node.js - Verify if OpenId provider is valid -
i trying make user log in steam account via openid. able make request steam openid , log in user.
my concern dont have way confirm openid provider valid. if cant verify provider, hacker make succesful response website in order log in. thought there might way confirm url of provider, have no idea hot this.
so how make sure provider steam , not 3rd party?
(i using passport-openid library)
you extract user's openid provider page give @ openid url login form. that's place you'll know openid provider user wishes use.
unless url https 1 cannot sure there wasn't man-in-the-middle-attack gave different openid provider application.
Comments
Post a Comment