can the response from Google/Yahoo! be changed in openID process?

is it possible to hack the h开发者_如何学Ceader returns from Google/Yahoo! authentication openid request? i mean someone someone uses him@gmail.com to get authenticated with Google and then changes him@gmail.com to me@gmail.com in response from Google and get logged in to site with my account?

Yes, the authentication payload from the Provider to the Relying Party goes through the user's browser, giving the user the opportunity to inspect and even change what gets forwarded to the relying party web site.

However the payload is signed, so any changes to the signed portion of the message will result in the relying party detecting tampering has taken place and should reject the message.

So in effect, no, you can't hijack someone else's account using this method because of the signature verification process that is a built-in part of OpenID.

No. If it were possible, that'd defeat the point.

The site you're authenticating with talks directly with the authentication provider, and the authentication provider talks with the user. The user can't change what goes to the site, because the auth provider doesn't go through the user to get to the site.