No subject


Sun Aug 19 20:53:57 UTC 2007


destination site, it acts as a user agent.  So, in the case, it will be
initiating a logon at the destination site.  The destination site follows
the normal OpenID protocol to get an assertion from the OpenID Provider.
The two sites can then trade cookies, or keep track of query strings, or
whatever they want to manage their session.


 On 8/31/07, John Ehn <john at extremeswank.com> wrote:
>
> Well, I've slept on it.  I think we have a difference in philosophy.
>
> The other Extesions - AX, Simple Registration, etc. - follow the same data
> flow methodology:
>
> RP -> UA -> OP
> RP <- UA <- OP
>
> I believe I'm sticking to the same principles in my spec.  We are doing
> the very same thing when we collect the authentication key (see above).  We
> are even doing the very same thing when we have the sites authenticate with
> each other.  It's just we have a non-human operating the User Agent.  In
> this case, the RP is the "destination" site, the UA is the "client" site:
>
> RP -> UA -> OP
> RP <- UA <- OP
>
> I think this fits well with what people expect.  I also have no problem
> with having OPs incrementally improve their systems to make them compatible
> with new extensions.  Since there will (eventually) be far more RPs out
> there than OPs, I think it's reasonable for them to support the bulk of the
> extension implementation.
>
> In this case, however, there really isn't all that much to implement.  The
> following code changes will need to happen at the site that wants access to
> information at another site (the CC):
>
> * The form where the user submits their OpenID to grant permission to
> another site
> * Logic that builds a simple OpenID login request with the Trusted
> Authentication data included, and a redirect to the OP
> * A branch to the "id_res" checker that parses the OP response and stores
> the shared secret
> * An automated script that performs OpenID authentication to the DC and
> retreives data
>
> The OP needs to implement the following:
>
> * When receiving a check_id request with Trusted Authentication arguments,
> send an X-OPENID-TrustedAuthentication HTTP header in the response, and be
> able to accept a SHA-256 hash as a response  - This is not a big deal, and
> isn't any form of deviation, because this is the "gray area" in the spec
> where the UA is supposed to be verified that it's already logged in, or is
> prompted for credentials
> * Add a logic branch that generates a shared secret when requested, stores
> it, and sends it in the authentication response
> * Some form of user interface to manage the stored secrets - very easy
>
> All but one of these steps would be needed to implement ANY OpenID
> extension out there.  And the only change that is "out of spec" is accepting
> an SHA-256 hash as an authentication key - which is trivial to implement at
> an OP.
>
> Conservatively, (with distractions) I think an OP can implement the data
> passing in less than a couple of hours, and the user interface in a couple
> of days.
>
> Although your implementation is sound, and I like a lot of the ideas, they
> shift a lot of the responsibility to the party receiving the authentication
> request.  I'm not sure I like the idea of having the burden of implementing
> both an API and a special pseudo-OP.  This also removes the power of having
> a single Identity management interface at the OP, meaning the user will have
> to log on to the destination site to invalidate the token.  What if the user
> has 50 of these API connections set up?  That's 50 sites to visit in order
> to manage these tokens.
>
> Like I said, nothing technically wrong with the idea (it's novel), but it
> just doesn't fit with me.
>
> Thank you!
>
> John Ehn
>
> On 8/30/07, James Henstridge <james at jamesh.id.au > wrote:
> >
> > On 30/08/2007, John Ehn < john at extremeswank.com> wrote:
> > > James,
> > >
> > > Sorry, but I'm having problems following the flow.  It seems like an
> > > interesting idea, though.  Can you provide with a little more
> > information on
> > > how these components would interact?
> >
> > Okay.  The basic idea was that instead of creating a special protocol
> > for two OpenID relying parties to communicate with each other was for
> > the web services data provider to act as an OpenID provider.
> >
> > So, lets assume that the data consumer wants an auth token for the
> > user identified by http://user.identifier.url .  With normal OpenID
> > authentication, you'd perform discovery to find the user's OpenID
> > provider.  To request an auth token though we need to talk to the data
> > provider, so instead we skip discovery and perform an authentication
> > request to the data provider's endpoint.  The parameters might look
> > something like this:
> >
> > * openid.mode = checkid_setup
> > * openid.claimed_id = http://user.identifier.url
> > * openid.identity = http://user.identifier.url
> > * openid.return_to = http://data.consumer/. <http://data.consumer/>..
> > * openid.ns.auth = ...
> > * (additional parameters related to the auth token request)
> >
> > The data provider would then decide whether to grant the auth token
> > (possibly by performing OpenID authentication against
> > http://user.identifier.url, and/or asking the user), then send a
> > response back like:
> >
> > * openid.mode = id_res
> > * openid.claimed_id = http://user.identifier.url
> > * openid.identity = http://user.identifier.url
> > * openid.return_to = http://data.consumer/. <http://data.consumer/>..
> > * openid.ns.auth = ...
> > * openid.auth.token = ...
> > * openid.auth.secret = ...
> >
> > The data consumer knows that the request came from the data provider
> > due to the signature on the OpenID response.  The data provider knows
> > which user to create the token for because it was present in the
> > OpenID request.  The data provider can verify that the web browser
> > user is that user because control gets transferred to the data
> > provider during the authentication process.
> >
> > This all assumes that the data consumer has already authenticated the
> > user, so knows which identity URL to request a token for from the data
> > provider.
> >
> > > I was really trying to keep everything dumb and simple.  The concept I
> > was
> > > going for was "piggy-back on OpenID, but include a way to
> > programmatically
> > > log on to the OpenID Provider".  The problem I saw with OpenID was
> > that
> > > there are about a million different ways to authenticate with an
> > OpenID
> > > Provider, from HTML forms to digital certificates.  Most require the
> > User
> > > Agent to be a web browser.  However, there is no standard way to just
> > pass a
> > > credential that can prove that you are who you say you are.
> >
> > Well, OpenID authentication requests are designed to let the OP
> > perform whatever checking they want before sending a response.  So by
> > making the data provider act as an OP, it has the same freedom
> > (including the freedom to issue its own OpenID authentication request
> > to the user's actual OP).
> >
> > > I was trying to solve the problem by coming up with an automatable (if
> > > that's a word) way to authenticate with an OpenID Provider.  If we
> > have
> > > that, there's no need to pass around a special token, because we can
> > just
> > > use standard OpenID authentication if we want to log on to another
> > system.
> > > So, I proposed just having the Consumer get a key from the OpenID
> > Provider
> > > that it can use to automatically authenticate with the Provider in the
> >
> > > future.  The key is passed through the user when it's granted, because
> > you
> > > need the user to approve the whole thing anyway.
> >
> > I think that this makes things more complicated than need be.  If you
> > want an auth token from the data provider it seems better to ask the
> > data provider for the key directly, giving it the chance to
> > authenticate the user before responding.
> >
> > This also has the benefit that it does not require any special
> > features from the user's OP -- the extension is purely concerned with
> > the interaction between data consumer and provider.
> >
> >
> > > I don't expect this extension to fix all problems.  It's only intended
> > to
> > > solve a specific use case (website to website info sharing).  I am
> > working
> > > on two additional extensions which will solve the other problems I
> > see:
> >
> > Sure.  I doubt my suggested workflow would help with those use cases
> > either (at least without some additional components).
> >
> > James.
> >
>
>

------=_Part_2109_19302950.1188575934788
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

<span class="gmail_quote"></span>
<div>I think I see where there might be confusion.&nbsp; When the initial request occurs, we&#39;re actually doing a re-authentication with the client site.&nbsp; So we&#39;re sending a check_id request with the return_to pointing to the client site.&nbsp; Because we have some extra arguments (including the URL of the destination site)&nbsp;in the request, the OP will know that the user should be prompted for permission to grant&nbsp;the limited-use secret to the client site. 
</div>
<div>&nbsp;</div>
<div>From that point foward, when the client site wants to contact the destination site, it acts as a user agent.&nbsp; So, in the case, it will be initiating a logon at the destination site.&nbsp; The destination site follows the normal OpenID protocol to get an assertion from the OpenID Provider.&nbsp; The two sites can then trade cookies, or keep track of query strings, or whatever they want to manage their session. 
<br><br>&nbsp;</div>
<div><span class="e" id="q_114bc73a44bd407e_1">
<div><span class="gmail_quote">On 8/31/07, <b class="gmail_sendername">John Ehn</b> &lt;<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:john at extremeswank.com" target="_blank">john at extremeswank.com</a>
&gt; wrote:</span> 
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div>Well, I&#39;ve slept on it.&nbsp; I think we have a difference in philosophy.</div>
<div>&nbsp;</div>
<div>The other Extesions - AX, Simple Registration, etc.&nbsp;- follow the same data flow methodology:</div>
<div>&nbsp;</div>
<div>RP -&gt; UA -&gt; OP</div>
<div>RP &lt;- UA &lt;- OP</div>
<div>&nbsp;</div>
<div>I believe I&#39;m sticking to the same principles in my spec.&nbsp; We are doing the very same thing when we collect the authentication key (see above).&nbsp; We are even doing the very same thing when we have the sites authenticate with each other.&nbsp; It&#39;s just we have a non-human operating the User Agent.&nbsp; In this case, the RP is the &quot;destination&quot; site, the UA is the &quot;client&quot; site: 
</div>
<div>&nbsp;</div>
<div>RP -&gt;&nbsp;UA -&gt; OP</div>
<div>RP &lt;-&nbsp;UA &lt;- OP</div>
<div>&nbsp;</div>
<div>I think this fits well with what people expect.&nbsp; I also have no problem with having OPs incrementally improve their systems to make them compatible with new extensions.&nbsp; Since there will (eventually) be far more RPs out there than OPs, I think it&#39;s reasonable for them to support the bulk of the extension implementation. 
</div>
<div>&nbsp;</div>
<div>In this case, however, there really isn&#39;t all that much to implement.&nbsp; The following code changes will need to happen at the site that wants access to information at another site (the CC):</div>
<div>&nbsp;</div>
<div>* The form where the user submits their OpenID to grant permission to another site</div>
<div>* Logic that builds a simple&nbsp;OpenID login request with the Trusted Authentication data included, and a redirect to the OP</div>
<div>* A branch to the &quot;id_res&quot; checker that parses the OP response and stores the shared secret</div>
<div>* An automated script that performs OpenID authentication to the DC and retreives data</div>
<div>&nbsp;</div>
<div>The OP needs to implement the following:</div>
<div>&nbsp;</div>
<div>* When receiving a check_id request with Trusted Authentication arguments, send an X-OPENID-TrustedAuthentication HTTP header in the response, and be able to accept a SHA-256 hash as a response&nbsp; - This is not a big deal, and isn&#39;t any form of deviation, because this is the &quot;gray area&quot; in the spec where the UA is supposed to be verified that it&#39;s already logged in, or is prompted for credentials 
</div>
<div>* Add a logic branch that generates a shared secret when requested, stores it, and sends&nbsp;it&nbsp;in the&nbsp;authentication response</div>
<div>* Some form of user interface to manage the stored secrets - very easy</div>
<div>&nbsp;</div>
<div>All but one of these steps would be needed to implement ANY OpenID extension out there.&nbsp; And the only change that is &quot;out of spec&quot; is&nbsp;accepting an SHA-256 hash as an authentication key - which is&nbsp;trivial to implement at an OP. 
</div>
<div>&nbsp;</div>
<div>Conservatively, (with distractions) I think an OP can implement the data passing in less than a couple of hours, and the user interface in a couple of days.</div>
<div>&nbsp;</div>
<div>Although&nbsp;your implementation is sound,&nbsp;and I like a lot of the ideas, they shift a lot of the responsibility to the party receiving the authentication request.&nbsp; I&#39;m not sure I like the idea of having the burden of implementing both an API and a special pseudo-OP.&nbsp; This also removes the power of having a single Identity management interface at the OP, meaning the user will have to log on to the destination site to invalidate the token.&nbsp; What if the user has 50 of these API connections set up?&nbsp; That&#39;s 50 sites to visit in order to manage these tokens. 
</div>
<div>&nbsp;</div>
<div>Like I said, nothing&nbsp;technically wrong with the idea (it&#39;s novel), but it just doesn&#39;t fit with me.</div>
<div>&nbsp;</div>
<div>Thank you!</div><span>
<div>&nbsp;</div>
<div>John Ehn&nbsp;</div>
<div>&nbsp;</div></span>
<div><span><span class="gmail_quote">On 8/30/07, <b class="gmail_sendername">James Henstridge</b> &lt;<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:james at jamesh.id.au" target="_blank">james at jamesh.id.au 
</a>&gt; wrote:</span> </span>
<div><span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">On 30/08/2007, John Ehn &lt;<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:john at extremeswank.com" target="_blank">
 john at extremeswank.com</a>&gt; wrote:<br>&gt; James,<br>&gt;<br>&gt; Sorry, but I&#39;m having problems following the flow.&nbsp;&nbsp;It seems like an<br>&gt; interesting idea, though.&nbsp;&nbsp;Can you provide with a little more information on 
<br>&gt; how these components would interact? <br><br>Okay.&nbsp;&nbsp;The basic idea was that instead of creating a special protocol<br>for two OpenID relying parties to communicate with each other was for<br>the web services data provider to act as an OpenID provider. 
<br><br>So, lets assume that the data consumer wants an auth token for the<br>user identified by <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://user.identifier.url/" target="_blank">http://user.identifier.url 
</a>.&nbsp;&nbsp;With normal OpenID<br>authentication, you&#39;d perform discovery to find the user&#39;s OpenID <br>provider.&nbsp;&nbsp;To request an auth token though we need to talk to the data<br>provider, so instead we skip discovery and perform an authentication 
<br>request to the data provider&#39;s endpoint.&nbsp;&nbsp;The parameters might look <br>something like this:<br><br>* openid.mode = checkid_setup<br>* openid.claimed_id = <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://user.identifier.url/" target="_blank">
http://user.identifier.url</a><br>* openid.identity = <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://user.identifier.url/" target="_blank">http://user.identifier.url </a><br>* openid.return_to = <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://data.consumer/" target="_blank">
http://data.consumer/.</a>..<br>* openid.ns.auth = ...<br>* (additional parameters related to the auth token request)<br><br>The data provider would then decide whether to grant the auth token <br>(possibly by performing OpenID authentication against 
<br><a onclick="return top.js.OpenExtLink(window,event,this)" href="http://user.identifier.url/" target="_blank">http://user.identifier.url</a>, and/or asking the user), then send a<br>response back like:<br><br>* openid.mode
 = id_res<br>* openid.claimed_id = <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://user.identifier.url/" target="_blank">http://user.identifier.url</a><br>* openid.identity = <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://user.identifier.url/" target="_blank">
http://user.identifier.url</a><br>* openid.return_to = <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://data.consumer/" target="_blank">http://data.consumer/.</a>..<br>* openid.ns.auth = ...<br>* openid.auth.token
 = ...<br>* openid.auth.secret = ...<br><br>The data consumer knows that the request came from the data provider<br>due to the signature on the OpenID response.&nbsp;&nbsp;The data provider knows <br>which user to create the token for because it was present in the 
<br>OpenID request.&nbsp;&nbsp;The data provider can verify that the web browser<br>user is that user because control gets transferred to the data<br>provider during the authentication process. <br><br>This all assumes that the data consumer has already authenticated the 
<br>user, so knows which identity URL to request a token for from the data<br>provider.<br><br>&gt; I was really trying to keep everything dumb and simple.&nbsp;&nbsp;The concept I was <br>&gt; going for was &quot;piggy-back on OpenID, but include a way to programmatically 
<br>&gt; log on to the OpenID Provider&quot;.&nbsp;&nbsp;The problem I saw with OpenID was that<br>&gt; there are about a million different ways to authenticate with an OpenID <br>&gt; Provider, from HTML forms to digital certificates.&nbsp;&nbsp;Most require the User 
<br>&gt; Agent to be a web browser.&nbsp;&nbsp;However, there is no standard way to just pass a<br>&gt; credential that can prove that you are who you say you are. <br><br>Well, OpenID authentication requests are designed to let the OP 
<br>perform whatever checking they want before sending a response.&nbsp;&nbsp;So by<br>making the data provider act as an OP, it has the same freedom<br>(including the freedom to issue its own OpenID authentication request <br>to the user&#39;s actual OP). 
<br><br>&gt; I was trying to solve the problem by coming up with an automatable (if<br>&gt; that&#39;s a word) way to authenticate with an OpenID Provider.&nbsp;&nbsp;If we have<br>&gt; that, there&#39;s no need to pass around a special token, because we can just 
<br>&gt; use standard OpenID authentication if we want to log on to another system.<br>&gt; So, I proposed just having the Consumer get a key from the OpenID Provider<br>&gt; that it can use to automatically authenticate with the Provider in the 
<br>&gt; future.&nbsp;&nbsp;The key is passed through the user when it&#39;s granted, because you<br>&gt; need the user to approve the whole thing anyway.<br><br>I think that this makes things more complicated than need be.&nbsp;&nbsp;If you 
<br>want an auth token from the data provider it seems better to ask the<br>data provider for the key directly, giving it the chance to<br>authenticate the user before responding.<br><br>This also has the benefit that it does not require any special 
<br>features from the user&#39;s OP -- the extension is purely concerned with<br>the interaction between data consumer and provider.<br><br><br>&gt; I don&#39;t expect this extension to fix all problems.&nbsp;&nbsp;It&#39;s only intended to 
<br>&gt; solve a specific use case (website to website info sharing).&nbsp;&nbsp;I am working<br>&gt; on two additional extensions which will solve the other problems I see:<br><br>Sure.&nbsp;&nbsp;I doubt my suggested workflow would help with those use cases 
<br>either (at least without some additional components).<br><br>James.<br></blockquote></span></div></div><br></blockquote></div><br></span></div>

------=_Part_2109_19302950.1188575934788--


More information about the specs mailing list