[Openid-specs-ab] Expected Identity

Blaine Cook romeda at gmail.com
Mon May 14 23:39:33 UTC 2012

On May 14, 2012 11:02 PM, "Justin Richer" <jricher at mitre.org> wrote:
> Blaine, your timing is spot on -- I was actually just discussing this
very use case here this afternoon in the context of one of our projects. I
think there's a definite need for indicating what the starting identity was
in the transaction, even if for sanity checking cases. But more to the
point, you don't want to cause all RPs to force a prompt for all users just
in case they might run into the problem below. Ultimately, I see it as
another bit of information, a hint, that the RP can send to help the IdP do
its job.

So, it's definitely true that the RP needs to check that an IdP has
authority to act as an IdP for any given identifier. That part will never
go away; thankfully, it's fairly straightforward to do this in most cases
(e.g., gmail.com is allowed to act as an IdP for gmail.com addresses).

However, the feature is (I think) more critical than just sanity checking -
I explicitly ignore auth attempts from IdPs that allow a user other than
the one I expect to authenticate. This is a major hassle on the client side
to implement, and in some cases leads to impossible-to-resolve (reasonably)
situations (e.g., Bob can't sign in because Alice is already signed in).

> After thinking through it a bit, I think that the Request Object might be
the best place to put something like that into. It makes it possible for
RPs that care about it to do the legwork, but it doesn't further pollute
the OAuth Auth Endpoint namespace for the simple cases that might not care.

>From the RP's perspective, this should be required-to-implement by the
server. Put another way, I won't integrate with servers that don't
implement it, since it makes my life as an rp *much* harder, and my users'
experiences much worse without.

Ideally, it'd also be possible to implement this without library support.
Having it be a standard (optional for the rp) parameter at the auth
endpoint would mean it'd be easy to bake in to swd/webfinger, or in the
absence of either of those, simply by appending the parameter to the auth

I'm writing this offline on my phone, and haven't looked at the most recent
connect spec(s), so maybe these thoughts are totally redundant, but
hopefully they provide some useful context from the perspective of a tiny
rp. :-)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20120515/e87f482a/attachment.html>

More information about the Openid-specs-ab mailing list