I am trying to make a user log in with their steam account via OpenId. I am able to make the request to the Steam OpenId and log in that user.
My concern is that I currently don't have any way to confirm that the OpenId provider actually is valid. If I can't verify the provider, a hacker could make a successful response to my website in order to log in. I thought there might be a way to confirm the URL of the provider, but I have no idea how to do this.
So how do I make sure the provider is Steam and not some 3rd party?
(I am using the passport-openid library)
You extract the user's OpenID provider from the page they give you at the OpenID URL login form. That's the only place you'll get to know which OpenID provider the user wishes to use.
Unless the URL is an HTTPS one you cannot be sure that there wasn't a man-in-the-middle attack that gave a different OpenID provider to your application.