4.2.8. Response Verification

Each response message is digitally signed and must be verified. The following parts of the message are checked:

  • return URL – The value of openid.return_to must match the URL to which the response was delivered, and every query parameter of that URL must also be present in the HTTP request your application received.

  • claimed identifier – The metadata associated with the claimed identifier, obtained by discovery during initiation (or by repeating part of that process), must match the data carried in the message: claimed identifier, internal identifier, OP endpoint and protocol version.

  • response nonce – No message with the same nonce has been received from this OpenID provider before.

  • signature – All fields that must be signed are signed, and the signature is valid. The signature can be verified either by the application itself, using the shared secret of an association established earlier (stateful mode), or by asking the OpenID provider to verify it (stateless mode).

If all these conditions hold, the message is valid and it has been verified that the claimed identifier belongs to the user. In practice, all of these checks should be performed by the library that implements the protocol.
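The four checks above carried out in order, as an added Python example that is not code from the original text or from any particular OpenID library. The association secret, the discovered metadata, the receiving URL and the response fields are constructed; the signature is computed in the OpenID 2.0 key-value form with HMAC-SHA256, as an application holding the association would do in stateful mode.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qs, urlsplit

# Constructed values for this example: the association secret and the metadata discovered at initiation
ASSOC_SECRET = b"constructed-shared-secret-for-example-only"
DISCOVERED = {"ns": "http://specs.openid.net/auth/2.0", "op_endpoint": "https://op.example.org/server",
              "claimed_id": "https://alice.example.org/", "identity": "https://alice.example.org/"}
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}

def sign(fields, signed_list, secret):
    # OpenID 2.0 key-value form: "name:value\n" for each signed field, then HMAC-SHA256, base64
    data = "".join(f"{k}:{fields.get(k, '')}\n" for k in signed_list).encode()
    return base64.b64encode(hmac.new(secret, data, hashlib.sha256).digest()).decode()

def verify_response(params, request_url, discovered, secret, seen_nonces):
    # params holds the openid.* fields without the prefix; returns (ok, reason)
    # 1. return URL: same scheme/host/path, and every return_to query parameter reached us unchanged
    rt, here = urlsplit(params.get("return_to", "")), urlsplit(request_url)
    if (rt.scheme, rt.netloc, rt.path) != (here.scheme, here.netloc, here.path):
        return False, "return_to does not match the receiving URL"
    here_qs = parse_qs(here.query)
    for k, v in parse_qs(rt.query).items():
        if here_qs.get(k) != v:
            return False, f"return_to parameter {k} missing from request"
    # 2. claimed identifier: these fields must match what discovery produced at initiation
    for field in ("ns", "claimed_id", "identity", "op_endpoint"):
        if params.get(field) != discovered[field]:
            return False, f"{field} does not match discovery"
    # 3. nonce: a nonce already seen from this OP means a replayed message
    nonce = params.get("response_nonce")
    if not nonce or nonce in seen_nonces:
        return False, "missing or replayed nonce"
    # 4. signature: every required field is covered, and the HMAC matches (constant-time compare)
    signed = params.get("signed", "").split(",")
    if not REQUIRED_SIGNED <= set(signed):
        return False, "a required field is not signed"
    if not hmac.compare_digest(sign(params, signed, secret), params.get("sig", "")):
        return False, "bad signature"
    seen_nonces.add(nonce)  # only remember the nonce once everything else has passed
    return True, "valid"

def make_response(secret=ASSOC_SECRET):
    # Constructed positive assertion, signed as an OP holding the same association would sign it
    fields = dict(DISCOVERED, mode="id_res", assoc_handle="assoc-1",
                  return_to="https://rp.example.com/finish?session=abc",
                  response_nonce="2024-01-01T00:00:00Zabc123")
    signed = ["ns", "mode", "op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"]
    fields["signed"] = ",".join(signed)
    fields["sig"] = sign(fields, signed, secret)
    return fields
```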