This is just a matter of verifying that the URL in
AudienceRestrictionCondition matches the URL of the website.
Although this is simple, it is important because it helps
the site protect itself against replay attacks. The attack would
work by one site requesting a token from a user and then trying
to impersonate that user by replaying the token to a different site.
However, because the token specifies the URL of the site the
token was meant for, the second site is able to reject the
token. The comparison should be an exact match against the site's own URL,
and a token that carries no AudienceRestrictionCondition at all should be
rejected, since such a token could be replayed anywhere.
Retrieval of Claim Values
After the token has been verified, the claim values can be retrieved.
The first step is to verify that all required claims have
been provided. The next step is to use the claims to perform
whatever task is at hand. In many cases, this will be logging on
the user and might involve looking up some sort of user identifier.
In other cases, it could be retrieving an age or some other
value required to make a decision about the subject. It is good
to keep in mind that even though the values are packaged in a
token, they are still user-provided values, particularly in the case
of a Personal Card, and as such they should be treated like any other
user input: bounded in length, checked against the shape expected for
that claim, and encoded when rendered.
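The audience check and the claim-retrieval steps above, worked through in Python as an added example (this is not code from the book or from CardSpace itself). It assumes a SAML 1.1 assertion whose signature the caller has already verified, the standard CardSpace self-issued claim namespace for the attribute names, and a constructed sample token embedded inline; the helper and exception names are this example's own.

```python
import datetime
import html
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Namespaces of SAML 1.1 assertions and of the standard CardSpace claim set.
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"

# Constructed sample assertion for this example; it is not a real token, and its
# signature is assumed to have been verified already by the caller.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" AssertionID="uuid-c0ffee" MajorVersion="1" MinorVersion="1">
  <saml:Conditions>
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://www.example.com/login</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="emailaddress" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>alice@example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="dateofbirth" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>1990-04-01</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="givenname" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>&lt;script&gt;alert(1)&lt;/script&gt;</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class TokenRejected(Exception):
    """Raised when the token must not be accepted by this site."""


def parse_assertion(xml_text: str) -> ET.Element:
    # The stdlib parser still expands internal entities; for XML that has not yet
    # passed signature verification, parse with defusedxml instead.
    return ET.fromstring(xml_text)


def check_audience(root: ET.Element, site_url: str) -> bool:
    """True only if every AudienceRestrictionCondition names exactly site_url.

    A token with no audience restriction is rejected as well: it could be
    replayed to any site, which is what the condition exists to prevent.
    The comparison is exact; prefix or substring matching would let a
    lookalike such as https://www.example.com.attacker.net/login pass.
    """
    conds = root.findall(f"{{{SAML_NS}}}Conditions/{{{SAML_NS}}}AudienceRestrictionCondition")
    if not conds:
        return False
    for cond in conds:
        audiences = [(a.text or "").strip() for a in cond.findall(f"{{{SAML_NS}}}Audience")]
        if site_url not in audiences:
            return False
    return True


def extract_claims(root: ET.Element) -> Dict[str, List[str]]:
    """Collect attribute values keyed by full claim URI (namespace/name)."""
    claims: Dict[str, List[str]] = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        uri = attr.get("AttributeNamespace", "").rstrip("/") + "/" + attr.get("AttributeName", "")
        values = [(v.text or "") for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        claims.setdefault(uri, []).extend(values)
    return claims


def missing_claims(claims: Dict[str, List[str]], required: List[str]) -> List[str]:
    """Required claims that are absent or carry only empty values."""
    return [c for c in required if not any(v.strip() for v in claims.get(c, []))]


EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
MAX_VALUE_LEN = 256


def validate_claim(uri: str, value: str) -> str:
    """Treat the value as user input: bound its size and check its shape before use."""
    if len(value) > MAX_VALUE_LEN or any(ord(ch) < 0x20 for ch in value):
        raise TokenRejected(f"{uri}: oversized or control-character value")
    name = uri.rsplit("/", 1)[-1]
    if name == "emailaddress" and not EMAIL_RE.match(value):
        raise TokenRejected("emailaddress is not a well-formed address")
    if name == "dateofbirth":
        try:
            if not DATE_RE.match(value):
                raise ValueError
            datetime.date.fromisoformat(value)  # rejects impossible dates such as 1990-13-45
        except ValueError:
            raise TokenRejected("dateofbirth is not a YYYY-MM-DD date") from None
    return value


def safe_for_html(value: str) -> str:
    """Free-text claims such as a name are still encoded at the point of output."""
    return html.escape(value, quote=True)


def process_token(xml_text: str, site_url: str, required: List[str]) -> Dict[str, str]:
    """Audience check, then required-claims check, then per-value validation."""
    root = parse_assertion(xml_text)
    if not check_audience(root, site_url):
        raise TokenRejected("token was not issued for this site (possible replay)")
    claims = extract_claims(root)
    missing = missing_claims(claims, required)
    if missing:
        raise TokenRejected(f"required claims missing: {missing}")
    # First value of each claim, validated; multi-valued claims need a policy of their own.
    return {uri: validate_claim(uri, vals[0]) for uri, vals in claims.items()}


if __name__ == "__main__":
    required = [CLAIMS_NS + "/emailaddress", CLAIMS_NS + "/dateofbirth"]
    accepted = process_token(SAMPLE_ASSERTION, "https://www.example.com/login", required)
    print("logged on:", accepted[CLAIMS_NS + "/emailaddress"])
    print("greeting:", safe_for_html(accepted[CLAIMS_NS + "/givenname"]))
    try:
        process_token(SAMPLE_ASSERTION, "https://www.example.com.attacker.net/login", required)
    except TokenRejected as e:
        print("replay rejected:", e)
```

The givenname value in the sample deliberately carries markup: it passes validation because a name is free text, which is why the rendering step, not the token check, is where it gets encoded.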