[OpenID] OpenID provider with gibberish identity URLs to avoid nickname change issues
Stuart Bishop
stuart.bishop at canonical.com
Wed May 30 07:03:43 UTC 2007
Josh Hoyt wrote:
> On 5/28/07, Stuart Bishop <stuart at stuartbishop.net> wrote:
>> I am working on turning a webapp into an OpenID provider. One of the
>> features of the webapp is that the user's nicknames are changeable.
>
> In general, I'd recommend against "turning a webapp into an OpenID
> provider." For security reasons, it's usually better to run a separate
> application that acts as an OpenID provider and enable your
> application as a relying party. There are certainly cases where this
> doesn't make sense (e.g. the purpose of your application is to support
> several single-sign-on protocols for users), but in general, you're
> better off compartmentalizing the OpenID server component so that any
> vulnerabilities in your application won't affect your users' accounts
> on other sites.
This is fairly close to what we are doing - first we are splitting out the
authentication and then turning the various components of the webapp and
various other systems into OpenID consumers once that is in place.
> The problem of recycling identifiers is one that we are attempting to
> tackle right now for OpenID 2.0. In the meantime, your solution will
> definitely work. I think that the usability might be better if the
> redirect were to https://openid.example.com/nickname/<version number>
> so that it's easier for humans who see the URL to differentiate
> between users of your provider.
Hmm... I think I might run with that idea. Thanks :)
> There are two problems with trying to do this with OpenID 1.1. First,
> you can't do the redirection on a per-relying-party basis, because you
> don't know who the relying party is when they request the identity
> URL. Second, the OpenID 1.1 specification does not allow for returning
> a different identifier than the one that was requested.
I see. I hadn't thought this through correctly.
--
Stuart Bishop <stuart.bishop at canonical.com> http://www.canonical.com/
Canonical Ltd. http://www.ubuntu.com/
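The versioned identity URL scheme discussed above (a nickname URL that redirects to https://openid.example.com/nickname/<version>, with the version never reused so a recycled nickname never resolves to the previous holder's identity), worked through as an added example. This is illustration code written for this page, not code from the thread or from any OpenID library; the provider host, the Provider/Account names and the relying-party check are all assumptions. The relying-party function encodes the OpenID 1.1 rule quoted in the thread that the asserted identifier must be the one the relying party asked about.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed provider host for the example; not taken from the thread.
PROVIDER_BASE = "https://openid.example.com"


def identity_url(nickname: str, version: int) -> str:
    """Versioned identity URL, e.g. https://openid.example.com/alice/2."""
    return f"{PROVIDER_BASE}/{nickname}/{version}"


@dataclass
class Account:
    account_id: int
    nickname: str
    version: int


class Provider:
    """Hypothetical provider state. The version counter is kept per nickname
    and only ever increases, so an identity URL, once issued, stays bound to
    the account that received it even after the nickname is released."""

    def __init__(self) -> None:
        self.accounts: Dict[int, Account] = {}
        self.url_to_account: Dict[str, int] = {}  # every versioned URL ever issued
        self.last_version: Dict[str, int] = {}    # nickname -> highest version used
        self.current_holder: Dict[str, int] = {}  # nickname -> account using it now

    def _issue(self, account_id: int, nickname: str) -> str:
        nickname = nickname.lower()
        if nickname in self.current_holder:
            raise ValueError(f"nickname {nickname!r} is taken")
        version = self.last_version.get(nickname, 0) + 1
        self.last_version[nickname] = version
        self.current_holder[nickname] = account_id
        self.accounts[account_id] = Account(account_id, nickname, version)
        url = identity_url(nickname, version)
        self.url_to_account[url] = account_id
        return url

    def register(self, account_id: int, nickname: str) -> str:
        if account_id in self.accounts:
            raise ValueError(f"account {account_id} already exists")
        return self._issue(account_id, nickname)

    def rename(self, account_id: int, new_nickname: str) -> str:
        """Release the old nickname and issue a fresh versioned URL.
        The old URL keeps pointing at this account; it is never reassigned."""
        if new_nickname.lower() in self.current_holder:
            raise ValueError(f"nickname {new_nickname!r} is taken")
        old = self.accounts[account_id]
        del self.current_holder[old.nickname]
        return self._issue(account_id, new_nickname)

    def current_identity(self, account_id: int) -> str:
        acct = self.accounts[account_id]
        return identity_url(acct.nickname, acct.version)

    def resolve(self, url: str) -> Tuple[str, Optional[object]]:
        """What the provider serves for a requested identity URL.
        ("ok", account_id) for any versioned URL ever issued,
        ("redirect", versioned_url) for a bare nickname URL,
        ("gone", None) otherwise."""
        if url in self.url_to_account:
            return ("ok", self.url_to_account[url])
        prefix = PROVIDER_BASE + "/"
        if url.startswith(prefix):
            path = url[len(prefix):]
            if path and "/" not in path:
                holder = self.current_holder.get(path.lower())
                if holder is not None:
                    return ("redirect", self.current_identity(holder))
        return ("gone", None)


def rp_accept_assertion(requested: str, asserted: str) -> bool:
    """Relying-party side: under OpenID 1.1 the provider may not assert a
    different identifier than the one the relying party requested, so a
    response naming any other URL (versioned or not) is rejected."""
    return requested == asserted


if __name__ == "__main__":
    p = Provider()
    print(p.register(1, "alice"))           # .../alice/1
    print(p.rename(1, "alicia"))            # .../alicia/1
    print(p.register(2, "alice"))           # .../alice/2, not alice/1
    print(p.resolve(PROVIDER_BASE + "/alice"))
```

Walking it through: when account 1 renames from alice to alicia and account 2 then registers as alice, the newcomer receives alice/2, while alice/1 still resolves to account 1 at every relying party that stored it. A bare https://openid.example.com/alice redirects to whoever holds the nickname now, which is why the thread notes the versioned form is the one worth showing to humans.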