[OpenID] About Facebook, MySpace and OpenID

Peter Williams pwilliams at rapattoni.com
Sun Apr 5 17:04:58 UTC 2009


The context is one of an OP minting an openid assertion, which creates an RP session based on asking for n attributes. But, if I as RP ask for another assertion 59 minutes later, I don’t expect as an RP to be asking for more or less attributes at that point (just because some or other set was or was not requested/delivered last time). I just ask for another assertion, and indicate that I need the OP to (still) represent the n attributes as (then) accurate, etc.

Given Google may have suspended the user account in the last 59 minute, I want to know that fact before I grant the (former google) user access to stored RP-stored credit card information (for example). As a relying party, I am RELYING ON google (for example) legally. If they are not doing something at the level  of (pape) assurance or completeness that I need to rely, what's the point of working with them - beyond merely using their friendly assertion to auto-populate an account signup form?

The biggest point is that I cannot build openid software that knows how users cooperate with Google's particular consent/release/UI/persistence assumptions. As OP, they either given me the RP an positive assertion back with all required attribute or they don’t. If they don’t, the RP switches to the next selected RP service in the user's XRDS... per the protocol. If none support the required attribute set representing they have the required level of assurance, the RP will request the user supply the attribute values directly - by typing then in the form, as usual. The RP will then rely (directly) on the user, vs the OP.

(All about Google. Somehow we wandered away from the topic of "Facebook, MySpace...").

> -----Original Message-----
> From: Deron Meranda [mailto:deron.meranda at gmail.com]
> Sent: Sunday, April 05, 2009 9:27 AM
> To: Peter Williams
> Cc: John Bradley; Breno de Medeiros; general
> Subject: Re: [OpenID] About Facebook, MySpace and OpenID
>
> On Sun, Apr 5, 2009 at 10:59 AM, Peter Williams
> <pwilliams at rapattoni.com> wrote:
> > Out of interest, what happens the second time (on the same OP
> session)?
> >
> > In the SAML websso protocol,...requires a recent act of user
> (re)authentication
> > (using an RSA securid time-synced tokencode, typically) and
> reconfirmation
> > that the member has an attribute indicating s/he is (still) in good
> standing
> > with the IDP’s membership policies. ...
> >
> > Our OP/RP openid implementation happens to be a multi-stage gateway –
> SAML
> > and openid auth protocol engines operating in a pretty common co-
> resident
> > fashion ... If the SAML RP makes a followup request 5m later, with
> > ispassive=true (no UI allowed), the same set of attributes will be
> required.
> > There is no context for the second protocol run, given the first –
> that
> > enable it to ask for more or less attributes the second time.
>
> I don't know a lot about SAML, but it sounds like none of this is
> really
> dependent upon Google's AX behavior.  Perhaps there could be some
> relevance with PAPE, but even then I'm not sure.
>
> What kind of AX attributes were you envisioning that you'd want to
> check every 5 minutes?  And I'm not sure what kind of "context",
> or lack of one that you are discussing.
> --
> Deron Meranda


More information about the general mailing list