[OpenID] OpenID Auth integrity vs data origin authentication
Peter Williams
pwilliams at rapattoni.com
Sun Aug 26 20:59:38 UTC 2007
Summary
I don't want to have AX delivering method-URI authorizations to the
consumer (based on the FOAF work on another thread, here) if it's
intended that OpenID Auth is intended to evolve to handle method-level
authorizations.
Detail
I've been single-stepping the JanRain c#/Boo reference implementation of
the consumer.
The implementation shows that, in the "checkid_setup" state, the client
invites the server to begin a secure bind - by the server sending an
association-protected token. The consumer will match this to a pending
token stored in session state, in a constant-named dictionary entry.
3 observations:
1. As the Boo consumer uses a constant name to query the name=value
session cache, ASP.NET sessionID would seem to be a critical,
distinguished value in this implementation. After all, it determines
which cached session the OpenID consumer will now query for the
dictionary value, if a checkid_setup response (openid.mode=id_res) is
received.
2. The structure of the code suggests that a consumer could have
multiple outstanding tokens per ASP.NET sessionId, any one of which a
server could target when also presenting a FormsAuthentication cookie,
say.
3. trust_root value is not part of the HMAC'ed consumer-side token
Given the declared function of checkid_setup is to "Ask an Identity
Provider if an End User owns the Claimed Identifier", given the way the
token handling code is written, and given the trust root URI is
distinguished from the claimed URI, let me ask a question:
Is the OpenID Auth architected to allow a more advanced consumer
implementation to ask the server via several checkid_setups whether a
user has "access rights" to a set of particular URIs (e.g. the subweb of
the consumer, the interface methods on some consumer-side "object", or
some consumer-side objects' own URIs)?
I don't want to have AX delivering method-URI authorizations to the
consumer (based on the FOAF work on another thread, here) if it's
intended that OpenID Auth is intended to evolve to handle method-level
authorizations.
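As an added illustration, not the JanRain C#/Boo code the post steps through, the following Python model shows a consumer-side pending token for one checkid_setup round trip. It keeps several outstanding tokens per session keyed by nonce (observation 2) and binds trust_root into the HMAC'd token (observation 3), so an id_res that comes back to a different realm or with a different return_to fails to match. The secret, identifiers and realms are constructed values; the nonce is carried back as a plain response key here, where a real consumer would round-trip it in return_to.

```python
import hashlib
import hmac
import secrets

# Constructed secret for the example; a deployed consumer loads this from
# protected configuration rather than source.
CONSUMER_SECRET = b"constructed-consumer-secret"


def _mac(nonce, claimed_id, trust_root, return_to):
    """HMAC-SHA256 over every value the token is meant to bind.
    Each field is length-prefixed so ('a','bc') and ('ab','c') cannot collide."""
    h = hmac.new(CONSUMER_SECRET, digestmod=hashlib.sha256)
    for field in (nonce, claimed_id, trust_root, return_to):
        data = field.encode()
        h.update(len(data).to_bytes(4, "big"))
        h.update(data)
    return h.hexdigest()


def begin_checkid_setup(session, claimed_id, trust_root, return_to):
    """Issue a pending token for one checkid_setup and file it in the session.
    The cache is keyed by nonce, not by a single constant name, so several
    checkid_setups can be outstanding for the same session without one
    response being able to satisfy any of them."""
    nonce = secrets.token_hex(16)
    token = {
        "nonce": nonce,
        "claimed_id": claimed_id,
        "trust_root": trust_root,
        "return_to": return_to,
        "mac": _mac(nonce, claimed_id, trust_root, return_to),
    }
    session.setdefault("openid_pending", {})[nonce] = token
    return token


def verify_id_res(session, trust_root, response):
    """Match an openid.mode=id_res response to its pending token.
    `trust_root` is the realm of the endpoint that actually received the
    response. This model assumes openid.identity equals the claimed_id the
    token was issued for (no delegation)."""
    if response.get("openid.mode") != "id_res":
        return False, "not an id_res response"
    pending = session.get("openid_pending", {})
    nonce = response.get("nonce", "")
    token = pending.get(nonce)
    if token is None:
        return False, "no pending token for this nonce (unknown or already used)"
    expected = _mac(
        nonce,
        response.get("openid.identity", ""),
        trust_root,
        response.get("openid.return_to", ""),
    )
    if not hmac.compare_digest(expected, token["mac"]):
        return False, "response does not match the identity/trust_root/return_to bound in the token"
    del pending[nonce]  # one-shot: the token is consumed on successful use
    return True, token["claimed_id"]


def demo():
    """Walk through: wrong realm rejected, right realm accepted, replay rejected.
    Returns the three outcomes so they can be checked."""
    session = {}
    tok = begin_checkid_setup(
        session,
        "http://alice.example/",
        "https://consumer.example/app-a/",
        "https://consumer.example/app-a/return",
    )
    resp = {
        "openid.mode": "id_res",
        "nonce": tok["nonce"],
        "openid.identity": "http://alice.example/",
        "openid.return_to": "https://consumer.example/app-a/return",
    }
    wrong_realm, _ = verify_id_res(session, "https://consumer.example/app-b/", resp)
    right_realm, _ = verify_id_res(session, "https://consumer.example/app-a/", resp)
    replay, _ = verify_id_res(session, "https://consumer.example/app-a/", resp)
    return wrong_realm, right_realm, replay


if __name__ == "__main__":
    print(demo())
```

Because trust_root enters the MAC, the same association-protected response cannot be redirected from one consumer-side realm to another and still match a pending token; the consumer's own knowledge of which realm received the response is what closes that gap, since id_res itself carries no trust_root field.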