On 8/24/06, Timwi <timwi@gmx.net> wrote:
> I was trying to address the security issues that come from the user's ability to cause the server to perform any GET request to any server. But now that I think about it more, I haven't actually solved that issue at all: the necessity to retrieve the "token file" would still grant the user that ability... so scratch it all :)
How is this solved in OpenID implementations?