[OpenID] Problems with delegation and directed identity OPs

John Bradley john.bradley at wingaa.com
Thu Nov 6 18:50:27 UTC 2008


Deron,

My advice is don't delegate to OPs that are using directed identity.

You will get unpredictable results from RPs depending on how they
perform validation of the returned claim.

In an upcoming OpenID 2.1 errata we are hoping to clarify this in the
spec.

In sec 11.2 of OpenID 2.0:

The verification rule is that if either the openid.claimed_id or
openid.identity changes, then discovery must be performed on the
openid.claimed_id, and the openid.op_endpoint must match a URI value in
the OpenID service.

What people get confused about is that if the openid.claimed_id is  
different from openid.identity then openid.identity must match the  
<LocalID> element.

So in your yahoo example your <LocalID> is http://yahoo.com/ and the  
openid.identity is https://me.yahoo.com/a/3Uz4wakJ.....etc.

If they matched then you would be good to go.

However, if you use an RP who is not properly checking the
openid.identity against the discovered information (a lot of them),
anyone with a Yahoo account can log into those RPs as http://deron.meranda.us/

Verisign works because the <LocalID> matches what is returned in  
openid.identity.

Google is not supporting delegation as far as I can tell, probably
smart on their part.

The other thing that you will notice is that RPs are not all doing
service selection according to the XRI 2.0 spec; I have seen priority
ignored or sometimes in reverse order in testing.

That is another thing that needs cleaning up in OpenID 2.1 and the
upcoming XRD spec that replaces XRDS-Simple and Yadis.

I hope this helps.

Regards
John Bradley
=jbradley
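
The sec 11.2 check John describes, as an added example (Python; not code from the original post, from any OP, or from an OpenID library). It parses the signon services from the XRDS quoted in the question below, orders them the way the XRI 2.0 priority rule says an RP should, and then verifies a positive assertion two ways: the full check (openid.op_endpoint against the service <URI>, and, because the claimed identifier is delegated, openid.identity against <LocalID>), and the sloppy variant that only matches the endpoint. The XRDS text and the two response dictionaries are constructed for this example; the openid.op_endpoint values and the me.yahoo.com identifier are placeholders chosen for the demonstration, not values taken from the original messages.

```python
"""Added example: OpenID 2.0 sec 11.2 verification of a positive assertion
against the claimed identifier's discovered XRDS.  Not from the original
post; the XRDS and the responses below are constructed for illustration."""
import xml.etree.ElementTree as ET

XRD_NS = "{xri://$xrd*($v*2.0)}"
SIGNON_TYPE = "http://specs.openid.net/auth/2.0/signon"
CLAIMED_ID = "http://deron.meranda.us/"

# Constructed XRDS for the claimed identifier, using the three services from
# the quoted question (the XML declaration is omitted so ET.fromstring takes it).
CLAIMED_ID_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="1">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://www.google.com/accounts/o8/ud</URI>
      <LocalID>https://www.google.com/accounts/o8/id</LocalID>
    </Service>
    <Service priority="2">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://pip.verisignlabs.com/server</URI>
      <LocalID>https://dmeranda.pip.verisignlabs.com/</LocalID>
    </Service>
    <Service priority="3">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://open.login.yahooapis.com/openid/op/auth</URI>
      <LocalID>http://yahoo.com/</LocalID>
    </Service>
  </XRD>
</xrds:XRDS>
"""

# Constructed positive assertions.  openid.op_endpoint is a required field in
# an OpenID 2.0 positive assertion; the values here are the service URIs above.
VERISIGN_RESPONSE = {
    "openid.claimed_id": CLAIMED_ID,
    "openid.identity": "https://dmeranda.pip.verisignlabs.com/",
    "openid.op_endpoint": "https://pip.verisignlabs.com/server",
}
YAHOO_RESPONSE = {
    "openid.claimed_id": CLAIMED_ID,
    # Directed identity: Yahoo! returns a per-user me.yahoo.com URL that is
    # not the <LocalID> in the XRDS.  Placeholder value, not a real account.
    "openid.identity": "https://me.yahoo.com/a/PLACEHOLDER",
    "openid.op_endpoint": "https://open.login.yahooapis.com/openid/op/auth",
}


def discover(xrds_text):
    """Return the signon services of an XRDS document in the order an RP should
    try them: ascending numeric priority, services with no priority attribute
    last (XRI Resolution 2.0 sec 4.3.3)."""
    root = ET.fromstring(xrds_text)
    services = []
    for svc in root.iter(XRD_NS + "Service"):
        types = [t.text.strip() for t in svc.findall(XRD_NS + "Type") if t.text]
        if SIGNON_TYPE not in types:
            continue
        prio = svc.get("priority")
        local = svc.find(XRD_NS + "LocalID")
        services.append({
            "priority": int(prio) if prio is not None else None,
            "uris": [u.text.strip() for u in svc.findall(XRD_NS + "URI") if u.text],
            "local_id": local.text.strip() if local is not None and local.text else None,
        })
    services.sort(key=lambda s: (s["priority"] is None, s["priority"] or 0))
    return services


def verify_assertion(services, claimed_id, response, check_local_id=True):
    """Sec 11.2 check of a positive assertion about claimed_id, given the
    services from discover() on claimed_id.  Returns (ok, reason).
    check_local_id=False reproduces the sloppy RP behaviour the post warns
    about: the OP endpoint is matched but openid.identity is never compared
    with the discovered <LocalID>."""
    if response.get("openid.claimed_id") != claimed_id:
        return False, "claimed_id in assertion is not the identifier the RP discovered"
    op_endpoint = response.get("openid.op_endpoint")
    identity = response.get("openid.identity")
    candidates = [s for s in services if op_endpoint in s["uris"]]
    if not candidates:
        return False, "no discovered service for OP endpoint %r" % op_endpoint
    if not check_local_id:
        return True, "endpoint matched; identity not checked (insecure)"
    for svc in candidates:
        # Delegated identifier: identity must equal the service's <LocalID>.
        # No <LocalID>: the claimed identifier is used as the identity itself.
        expected = svc["local_id"] if svc["local_id"] is not None else claimed_id
        if identity == expected:
            return True, "endpoint and identity match discovered service"
    return False, "openid.identity %r matches no <LocalID> for endpoint %r" % (identity, op_endpoint)


if __name__ == "__main__":
    svcs = discover(CLAIMED_ID_XRDS)
    for name, resp in (("Verisign", VERISIGN_RESPONSE), ("Yahoo!", YAHOO_RESPONSE)):
        print(name, "strict:", verify_assertion(svcs, CLAIMED_ID, resp))
        print(name, "sloppy:", verify_assertion(svcs, CLAIMED_ID, resp, check_local_id=False))
```

The strict path rejects the Yahoo! assertion for the same reason the RP in the question does (the returned identity is not the <LocalID> the XRDS delegates to), while the endpoint-only path accepts it, which is exactly how any Yahoo! account holder ends up logged in as http://deron.meranda.us/ at an RP that skips the identity comparison.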

Date: Thu, 6 Nov 2008 11:59:07 -0500
From: "Deron Meranda" <deron.meranda at gmail.com>
Subject: [OpenID] Problems with delegation and directed identity OPs
To: "OpenID List" <general at openid.net>
Message-ID:
	<5c06fa770811060859v52f661ael5bccd1fcee1b19b9 at mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

I am trying to use delegation with OPs that use directed identities and
I'm having problems getting it to work.

I want to use my own domain as my claimed identity
<'http://deron.meranda.us/'>, but delegate to a public OP.  So I set up an
XRDS document under my domain (using an X-XRDS-Location header).

I've tried this with three different public OPs that have different behaviors:

  Verisign PIP - fixed identity
  Yahoo! - directed ID, can choose among a set of IDs (default is randomish)
  Google - directed ID, random per-RP identities

The XRDS document I'm serving from my domain contains these services:

        <!--  **** GOOGLE **** -->
        <Service priority="1">
            <Type>http://specs.openid.net/auth/2.0/signon</Type>
            <URI>https://www.google.com/accounts/o8/ud</URI>
            <LocalID>https://www.google.com/accounts/o8/id</LocalID>
        </Service>

        <!-- **** VERISIGN **** -->
        <Service priority="2">
            <Type>http://specs.openid.net/auth/2.0/signon</Type>
            <URI>https://pip.verisignlabs.com/server</URI>
            <LocalID>https://dmeranda.pip.verisignlabs.com/</LocalID>
        </Service>

        <!-- **** YAHOO! **** -->
        <Service priority="3">
            <Type>http://specs.openid.net/auth/2.0/signon</Type>
            <URI>https://open.login.yahooapis.com/openid/op/auth</URI>
            <LocalID>http://yahoo.com/</LocalID>
        </Service>

Now what I'm seeing varies depending on OP (I adjust the priority levels
to test each one)...

Verisign: Works.  My RP gets a success with:
   openid.claimed_id = 'http://deron.meranda.us/'
   openid.identity = 'https://dmeranda.pip.verisignlabs.com/'

Yahoo!: Almost works; Yahoo! let me pick which ID to use and returns
success with
   openid.claimed_id = 'http://deron.meranda.us/'
   openid.identity = 'https://me.yahoo.com/a/3Uz4wakJ.....etc.....'
but then the RP fails while validating the response
   "OpenID authentication failure: No matching endpoint found after
discovering http://deron.meranda.us/"

Google: Works, but I don't keep my claimed id
   openid.claimed_id = 'https://www.google.com/accounts/o8/id?id=AItOaw.....etc.....'
   openid.identity = 'https://www.google.com/accounts/o8/id?id=AItOaw.....etc.....'

So how do I get OPs like Yahoo! and Google to delegate in the same way
that Verisign does?
-- 
Deron Meranda

