
List:       openid-general
Subject:    [OpenID] [Fwd: Re: Automatic OP-driven identifier selection leads
From:       ChO₂ <chemistrydioxide () quantentunnel ! de>
Date:       2011-10-06 14:13:47
Message-ID: 1317910427.11016.38.camel () localhorst

This mail was supposed to go the list, my fault.

-------- Forwarded message --------
From: ChO₂ <chemistrydioxide@quantentunnel.de>
To: John Bradley <ve7jtb@ve7jtb.com>
Subject: Re: [OpenID] Automatic OP-driven identifier selection leads to
"wrong" OpenID URL
Date: Thu, 06 Oct 2011 16:12:18 +0200

The OP is Yahoo and the RP is under my control.

I'm in charge of a web site that uses username/password authentication,
and I want to let my users log in with their email address and OpenID. I
want to avoid asking each of my users for their OpenID URL, as they
probably wouldn't understand it. Fortunately, I have all of their email
addresses on file, so I thought it might be a good idea to let them
authenticate using EAUT and OpenID. Unfortunately, most email providers
(even those that offer OpenID) do not support EAUT, so I was thinking
about writing an email-to-OpenID mapping table of my own. The problem is
that these efforts get wrecked when Yahoo decides to return an
identifier that doesn't map to the user's email address.

I am well aware that giving a user the option to log in to the same site
with several identifiers may cause issues when one user is taken for
several distinct persons. However, such behavior may sometimes be
desired by the user and in my case it is necessary.

Regards, ChO2

-------- Forwarded message --------
From: John Bradley <ve7jtb@ve7jtb.com>
To: ChO₂ <chemistrydioxide@quantentunnel.de>
Cc: general@openid.net
Subject: Re: [OpenID] Automatic OP-driven identifier selection leads to
"wrong" OpenID URL
Date: Wed, 5 Oct 2011 21:21:42 -0300
Mailer: Apple Mail (2.1244.3)

How the OP allows you to choose or remember what identifier you used at a particular RP is up to the IdP.

The RP could use the regular non identifier select flow to the IdP, however many IdP like Yahoo just treat all requests as identifier select.

In openID 1.1 the RP couldn't pick the identifier, they could only use the URL that user entered (after normalization).

The difference between openID 1 and openID 2 is that the OP returns the identifier and it could be anything.

The issues are slightly different for OP like Google who use automatically generated pairwise identifiers for each RP to protect privacy and prevent correlation.

In the pairwise identifier case, if you hang the RP realm each time you would never be able to log back in, so that is probably a bad idea.

I would have to know the OP to explain what they are actually doing. It may not be quite what you are imagining.

Regards
John B.

On 2011-10-05, at 8:31 PM, ChO₂ wrote:

> Dear List,
> 
> I have a question about OP-driven identifier selection. When I
> authenticate with a RP using OpenID, my OP lets me choose between
> several identifiers. Next time I log in to the same site, my OP will
> automatically use the same identifier again and I am not given the
> option to change this behavior. While this is very useful in most cases,
> it may cause problems:
> 
> 1) I cannot identify to the same RP with several different identities
> that belong to the same OP account.
> 2) If a RP moves to a different URL and I choose the wrong identifier on
> my next login, I'll be locked out from my RP account forever.
> 3) I cannot tell my OP to use a different identifier for a particular
> RP, e.g. in order to confirm my email address.
> 4) When two RPs decide to merge, I will lose access to either account
> and I can't merge the two accounts.
> 5) The OP may authenticate the user as the wrong identity even when the
> user has entered a different but complete OpenID identifier.
> 
> Does someone have an idea how these issues are supposed to be addressed?
> 
> A possible workaround would be to modify the RP so that it pretends to
> be a different RP on each log in (or when the user requests it to do
> so). This would prevent the OP from automatically authenticating the
> user with the "wrong" identifier.
> 
> I would also be interested to learn whether there's a way for RPs to
> disable OP-driven identifier selection in OpenID v2.0 (i.e. the
> identifier will be chosen by the RP, as in OpenID v1).
> 
> Regards, ChO2
> 
_______________________________________________
general mailing list
general@lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general
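Added example (not code from the thread or from any OpenID library): an RP that keeps its own email-to-OpenID mapping table, as ChO₂ describes, builds either the identifier-select request or the explicit-identifier request John mentions, and refuses to link an assertion whose claimed_id is not the identifier expected for that email. The endpoint URLs, identifiers and the EMAIL_TO_OPENID / DISCOVERED_ENDPOINT tables are constructed sample data, not real accounts; signature verification is assumed to be handled by the RP's OpenID library before this check runs.

```python
from urllib.parse import urlencode, parse_qs, urlparse

OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

# Constructed sample data (hypothetical): the RP's own email-to-OpenID table
# and the OP endpoint that discovery on that identifier yielded.
EMAIL_TO_OPENID = {"alice@example.com": "https://me.yahoo.com/alice.example"}
DISCOVERED_ENDPOINT = {"https://me.yahoo.com/alice.example": "https://op.example.net/auth"}


def build_auth_request(op_endpoint, return_to, realm, claimed_id=None):
    """Build a checkid_setup URL. With no claimed_id the RP asks for identifier
    select (the OP chooses); with one it names the identifier it expects."""
    ident = claimed_id or IDENTIFIER_SELECT
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": ident,
        "openid.identity": ident,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    return op_endpoint + "?" + urlencode(params)


def sample_assertion(return_to, claimed_id, op_endpoint):
    """Constructed (unsigned) positive assertion as it would arrive at return_to."""
    params = {"openid.ns": OPENID_NS, "openid.mode": "id_res",
              "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
              "openid.op_endpoint": op_endpoint}
    return return_to + "?" + urlencode(params)


def check_assertion(return_url, email):
    """Decide whether the assertion delivered to return_to may be linked to `email`."""
    q = {k: v[0] for k, v in parse_qs(urlparse(return_url).query).items()}
    if q.get("openid.ns") != OPENID_NS or q.get("openid.mode") != "id_res":
        return False, "not a positive OpenID 2.0 assertion"
    expected = EMAIL_TO_OPENID.get(email)
    if expected is None:
        return False, "no OpenID identifier on file for this email address"
    # A fragment on the asserted claimed_id is ignored when comparing identifiers.
    asserted = q.get("openid.claimed_id", "").split("#", 1)[0]
    if asserted != expected:
        # The case from the thread: the OP picked a different identifier than the
        # one mapped to this email. Fail closed instead of silently linking it.
        return False, f"OP asserted {asserted}, expected {expected}"
    if q.get("openid.op_endpoint") != DISCOVERED_ENDPOINT[expected]:
        return False, "op_endpoint does not match discovery for the expected identifier"
    return True, expected
```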