description" content="OpenID Authentication 1.1">
<meta name="generator" content="xml2rfc v1.30 (http://xml.resource.org/)">
<style type="text/css">
<!--
body {
font-family: verdana, charcoal, helvetica, arial, sans-serif;
margin: 2em;
font-size: small ; color: #000000 ; background-color: #ffffff ; }
.title { color: #990000; font-size: x-large ;
font-weight: bold; text-align: right;
font-family: helvetica, monaco, "MS Sans Serif", arial, sans-serif;
background-color: transparent; }
.filename { color: #666666; font-size: 18px; line-height: 28px;
font-weight: bold; text-align: right;
font-family: helvetica, arial, sans-serif;
background-color: transparent; }
td.rfcbug { background-color: #000000 ; width: 30px ; height: 30px ;
text-align: justify; vertical-align: middle ; padding-top: 2px ; }
td.rfcbug span.RFC { color: #666666; font-weight: bold; text-decoration: none;
background-color: #000000 ;
font-family: monaco, charcoal, geneva, "MS Sans Serif", helvetica, verdana, sans-serif;
font-size: x-small ; }
td.rfcbug span.hotText { color: #ffffff; font-weight: normal; text-decoration: none;
text-align: center ;
font-family: charcoal, monaco, geneva, "MS Sans Serif", helvetica, verdana, sans-serif;
font-size: x-small ; background-color: #000000; }
/* info code from SantaKlauss at http://www.madaboutstyle.com/tooltip2.html */
div#counter{margin-top: 100px}
a.info{
position:relative; /*this is the key*/
z-index:24;
text-decoration:none}
a.info:hover{z-index:25; background-color:#990000 ; color: #ffffff ;}
a.info span{display: none}
a.info:hover span.info{ /*the span will display just on :hover state*/
display:block;
position:absolute;
font-size: smaller ;
top:2em; left:2em; width:15em;
padding: 2px ;
border:1px solid #333333;
background-color:#eeeeee; color:#990000;
text-align: left ;}
A { font-weight: bold; }
A:link { color: #990000; background-color: transparent ; }
A:visited { color: #333333; background-color: transparent ; }
A:active { color: #333333; background-color: transparent ; }
p { margin-left: 2em; margin-right: 2em; }
p.copyright { font-size: x-small ; }
p.toc { font-size: small ; font-weight: bold ; margin-left: 3em ;}
table.toc { margin: 0 0 0 3em; padding: 0; border: 0; vertical-align: text-top; }
td.toc { font-size: small; font-weight: bold; vertical-align: text-top; }
span.emph { font-style: italic; }
span.strong { font-weight: bold; }
span.verb, span.vbare { font-family: "Courier New", Courier, monospace ; }
span.vemph { font-style: italic; font-family: "Courier New", Courier, monospace ; }
span.vstrong { font-weight: bold; font-family: "Courier New", Courier, monospace ; }
span.vdeluxe { font-weight: bold; font-style: italic; font-family: "Courier New", Courier, monospace ; }
ol.text { margin-left: 2em; margin-right: 2em; }
ul.text { margin-left: 2em; margin-right: 2em; }
li { margin-left: 3em; }
pre { margin-left: 3em; color: #333333; background-color: transparent;
font-family: "Courier New", Courier, monospace ; font-size: small ;
text-align: left;
}
h3 { color: #333333; font-size: medium ;
font-family: helvetica, arial, sans-serif ;
background-color: transparent; }
h4 { font-size: small; font-family: helvetica, arial, sans-serif ; }
table.bug { width: 30px ; height: 15px ; }
td.bug { color: #ffffff ; background-color: #990000 ;
text-align: center ; width: 30px ; height: 15px ;
}
td.bug A.link2 { color: #ffffff ; font-weight: bold;
text-decoration: none;
font-family: monaco, charcoal, geneva, "MS Sans Serif", helvetica, sans-serif;
font-size: x-small ; background-color: transparent }
td.header { color: #ffffff; font-size: x-small ;
font-family: arial, helvetica, sans-serif; vertical-align: top;
background-color: #666666 ; width: 33% ; }
td.author { font-weight: bold; margin-left: 4em; font-size: x-small ; }
td.author-text { font-size: x-small; }
table.full { vertical-align: top ; border-collapse: collapse ;
border-style: solid solid solid solid ;
border-color: black black black black ;
font-size: small ; text-align: center ; }
table.headers, table.none { vertical-align: top ; border-collapse: collapse ;
border-style: none;
font-size: small ; text-align: center ; }
table.full th { font-weight: bold ;
border-style: solid ;
border-color: black black black black ; }
table.headers th { font-weight: bold ;
border-style: none none solid none;
border-color: black black black black ; }
table.none th { font-weight: bold ;
border-style: none; }
table.full td {
border-style: solid solid solid solid ;
border-color: #333333 #333333 #333333 #333333 ; }
table.headers td, table.none td { border-style: none; }
hr { height: 1px }
-->
</style></head><body>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<table summary="layout" border="0" cellpadding="0" cellspacing="0" width="66%"><tbody><tr><td><table summary="layout" border="0" cellpadding="2" cellspacing="1" width="100%">
<tbody><tr><td class="header"> </td><td class="header">D. Recordon</td></tr>
<tr><td class="header"> </td><td class="header">B. Fitzpatrick</td></tr>
<tr><td class="header"> </td><td class="header">May 2006</td></tr>
</tbody></table></td></tr></tbody></table>
<div align="right"><span class="title"><br>OpenID Authentication 1.1</span></div>
<h3>Abstract</h3>
<p>OpenID Authenticaion provides a way to prove that an End User
owns an Identity URL. It does this without passing around their
password, email address, or anything they don't want it
to.
</p>
<p>OpenID is completely decentralized meaning that anyone
can choose to be a Consumer or Identity Provider without having
to register or be approved by any central authority. End User's
can pick which Identity Provider they wish to use and preserve
their Identity as they move between Providers.
</p>
<p>While nothing in the protocol requires JavaScript or modern
browsers, the authentication scheme plays nicely with
"AJAX"-style setups, so an End User can prove their Identity to
a Consumer without having to leave the page they are on.
</p>
<p>The OpenID Authentication specification does not provide any
mechanism to exchange profile information, though Consumers of
an Identity can learn more about an End User from any public,
semantically interesting documents linked thereunder (FOAF, RSS,
Atom, vCARD, etc.). Extensions are being built on top of the
foundation created by OpenID Authentication to provide
mechanisms to exchange profile information.
</p><a name="toc"></a><br><hr>
<h3>Table of Contents</h3>
<p class="toc">
<a href="#anchor1">1.</a>
Requirements Notation<br>
<a href="#anchor2">2.</a>
Terminology<br>
<a href="#anchor3">3.</a>
Overview<br>
<a href="#anchor4">3.1.</a>
Transforming a HTML Document Into an Identifier<br>
<a href="#delegating_authentication">3.1.1.</a>
Delegating Authentication<br>
<a href="#anchor6">3.2.</a>
Submitting a Claimed Identifier<br>
<a href="#anchor8">3.3.</a>
Consumer Site Fetches the Identifier URL<br>
<a href="#smart_vs_dumb">3.4.</a>
Smart vs Dumb Mode<br>
<a href="#anchor11">3.5.</a>
Consumer Verifies the Identifier<br>
<a href="#anchor12">4.</a>
Modes<br>
<a href="#mode_associate">4.1.</a>
associate<br>
<a href="#anchor13">4.1.1.</a>
Request Parameters<br>
<a href="#anchor14">4.1.2.</a>
Response Parameters<br>
<a href="#anchor15">4.1.3.</a>
Extra Notes<br>
<a href="#mode_checkid_immediate">4.2.</a>
checkid_immediate<br>
<a href="#anchor16">4.2.1.</a>
Request Parameters<br>
<a href="#anchor17">4.2.2.</a>
Response Parameters<br>
<a href="#anchor21">4.2.3.</a>
Extra Notes<br>
<a href="#mode_checkid_setup">4.3.</a>
checkid_setup<br>
<a href="#anchor22">4.3.1.</a>
Request Parameters<br>
<a href="#anchor23">4.3.2.</a>
Respone Parameters<br>
<a href="#anchor26">4.3.3.</a>
Extra Notes<br>
<a href="#mode_check_authentication">4.4.</a>
check_authentication<br>
<a href="#anchor27">4.4.1.</a>
Request Parameters<br>
<a href="#anchor28">4.4.2.</a>
Response Parameters<br>
<a href="#anchor29">4.4.3.</a>
Extra Notes<br>
<a href="#anchor30">5.</a>
Security Considerations<br>
<a href="#defaults">Appendix A.</a>
Default Values<br>
<a href="#pvalue">Appendix A.1.</a>
Diffie-Hellman P Value<br>
<a href="#anchor31">Appendix B.</a>
Error Responses<br>
<a href="#anchor32">Appendix C.</a>
Key-Value Format<br>
<a href="#limits">Appendix D.</a>
Limits<br>
<a href="#anchor33">Appendix E.</a>
Misc<br>
<a href="#rfc.references1">6.</a>
Normative References<br>
<a href="#rfc.authors">§</a>
Authors' Addresses<br>
</p>
<br clear="all">
<a name="anchor1"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.1"></a><h3>1. Requirements Notation</h3>
<p>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
and "OPTIONAL" in this document are to be interpreted as
described in <a class="info" href="#RFC2119">[RFC2119]<span> (</span><span class="info">Bradner, B., “Key words for use in RFCs to Indicate Requirement Levels,” .</span><span>)</span></a>.
</p>
<a name="anchor2"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.2"></a><h3>2. Terminology</h3>
<p>
</p>
<blockquote class="text"><dl>
<dt>End User:</dt>
<dd>The actual human user who wants to
prove their Identity to a Consumer.
</dd>
<dt>Identifier:</dt>
<dd>An Identifier is just a URL. The whole
flow of the OpenID Authentication protocol is about proving
that an End User is, owns, a URL.
</dd>
<dt>Claimed Identifier:</dt>
<dd>An Identifier that the End
User says they own, though that has not yet been verified by
the Consumer.
</dd>
<dt>Verified Identifier:</dt>
<dd>An Identifier that the
End User has proven to a Consumer that they own.
</dd>
<dt>Consumer:</dt>
<dd>A web service that wants proof that
the End User owns the Claimed Identifier.
</dd>
<dt>Identity Provider:</dt>
<dd>Also called "IdP" or
"Server". This is the OpenID Authentication server
that a Consumer contacts for cryptographic proof that the
End User owns the Claimed Identifier.
<br>
How the End User authenticates to their Identity Provider is
outside of the scope of OpenID Authenticaiton.
</dd>
<dt>User-Agent:</dt>
<dd>The End User's web browser. No
special plug-ins or JavaScript required.
</dd>
</dl></blockquote><p>
</p>
<a name="anchor3"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.3"></a><h3>3. Overview</h3>
<a name="anchor4"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.3.1"></a><h3>3.1. Transforming a HTML Document Into an Identifier</h3>
<p>In order for a Consumer to know the Identity Provider
authoritative for an Identifier, the End User must add markup to
the HEAD section of the HTML document located at their
URL. The host of the HTML document is NOT REQUIRED to also be
the End User's Identity Provider; the Identifier URL and
Identity Provider can be fully decoupled services.
</p>
<p>To use http://example.com/ as the End User's Identifier
http://openid.example.com as their Identity Provider, the
following tag would be added to the HEAD section of the HTML
document returned when fetching their Identifier URL.
</p>
<p><link rel="openid.server"
href="http://openid.example.com/">
</p>
<a name="delegating_authentication"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.3.1.1"></a><h3>3.1.1. Delegating Authentication</h3>
<p>If the End User's host is not capable of running an
Identity Provider, or the End User wishes to use one running
on a different host, they will need to delegate their
authentication. For example, if they want to use their
website, http://www.example.com/, as their Identifier, but
don't have the means, or desire, to run an Identity
Provider.
</p>
<p>If they have a LiveJournal account (say, user
"exampleuser"), and know that LiveJournal provides an OpenID
Identity Provider and that it'll assert that they control
the Identifier http://exampleuser.livejournal.com/ they would
be able to delegate their authentication to LiveJournal's
Identity Provider..
</p>
<p>So, to use www.example.com as their Identifier, but have
Consumers actually verify
http://exampleuser.livejournal.com/ with the Identity
Provider located at
http://www.livejournal.com/openid/server.bml, they'd add the
following tags to the HEAD section of the HTML document
returned when fetching their Identifier URL.
</p>
<p><link rel="openid.server"
href="http://www.livejournal.com/openid/server.bml">
</p>
<p><link rel="openid.delegate"
href="http://exampleuser.livejournal.com/">
</p>
<p>Now, when a Consumer sees that, it'll talk to
http://www.livejournal.com/openid/server.bml and ask if
the End User is exampleuser.livejournal.com, never mentioning
www.example.com anywhere on the wire.
</p>
<p>The main advantage of this is that an End User can keep
their Identifier over many years, even as services come and
go; they'll just keep changing who they delegate to.
</p>
<a name="anchor5"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.3.1.2"></a><h3>3.1.2. Important Notes</h3>
<p>
</p>
<ul class="text">
<li>The declared openid.server URL MAY contain existing
query parameters and they MUST be properly preserved when
appending extra query parameters. For example, not adding
a second question mark if one already exists.
</li>
<li>The openid.server and openid.delegate URLs MUST
be absolute URLs. Consumers MUST NOT attempt to
resolve relative URLs.
</li>
<li>The openid.server and openid.delegate URLs MUST
NOT include entities other than &, <, >,
and ". Other characters that would not be
valid in the HTML document or that cannot be
represented in the document's character encoding
MUST be escaped using the %xx mechanism as described
in <a class="info" href="#RFC2396">[RFC2396]<span> (</span><span class="info">Berners-Lee, T., “Uniform Resource Identifiers (URI): Generic Syntax,” .</span><span>)</span></a>.
</li>
</ul><p>
</p>
<a name="anchor6"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.3.2"></a><h3>3.2. Submitting a Claimed Identifier</h3>
<p>Continuing this example, the End User visits a Consumer
site which supports OpenID Authentication. The Consumer
presents the End User with a form field for them to enter
their Identifier URL.
</p>
<p>
</p><p>For Example:
</p><pre> ----------------------------------
|[logo]example.com | [Login Button]
----------------------------------
</pre>
<a name="anchor7"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.3.2.1"></a><h3>3.2.1. Important Notes</h3>
<p>
</p>
<ul class="text">
<li>It is RECOMMENDED that every Consumer place the
<a href="http://openid.net/login-bg.gif">OpenID
logo</a> at the beginning of the form field where the
End User enters their Identifier URL.
</li>
<li>The End User is NOT REQUIRED to prefix
their Identifier URL with "http://" or postfix it with a
trailing slash. Consumers MUST canonicalize the Identifier
URL, following redirects, and note the final URL.
The final, canonicalized URL is the End User's
Identifier.
</li>
<li>It is RECOMMENDED that the form field be named
"openid_url" so User-Agent's will auto-complete the End
User's Identifier URL in the same way the eCommerce world
tends to use conventions like "address1" and
"address2".
</li>
</ul><p>
</p>
<a name="anchor8"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.3.3"></a><h3>3.3. Consumer Site Fetches the Identifier URL</h3>
<p>Now the Consumer site fetchs the document located at the End
User's Claimed Identifier. The Consumer then parses the HEAD
section for the "openid.server" and the optional
"openid.delegate" declarations.
</p>
<a name="anchor9"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.3.3.1"></a><h3>3.3.1. Important Notes</h3>
<p>
</p>
<ul class="text">
<li>The End User could be malicious and try to make the
Consumer connect to an internal network, tarpit, etc. It
is RECOMMENDED that Consumers use a paranoid HTTP library like <a href="http://search.cpan.org/%7Ebradfitz/LWPx-ParanoidAgent-1.02/lib/LWPx/ParanoidAgent.pm">LWPx::ParanoidAgent</a> that protects against these sorts of attacks.
</li>
<li>Consumers MUST implement support for <a class="info" href="#delegating_authentication">Delegation<span> (</span><span class="info">Delegating Authentication</span><span>)</span></a>.
</li>
</ul><p>
</p>
<a name="smart_vs_dumb"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.3.4"></a><h3>3.4. Smart vs Dumb Mode</h3>
<p>OpenID Authentication supports both a "smart mode" and
"dumb mode" to accomodate Consumers of differing
capabilities. A smart Consumer does a little more work at the
beginning to save itself work later, but requires local
caching of state information. A dumb Consumer is completely
stateless, but requires extra an HTTP request.
</p>
<a name="anchor10"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.3.4.1"></a><h3>3.4.1. Important Notes for Smart Mode</h3>
<p>
</p>
<ul class="text">
<li>It's RECOMMENDED that a Consumer first submit an
<a class="info" href="#mode_associate">associate request<span> (</span><span class="info">associate</span><span>)</span></a>
to the End User's Identity Provider and request a shared
secret if the Consumer does not already have one
cached. This shared secret SHOULD be used as the
HMAC-SHA1 key in future identity check requests until it
expires.
</li>
<li>The shared secret can be exchanged either in
plain-text or encrypted with a Diffie-Hellman-negotiated
secret. Note that if Diffie-Hellman is used, it's only
used in the associate mode. The <a class="info" href="#mode_checkid_immediate">checkid_immediate<span> (</span><span class="info">checkid_immediate</span><span>)</span></a>
and <a class="info" href="#mode_checkid_setup">checkid_setup<span> (</span><span class="info">checkid_setup</span><span>)</span></a>
modes assume the Consumer already has a shared secret,
regardless of how it got it.
</li>
</ul><p>
</p>
<a name="anchor11"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.3.5"></a><h3>3.5. Consumer Verifies the Identifier</h3>
<p>The Consumer now constructs a URL to the Identity
Provider's <a class="info" href="#mode_checkid_immediate">checkid_immediate<span> (</span><span class="info">checkid_immediate</span><span>)</span></a> (or
<a class="info" href="#mode_checkid_setup">checkid_setup<span> (</span><span class="info">checkid_setup</span><span>)</span></a>) URLs
and sends the User-Agent to it.
</p>
<p>By sending the User-Agent there, the End User's cookies and
whatever other login credentials are sent back to their
trusted Identity Provider. The Identity Provider does its
work, appends its response onto the supplied openid.return_to
URL, and sends the User-Agent back to the Consumer.
</p>
<a name="anchor12"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.4"></a><h3>4. Modes</h3>
<a name="mode_associate"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.4.1"></a><h3>4.1. associate</h3>
<p>
</p>
<ul class="text">
<li>Description: Establish a shared secret between Consumer
and Identity Provider.
</li>
<li>HTTP method: POST
</li>
<li>Flow: Consumer -> IdP -> Consumer
</li>
</ul><p>
</p>
<a name="anchor13"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.4.1.1"></a><h3>4.1.1. Request Parameters</h3>
<p>
</p>
<ul class="text">
<li>
openid.mode
<blockquote class="text">
<p>Value: "associate"
</p>
</blockquote>
</li>
<li>
openid.assoc_type
<blockquote class="text">
<p>Value: Preferred association type
</p>
<p>Default: "HMAC-SHA1"
</p>
<p>Note: Optional; Currently only one value.
</p>
</blockquote>
</li>
<li>
openid.session_type
<blockquote class="text">
<p>Value: Blank or "DH-SHA1"
</p>
<p>Default: Blank. (cleartext)
</p>
<p>Note: It is RECOMMENDED that DH-SHA1 mode is used
to encrypt the shared secret.
</p>
</blockquote>
</li>
<li>
openid.dh_modulus
<blockquote class="text">
<p>Value: base64(btwoc(p))
</p>
<p>Note: See <a class="info" href="#pvalue">Appendix A.1<span> (</span><span class="info">Diffie-Hellman P Value</span><span>)</span></a> for default p value.
</p>
</blockquote>
</li>
<li>
openid.dh_gen
<blockquote class="text">
<p>Value: base64(btwoc(g))
</p>
<p>Default: g = 2
</p>
<p>Note: Only if using DH-SHA1 session_type. Should
be specified if openid.dh_modulus is specified.
</p>
</blockquote>
</li>
<li>
openid.dh_consumer_public
<blockquote class="text">
<p>Value: base64(btwoc(g ^ x mod p))
</p>
<p>Note: REQUIRED if using DH-SHA1 session_type.
</p>
</blockquote>
</li>
</ul><p>
</p>
<a name="anchor14"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.4.1.2"></a><h3>4.1.2. Response Parameters</h3>
<p>Response format: Key-Value Pairs
</p>
<p>
</p>
<ul class="text">
<li>
assoc_type
<blockquote class="text">
<p>Value: The association type for the returned handle.
</p>
<p>Note: The only current mode is HMAC-SHA1, and all
Consumers MUST support it. When caching, the
Consumer MUST map an assoc_handle to both its secret
and its assoc_type.
</p>
</blockquote>
</li>
<li>
assoc_handle
<blockquote class="text">
<p>Value: The association handle to be provided in future
transactions.
</p>
<p>Note: Consumers MUST NOT reuse this association
handle after the corresponding expires_in value.
</p>
</blockquote>
</li>
<li>
expires_in
<blockquote class="text">
<p>Value: The number of seconds this association
handle is good for in base10 ASCII.
</p>
</blockquote>
</li>
<li>
session_type
<blockquote class="text">
<p>Value: The encryption mode that the Provider chose. MAY be
blank, absent, or "DH-SHA1".
</p>
</blockquote>
</li>
<li>
dh_server_public
<blockquote class="text">
<p>Value: base64(btwoc(g ^ y mod p))
</p>
<p>Description: The Provider's <a class="info" href="#RFC2631">Diffie-Hellman public key<span> (</span><span class="info">Rescorla, E., “Diffie-Hellman Key Agreement Method,” .</span><span>)</span></a> [RFC2631], if
using DH-SHA1.
</p>
</blockquote>
</li>
<li>
enc_mac_key
<blockquote class="text">
<p>Value: base64(SHA1(btwoc(g ^ (xy) mod p)) XOR secret(assoc_handle))
</p>
<p>Description: The encrypted shared secret, if using
DH-SHA1.
</p>
</blockquote>
</li>
<li>
mac_key
<blockquote class="text">
<p>Value: base64(secret(assoc_handle))
</p>
<p>Description: The plaintext shared secret, if not
using DH-SHA1.
</p>
</blockquote>
</li>
</ul><p>
</p>
<a name="anchor15"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.4.1.3"></a><h3>4.1.3. Extra Notes</h3>
<p>
</p>
<ul class="text">
<li>A Consumer can ask a server for DH-SHA1 encryption and
get back a plaintext secret. If this troubles you, don't
use the handle and instead use dumb mode with that
Identity Provider.
<br>
<br>
If somebody sniffed the plaintext secret, it won't
matter, since you'll never accept queries using that
association handle. If the Identity Provider can't do
DH-SHA1, it's probably limited in some way, but using
dumb mode is still safe, if not a little slower.
</li>
<li>If the Identity Provider chooses the server private
key 1 <= y < p-1. The shared DH-SHA1 secret is
thus g ^ xy mod p = (g ^ x) ^ y mod p = (g ^ y) ^ x mod
p. For more information, read the <a href="http://search.cpan.org/%7Ebtrott/Crypt-DH-0.06/lib/Crypt/DH.pm">Crypt::DH docs.</a>
</li>
<li>The underlying mac_key MUST be the same length as the
output of H, the hash function - in this instance, 160
bits (20 bytes) for DH-SHA1.
</li>
<li>If the Provider does not support DH-SHA1, they WILL ignore
the DH-SHA1 fields in the request and reply exactly as to a
non-DH-SHA1 request.
</li>
<li>When using DH-SHA1, the resulting key SHOULD be treated
as a binary string.
</li>
<li>Most integers are represented in big-endian signed two's
complement, Base64 encoded. In other words, btwoc is a
function that takes a bigint and returns its shortest
big-endian two's complement notation
</li>
</ul><p>
</p>
<a name="mode_checkid_immediate"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.4.2"></a><h3>4.2. checkid_immediate</h3>
<p>
</p>
<ul class="text">
<li>Description: Ask an Identity Provider if a End User owns the
Claimed Identifier, getting back an immediate "yes" or "can't say"
answer.
</li>
<li>HTTP method: GET
</li>
<li>Flow: Consumer -> User-Agent -> IdP -> User-Agent ->
Consumer
</li>
</ul><p>
</p>
<a name="anchor16"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.4.2.1"></a><h3>4.2.1. Request Parameters</h3>
<p>
</p>
<ul class="text">
<li>
openid.mode
<blockquote class="text">
<p>Value: "checkid_immediate"
</p>
</blockquote>
</li>
<li>
openid.identity
<blockquote class="text">
<p>Value: Claimed Identifier
</p>
</blockquote>
</li>
<li>
openid.assoc_handle
<blockquote class="text">
<p>Value: The assoc_handle from the associate request.
</p>
<p>Note: Optional; Consumer MUST use
check_authentication if an association handle isn't
provided or the Identity Provider feels it is invalid.
</p>
</blockquote>
</li>
<li>
openid.return_to
<blockquote class="text">
<p>Value: URL where the Provider SHOULD return the
User-Agent back to.
</p>
</blockquote>
</li>
<li>
openid.trust_root
<blockquote class="text">
<p>Value: URL the Provider SHALL ask the End User to trust.
</p>
<p>Default: return_to URL
</p>
<p>Optional; the URL which the End User SHALL
actually see to approve.
</p>
</blockquote>
</li>
</ul><p>
</p>
<a name="anchor17"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.4.2.2"></a><h3>4.2.2. Response Parameters</h3>
<p>Response format: query string arguments
</p>
<a name="anchor18"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.4.2.2.1"></a><h3>4.2.2.1. Always Sent</h3>
<p>
</p>
<ul class="text">
<li>
openid.mode
<blockquote class="text">
<p>Value: "id_res"
</p>
</blockquote>
</li>
</ul><p>
</p>
<a name="anchor19"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.4.2.2.2"></a><h3>4.2.2.2. Sent on Failed Assertion</h3>
<p>
</p>
<ul class="text">
<li>
openid.user_setup_url
<blockquote class="text">
<p>Value: URL to redirect User-Agent to so the End
User can do whatever's necessary to fulfill the
assertion.
</p>
</blockquote>
</li>
</ul><p>
</p>
<a name="anchor20"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.4.2.2.3"></a><h3>4.2.2.3. Sent on Positive Assertion</h3>
<p>
</p>
<ul class="text">
<li>
openid.identity
<blockquote class="text">
<p>Value: Verified Identifier
</p>
</blockquote>
</li>
<li>
openid.assoc_handle
<blockquote class="text">
<p>Value: Opaque association handle being used to
find the HMAC key for the signature.
</p>
</blockquote>
</li>
<li>
openid.return_to
<blockquote class="text">
<p>Value: Verbatim copy of the return_to URL
parameter sent in the request, before the Provider
modified it.
</p>
</blockquote>
</li>
<li>
openid.signed
<blockquote class="text">
<p>Value: Comma-seperated list of signed fields.
</p>
<p>Note: Fields without the "openid." prefix that
the signature covers. For example,
"mode,identity,return_to".
</p>
</blockquote>
</li>
<li>
openid.sig
<blockquote class="text">
<p>Value: base64(HMAC(secret(assoc_handle), token_contents)
</p>
<p>Note: Where token_contents is a key-value
format string of all the signed keys and values in
this response. They MUST be in the same order as
listed in the openid.signed field. Consumer SHALL
recreate the token_contents string prior to
checking the signature. See <a class="info" href="#limits">Appendix D<span> (</span><span class="info">Limits</span><span>)</span></a>.
</p>
</blockquote>
</li>
<li>
openid.invalidate_handle
<blockquote class="text">
<p>Value: Optional; The association handle sent in
the request if the Provider did not accept or
recognize it.
</p>
</blockquote>
</li>
</ul><p>
</p>
<a name="anchor21"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.4.2.3"></a><h3>4.2.3. Extra Notes</h3>
<p>
</p>
<ul class="text">
<li>This mode is commonly used for "AJAX"-style
setups. The more classic mode to check a Claimed
Identifier is <a class="info" href="#mode_checkid_setup">checkid_setup<span> (</span><span class="info">checkid_setup</span><span>)</span></a>.
</li>
<li>An Identity Provider SHOULD only assert URLs that it
manages/produces directly. If a End User wants to assert
other URLs outside of that Identity Provider's realm,
they MUST use <a class="info" href="#delegating_authentication">delegation<span> (</span><span class="info">Delegating Authentication</span><span>)</span></a>.
</li>
<li>The openid.return_to URL provided MAY contain an
existing query string, and the Provider MUST preserve it
when appending the response parameters. OpenID Consumer's
SHOULD add a self-signed nonce with
Consumer-local timestamp in the openid.return_to URL
parameters to prevent replay attacks. Details of that
are left up to the Consumer.
<br>
<br>
However, because the openid.return_to URL is signed by
the Idenity Provide, a Consumer can make sure outside
parties haven't sent id_res responses with mismatching
openid.return_to URLs and signatures.
</li>
<li>If the Identity Provider didn't accept/recognize the
provided assoc_handle for whatever reason, it'll choose
its own to use, and copy the one provided back into
openid.invalidate_handle, to tell the Consumer to stop
using it. The Consumer SHOULD then send it along in a
<a class="info" href="#mode_check_authentication">check_authentication<span> (</span><span class="info">check_authentication</span><span>)</span></a>
request to verify it actually is no longer valid.
</li>
<li>If the Identifier assertion fails, the Identity
Provider provides the openid.user_setup_url for where
the End User can do whatever's necessary to fulfill the
assertion, be it login, setup permissions, etc. The
server SHOULD return a URL which doesn't imply anything
about what's needed, so the Consumer is left in the dark
about why the assertion failed.
<br>
<br>
The Identity Provider handling SHOULD eventually return
the End User to the openid.return_to URL, acting like a
checkid_setup response, with either a "id_res" or "cancel"
mode.
</li>
<li>The openid.return_to URL MUST descend from the
openid.trust_root, or the Identity Provider SHOULD
return an error. Namely, the URL scheme and port MUST
match. The path, if present, MUST be equal to or below
the value of openid.trust_root, and the domains on both
MUST match, or, the openid.trust_root value contain a
wildcard like http://*.example.com. The wildcard SHALL
only be at the beginning. It is RECOMMENDED Identity
Provider's protect their End Users from requests for
things like http://*.com/ or http://*.co.uk/.
</li>
<li>In the response, the Identity Provider's signature
MUST cover openid.identity and openid.return_to.
</li>
</ul><p>
</p>
<a name="mode_checkid_setup"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.4.3"></a><h3>4.3. checkid_setup</h3>
<p>
</p>
<ul class="text">
<li>Description: Ask an Identity Provider if a End User owns the
Claimed Identifier, but be willing to wait for the reply.
The Consumer will pass the User-Agent to the Identity
Provider for a short period of time which will return
either a "yes" or "cancel" answer.
</li>
<li>HTTP method: GET
</li>
<li>Flow: Consumer -> User-Agent -> [IdP -> User-Agent
->]+ Consumer
</li>
</ul><p>
</p>
<a name="anchor22"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.4.3.1"></a><h3>4.3.1. Request Parameters</h3>
<p>
</p>
<ul class="text">
<li>
openid.mode
<blockquote class="text">
<p>Value: "checkid_setup"
</p>
</blockquote>
</li>
<li>
openid.identity
<blockquote class="text">
<p>Value: Claimed Identifier
</p>
</blockquote>
</li>
<li>
openid.assoc_handle
<blockquote class="text">
<p>Value: The assoc_handle from the associate request.
</p>
<p>Note: Optional; Consumer MUST use
check_authentication if an association handle isn't
provided or the Identity Provider feels it is invalid.
</p>
</blockquote>
</li>
<li>
openid.return_to
<blockquote class="text">
<p>Value: URL where the Provider SHOULD return the
User-Agent back to.
</p>
</blockquote>
</li>
<li>
openid.trust_root
<blockquote class="text">
<p>Value: URL the Provider SHALL ask the End User to trust.
</p>
<p>Default: return_to URL
</p>
<p>Optional; the URL which the End User SHALL
actually see to approve.
</p>
</blockquote>
</li>
</ul><p>
</p>
<a name="anchor23"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.4.3.2"></a><h3>4.3.2. Respone Parameters</h3>
<p>Response format: query string arguments
</p>
<a name="anchor24"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.4.3.2.1"></a><h3>4.3.2.1. Always Sent</h3>
<p>
</p>
<ul class="text">
<li>
openid.mode
<blockquote class="text">
<p>Value: "id_res" or "cancel"
</p>
</blockquote>
</li>
</ul><p>
</p>
<a name="anchor25"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.4.3.2.2"></a><h3>4.3.2.2. Sent on Positive Assertion</h3>
<p>
</p>
<ul class="text">
<li>
openid.identity
<blockquote class="text">
<p>Value: Verified Identifier
</p>
</blockquote>
</li>
<li>
openid.assoc_handle
<blockquote class="text">
<p>Value: Opaque association handle being used to
fine the HMAC key for the signature.
</p>
</blockquote>
</li>
<li>
openid.return_to
<blockquote class="text">
<p>Value: Verbatim copy of the return_to URL
parameter sent in the request, before the Provider
modified it.
</p>
</blockquote>
</li>
<li>
openid.signed
<blockquote class="text">
<p>Value: Comma-seperated list of signed fields.
</p>
<p>Note: Fields without the "openid." prefix that
the signature covers. For example,
"mode,identity,return_to".
</p>
</blockquote>
</li>
<li>
openid.sig
<blockquote class="text">
<p>Value: base64(HMAC(secret(assoc_handle), token_contents)
</p>
<p>Note: Where token_contents is a key-value
format string of all the signed keys and values in
this response. They MUST be in the same order as
listed in the openid.signed field. Consumer SHALL
recreate the token_contents string prior to
checking the signature. See <a class="info" href="#limits">Appendix D<span> (</span><span class="info">Limits</span><span>)</span></a>.
</p>
</blockquote>
</li>
<li>
openid.invalidate_handle
<blockquote class="text">
<p>Value: Optional; The association handle sent in
the request if the Provider did not accept or
recognize it.
</p>
</blockquote>
</li>
</ul><p>
</p>
<a name="anchor26"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.4.3.3"></a><h3>4.3.3. Extra Notes</h3>
<p>
</p>
<ul class="text">
<li>In the response, the Identity Provider's signature
MUST cover openid.identity and openid.return_to.
</li>
<li>In a lot of cases, the Consumer won't get a cancel mode; the
End User will just quit or press back within their
User-Agent. But if it is returned, the Consumer SHOULD
return to what it was doing. In the case of a cancel
mode, the rest of the response parameters will be
absent.
</li>
</ul><p>
</p>
<a name="mode_check_authentication"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.4.4"></a><h3>4.4. check_authentication</h3>
<p>
</p>
<ul class="text">
<li>Description: Ask an Identity Provider if a message is
valid. For dumb, stateless Consumers or when verifying an
invalidate_handle response.
<br>
<br>
<span class="strong">WARNING: Only validates signatures
with stateless association handles. Identity Providers
MUST NOT ever validate a signature for an association
handle whose secret has been shared with anybody. They
MUST differentiate its stateless vs. associated
association handles, and only offer check_authentication
service on the stateless handles.</span>
</li>
<li>HTTP method: POST
</li>
<li>Flow: Consumer -> IdP -> Consumer
</li>
</ul><p>
</p>
<a name="anchor27"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.4.4.1"></a><h3>4.4.1. Request Parameters</h3>
<p>
</p>
<ul class="text">
<li>
openid.mode
<blockquote class="text">
<p>Value: "check_authentication"
</p>
</blockquote>
</li>
<li>
openid.assoc_handle
<blockquote class="text">
<p>Value: The association handle from checkid_setup
or checkid_immediate response.
</p>
</blockquote>
</li>
<li>
openid.sig
<blockquote class="text">
<p>Value: The signature from the checkid_setup or
checkid_immediate request the Consumer wishes to
verify.
</p>
</blockquote>
</li>
<li>
openid.signed
<blockquote class="text">
<p>Value: The list of signed fields from the checkid_setup
or checkid_immediate request the Consumer wishes to
verify the signature of.
</p>
</blockquote>
</li>
<li>
openid.*
<blockquote class="text">
<p>Value: The Consumer MUST send all the openid.* response
parameters from the openid.signed list which they'd
previously gotten back from a checkid_setup or
checkid_immediate request, with their values being
exactly what were returned from the Provider.
</p>
</blockquote>
</li>
<li>
openid.invalidate_handle
<blockquote class="text">
<p>Value: Optional; association handle returned via
invalidate_handle.
</p>
</blockquote>
</li>
</ul><p>
</p>
<a name="anchor28"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.4.4.2"></a><h3>4.4.2. Response Parameters</h3>
<p>Response format: Key-Value Pairs
</p>
<p>
</p>
<ul class="text">
<li>
openid.mode
<blockquote class="text">
<p>Value: "id_res"
</p>
</blockquote>
</li>
<li>
is_valid
<blockquote class="text">
<p>Value: "true" or "false"
</p>
<p>Description: Boolean; whether the signature is
valid.
</p>
</blockquote>
</li>
<li>
invalidate_handle
<blockquote class="text">
<p>Value: opaque association handle
</p>
<p>Description: If present, the Consumer SHOULD
uncache the returned association handle.
</p>
</blockquote>
</li>
</ul><p>
</p>
<a name="anchor29"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.4.4.3"></a><h3>4.4.3. Extra Notes</h3>
<p>
</p>
<ul class="text">
<li>Identity Providers MUST implement this mode for error
recovery and dumb Consumers, which can't keep state
locally, but it's RECOMMENDED that it is used as little
as possible, as it shouldn't be necessary most the
time. It's good for debugging, though, as you develop
your Consumer library.
</li>
<li>If you got an invalidate_handle response during a
checkid_setup or checkid_immediate request, that means
the Identity Provider didn't recognize the association
handle, maybe it lost it, and had to pick its own.
<br>
<br>
This means the Consumer will have to fallback to dumb
mode, since you don't have the shared secret which the
Identity Provider is using. While doing this
check_authentication request, also send along the
invalidate_handle response from the Identity Provider
and it'll be checked to see if it actually is
missing/bogus.
</li>
<li>When verifying the signature using openid.* query
values, the openid.mode value must be changed to
"id_res".
</li>
</ul><p>
</p>
<a name="anchor30"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.5"></a><h3>5. Security Considerations</h3>
<p>
</p>
<ul class="text">
<li>While the OpenID Authentication protocol often refers to
using HTTP, HTTPS can be used for additional security. It is
RECOMMENDED it is used during the <a class="info" href="#mode_associate">associate mode<span> (</span><span class="info">associate</span><span>)</span></a> and helps to
protect against man in the middle, DNS, and some phishing
attacks.
</li>
<li>Consumers SHOULD NOT use IFrames or popup's when requesting
an End User login via OpenID.
</li>
</ul><p>
</p>
<a name="defaults"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.A"></a><h3>Appendix A. Default Values</h3>
<a name="pvalue"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.A.1"></a><h3>Appendix A.1. Diffie-Hellman P Value</h3>
<p>
1551728981814736974712322577637155\
3991572480196691540447970779531405\
7629378541917580651227423698188993\
7278161526466314385615958256881888\
8995127215884267541995034125870655\
6549803580104870537681476726513255\
7470407658574792912915723345106432\
4509471500722962109419434978392598\
4760375594985848253359305585439638443
</p>
<a name="anchor31"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.B"></a><h3>Appendix B. Error Responses</h3>
<p>This section pertains to protocol/run-time errors, not
authentication errors. Authentication errors are defined in
the protocol.
</p>
<p>
</p>
<ul class="text">
<li>No error codes have been defined; just unstructured natural
language error text.
</li>
<li>If it's a GET request with bad arguments, but a valid
openid.return_to URL, the Identity Provider SHALL redirect
the User-Agent with openid.mode=error and
openid.error=Error+Text set.
</li>
<li>If it's a GET request with bad arguments, and no valid
openid.return_to URL, the Identity Provider SHALL return a
"400 Bad Request" with any content-type and error message it
wants.
</li>
<li>If it's a GET request with no arguments, the Identity
Provider SHALL show a 200 text/html error saying "This is an
OpenID server endpoint. For more information, see
http://openid.net/".
</li>
<li>If it's a POST request with bad/no arguments, the
Identity Provider SHALL return a 400 Bad Eequest with the
Key-Value response format containing a single key "error"
with the natural language text. The Identity Provider can
add any additonal keys it wishes in this case.
</li>
</ul><p>
</p>
<a name="anchor32"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.C"></a><h3>Appendix C. Key-Value Format</h3>
<p>Lines of:
</p>
<p>
</p>
<ul class="text">
<li>some_key:some value
</li>
<li>There MUST NOT be a space before or after the colon.
</li>
<li>Newline characters MUST be Unix-style, just ASCII character 10
("\n").
</li>
<li>Newlines MUST BE at end of each line as well as between lines.
</li>
<li>MIME type is unspecified, but text/plain is
RECOMMENDED.
</li>
<li>Character encoding MUST BE UTF-8.
</li>
</ul><p>
</p>
<a name="limits"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.D"></a><h3>Appendix D. Limits</h3>
<p>
</p>
<ul class="text">
<li>Identifier URL: 255 max bytes
</li>
<li>Identity Provider URL: 2047 max bytes, after Consumer-added
URL arguments. The raw endpoint URL SHOULD be kept well
below this.
</li>
<li>return_to URL: 2047 max bytes, after Identity Provider
added URL arguments. The raw return_to URL SHOULD be kept
well below this.
</li>
<li>assoc_handle: 255 characters or less, and consist only of
ASCII characters in the range 33-126 inclusive (ie printable
non-whitespace characters).
</li>
</ul><p>
</p>
<a name="anchor33"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<a name="rfc.section.E"></a><h3>Appendix E. Misc</h3>
<p>
</p>
<ul class="text">
<li>Timestamps must be in w3c format, and must be in the UTC
timezone, indicated with a "Z". For example:
2005-05-15T17:11:51Z
</li>
</ul><p>
</p>
<a name="rfc.references1"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<h3>6. Normative References</h3>
<table border="0" width="99%">
<tbody><tr><td class="author-text" valign="top"><a name="RFC2119">[RFC2119]</a></td>
<td class="author-text">Bradner, B., “Key words for use in RFCs to Indicate Requirement Levels.”</td></tr>
<tr><td class="author-text" valign="top"><a name="RFC2396">[RFC2396]</a></td>
<td class="author-text">Berners-Lee, T., “Uniform Resource Identifiers (URI): Generic Syntax.”</td></tr>
<tr><td class="author-text" valign="top"><a name="RFC2631">[RFC2631]</a></td>
<td class="author-text">Rescorla, E., “Diffie-Hellman Key Agreement Method.”</td></tr>
</tbody></table>
<a name="rfc.authors"></a><br><hr>
<table summary="layout" class="bug" align="right" cellpadding="0" cellspacing="2"><tbody><tr><td class="bug"><a href="#toc" class="link2"> TOC </a></td></tr></tbody></table>
<h3>Authors' Addresses</h3>
<table border="0" cellpadding="0" cellspacing="0" width="99%">
<tbody><tr><td class="author-text"> </td>
<td class="author-text">David
Recordon</td></tr>
<tr><td class="author" align="right">Email: </td>
<td class="author-text"><a href="mailto:drecordon@verisign.com">drecordon@verisign.com</a></td></tr>
<tr cellpadding="3"><td> </td><td> </td></tr>
<tr><td class="author-text"> </td>
<td class="author-text">Brad
Fitzpatrick</td></tr>
<tr><td class="author" align="right">Email: </td>
<td class="author-text"><a href="mailto:brad@danga.com">brad@danga.com</a></td></tr>
</tbody></table>
</body></html>
|
