Suppose I'm trying to implement OpenId for relying in my n-tier web site which uses web services. Please tell me if some steps seem strange.
1) I want the user to enter their OpenId url in a textbox. ex: http://vidalsasoon.myopenid.com
2) The user then clicks submit where the entered Url is sent to my web service using the OpenId api. With the OpenId API on the server, I can build a proper OpenId request.
3) User receives the Url where he should get authenticated.
4) User gets redirected to their provider, Logs in, get redirected back to my web site.
CONFUSION HERE: Now steps 2 - 4 happen between the user and the provider. My web service is not involved during these steps.
I would like the user to then send their desired username and OpenId back to the web service at this point. The problem is how can I know that the user/client hasn't tampered with with them?