[Openid-specs-risc] Should we handle indirect relationships?

George Fletcher gffletch at aol.com
Tue Nov 22 21:30:56 UTC 2016


So I would answer that question as...

The user who owns the *@gmail.com account does have an account at AOL 
but they do so via Facebook. AOL would have the standard OAuth2 direct 
relationship with Facebook based on the Facebook user id (I'm assuming 
that's how that relationship would be established).

In the consumer case, it's possible to just rely on the direct 
relationships and trust that any implicit ones will propagate through 
the direct one in a timely manner.

So back to my example. If something happens at Google to *@gmail.com, 
then Facebook would get notified and if that triggers something at 
Facebook, AOL would get notified via the Facebook path. I do think it 
helps in this use case that Facebook is effectively acting as an IdP for 
the user (Facebook does an authentication).

The Enterprise example is a little more complicated because in that case 
there is only one entity that is authenticating the user because Google 
is delegating authentication to the enterprise IdP. Take an example 
where ACME Corp uses Google Apps but does it's own authentication, and 
an ACME Corp employee uses Google to log into Slack. Slack as an RP has 
a direct relationship with Google. Google has a direct relationship with 
ACME IdP. Should we again rely on propagation of events through the 
direct relationship paths?

Thanks,
George

On 11/22/16 4:15 PM, Hardt, Dick wrote:
> George: does the *@gmail.com user have an account at AOL? Let’s assume that is the use case you are talking about. It is not clear how Facebook and AOL are going to learn they share a user. In the F2F we talked about direct relationships would proxy in same way for indirect relationships. Ie. AOL would share data with Google, and Facebook would share data with Google. If there is an event at Facebook that is shared with Google, then that may create an event at Google that would be shared with Facebook.
>
> /Dick
>
> On 11/22/16, 9:50 AM, someone claiming to be "Openid-specs-risc on behalf of George Fletcher" <openid-specs-risc-bounces at lists.openid.net on behalf of gffletch at aol.com> wrote:
>
>      Hi,
>      
>      Given that at AOL we are a relying party to Google, Facebook, Yahoo,
>      Twitter, LinkedIn, etc. ... when a user logs in via Facebook with an
>      email address of *@gmail.com, should AOL subscribe at both Facebook and
>      Google? or just Facebook?
>      
>      This is similar to the enterprise case we talked about in the F2F. In
>      that case it was someone logging in via Google with an identity that is
>      not authenticated by Google but rather by the owning enterprise domain.
>      
>      Thoughts?
>      
>      Thanks,
>      George
>      _______________________________________________
>      Openid-specs-risc mailing list
>      Openid-specs-risc at lists.openid.net
>      http://lists.openid.net/mailman/listinfo/openid-specs-risc
>      
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-risc/attachments/20161122/80d4f90f/attachment.html>


More information about the Openid-specs-risc mailing list