Home/ Questions/Q 8880211
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-14T20:07:26+00:00

I’m working on an OpenId Provider for an SSO setup – it’s basically a

  • 0

I’m working on an OpenId Provider for an SSO setup – it’s basically a web application portal that shares credentials with any of the “applications” the user has access to. I have the Provider set up and everything is working fine, but I have a question about security.

I want to do some permissions checking on the Provider before it sends a positive assertion to the RP; namely that the user actually has permissions to the application which is making the request.

Here’s the Provider code I’ve got at the moment (just a snippet, can add more if necessary):

private bool AutoRespondIfPossible(out ActionResult response)
    {
        if (ProviderEndpoint.PendingRequest.IsReturnUrlDiscoverable(OpenIdProvider.Channel.WebRequestHandler) == RelyingPartyDiscoveryResult.Success
            && User.Identity.IsAuthenticated && this.RealmIsValid(ProviderEndpoint.PendingAuthenticationRequest.Realm)) {
                if (ProviderEndpoint.PendingAuthenticationRequest != null) {
                    if (ProviderEndpoint.PendingAuthenticationRequest.IsDirectedIdentity
                        || this.UserControlsIdentifier(ProviderEndpoint.PendingAuthenticationRequest)) {
                            ProviderEndpoint.PendingAuthenticationRequest.IsAuthenticated = true;
                            response = this.SendAssertion();
                            return true;
                    }
                }

                //we don't want anon requests
                if (ProviderEndpoint.PendingAnonymousRequest != null) {
                    ProviderEndpoint.PendingAnonymousRequest.IsApproved = false;
                    response = this.SendAssertion();
                    return true;
                }
        }

        response = null;
        return false;
    }

Basically what I’m doing is validating that the realm of the request (in the RealmIsValid method) matches to a hostname in my list of acceptable hostnames, and then I’m comparing the user permissions based on the hostname.

What I’m wondering is: How accurate is ProviderEndpoint.PendingAuthenticationRequest.Realm? If I understand correctly, the realm is set by the relying party – is it possible that the endpoint could receive a request from a URI other than the realm specified in that request? Or am I safe to assume that the realm will always be accurate (that is: match the URI of the relying party)?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Yes, the OpenID realm is reliable, due to two steps OpenID 2.0 and DotNetOpenAuth takes:

    1. The OpenID return_to URL must be a derivative of the realm URL. So while anyone can formulate an OpenID request as if it came from any relying party, the alleged relying party will always be the one to actually receive the response, so an attacker operating another RP will not get the response.
    2. Some “open redirector” attacks might allow the attacker to use a return_to URI that is based on a legitimate Realm URL, but happens to be a URL that will redirect to the attacker’s web site, thus delivering the assertion to the attacker. This is mitigated by “RP Discovery” which your code snippet includes with its call to the IsReturnUrlDiscoverable method. The RP should explicitly list the allowed return_to URLs in its RP Discovery XRDS document, so that open redirector endpoints are not allowed.

    That all said, OpenID is mostly about identifying the user — not authorizing them to specific RPs. So while what you’re doing may be fine, it’s a bit off the beaten track for OpenID use, so please consider the security implications carefully (as it sounds like you’re doing now).

    • 0