Crowd's OpenID approvals are based around the return_to URL. An OpenID 2 request may present a more general realm as well (Realms). If present, the user should be asked to approve the realm for this and future requests.
If a whitelist is present (CWD-3045) it should be treated as a list of realms. Any realm must either be directly present on the whitelist (if it's a pattern) or match something on the whitelist if it's a concrete return_to URL.
- has a derivative of
-
CWD-3069 Warn about overly general Realms in OpenID requests
- Gathering Interest
- relates to
-
- Closed
-
- Closed
- mentioned in
-
![[Extranet] Page](/images/icons/generic_link_16.png "[Extranet] Page")
Wiki Page
Failed to load
[CWD-3060] Use OpenID Realm for approval requests
To simplify this, make a precise check for the realm on the whitelist. Then, an RP that specifies a consistent realm can be whitelisted with a single line. A site that only specifies a return_to URL and no realm will need to be approved each time, which matches the current experience.
Realms should be checked against something like the Public Suffix List to prevent overly general realms (e.g., http://*.com/).