[OpenID] Delegation leading to new accounts on websites

John Panzer jpanzer at acm.org
Mon Jun 22 19:48:36 UTC 2009 

+1.  Though on 5, the OP ought to warn the user that they're about to 
authenticate with a login other than the one they typed in originally.  
This may confuse them, but landing them in an RP with a totally new 
identity is arguably worse.

(It would be better of course for the OP to be able to support 
delegation correctly.)

George Fletcher wrote:
> If I understand this correctly...
>
> 1. I enter http://www.flickr.com/photos/gffphotos (shameless plug for 
> my photo stream:)
> 2. The RP  normalizes the "user entered identifier" (in this case it's 
> the same URL)
> 3. The RP does discovery on the "user entered identifier" and the HTML 
> defines the OP as yahoo (no local_id)
> 4. The RP sends the AuthN request with 
> openid.identity=http://www.flickr.com/photos/gffphotos
> 5. Yahoo ignores the openid.identity field and does directed identity
> 6. Yahoo sends back an 
> openid.claimed_id=https://me.yahoo.com/<randomstring>
> 7. Since the openid.identity value the RP sent does not equal the 
> value the OP returned, the RP does discovery on the 
> https://me.yahoo.com/<randomstring>
> 8. Discovery shows that the yahoo OP is indeed authoritative for the URL
> 9. The RP has to ignore the value entered by the user (e.g. 
> http://www.flickr.com/photos/gffphotos) and just use the value the OP 
> returned (e.g. https://me.yahoo.com/<randomestring>) because there is 
> no way to know whether the returned identifier from yahoo actually 
> maps to the value entered by the user
>
> The following is also true if I try and delegate my vanity URL to an 
> flickr based OpenID.
>
> I believe that if the RP sends an identifier for the user that is NOT 
> the directed identity select URL, then the OP should either (A) 
> authenticate only the specified identity or (B) fail the request. 
> Allowing the request to succeed but for an identity totally different 
> than what the user identified to the RP is just confusing.
>
> Thanks,
> George
>
> P.S. More comments inline
>
> John Bradley wrote:
>> George,
>>
>> The combination of directed identity is still a real interop issue 
>> because it is not well explained in openID 2.0.
>>
>> When the claimed_id (less fragment)  or the identity are different in 
>> the response from the request the RP must rediscover the 
>> openid.claimed_id.
>>
>> If delegation was done the openid.identity must match the LocalID in 
>> the XRD.
> I don't think this will work in the Yahoo case. The openid.identity 
> value returned by Yahoo is the https://me.yahoo.com/<randomstring>. If 
> I do a discovery on this identifier, it case say that the "LocalID" at 
> Yahoo is the same value, but that doesn't mean it matches to the URL 
> the user entered at the RP. If the XRDS response, somehow ties the 
> directed identity value back to the flickr URL the all the 
> pseudonymous benefits of directed identity are broken.
>>
>> If the RP doesn't do this step anyone with a Yahoo account can log 
>> into any openID that is delegated to Yahoo.
> It isn't the discovery of the returned openid.claimed_id value that 
> protects against this case. It's the fact that the RP ignores the 
> value the user entered and even it's associated local_id value and 
> instead just uses the values returned by the OP. It is impossible to 
> associate in anyway the value the user entered with the value the OP 
> returns.
>>
>> Yahoo is following the spec as intended. 
>> There is an OSIS test for RPs to check if they are vulnerable to this.
>>
>> If the second discovery verifies then 1 can still be used safely as 
>> the users identifier.
>>
>> I had to sit Johnny Bufu down to explain it to me what they intended 
>> when they wrote 2.0.
>>
>> I couldn't extract the logic from the spec itself for the delegating 
>> to a directed identity flow.
>>
>> John B.
>>
>> On 22-Jun-09, at 11:45 AM, general-request at openid.net 
>> <mailto:general-request at openid.net> wrote:
>>
>>> Date: Mon, 22 Jun 2009 11:44:03 -0400
>>> From: George Fletcher <gffletch at aol.com <mailto:gffletch at aol.com>>
>>> Subject: Re: [OpenID] Delegation leading to new accounts on websites
>>> To: Andrew Arnott <andrewarnott at gmail.com 
>>> <mailto:andrewarnott at gmail.com>>
>>> Cc: "general at openid.net <mailto:general at openid.net>" 
>>> <general at openid.net <mailto:general at openid.net>>
>>> Message-ID: <4A3FA6C3.9060305 at aol.com 
>>> <mailto:4A3FA6C3.9060305 at aol.com>>
>>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>>
>>> Isn't one of the underlying issues the fact that there are really 3 
>>> identifiers in this scenario?
>>> 1. the identifier entered by the user (claimed_id or i-name)
>>> 2. the discovered/resolved identifier ("local_id" or "i-number")
>>> 3. the identifier returned by the OP
>>>
>>> In the case of OpenID 2.0 protocol flow, the RP has to remember #1 
>>> and send #2 as the openid.identity parameter. If the OP does NOT 
>>> return openid.identity == #2, then the OP has chosen to do directed 
>>> identity regardless of the request and the RP must throw out #1 and 
>>> take #3 as the user's identifier.
>>>
>>> This causes some weird user experience issues, but this is what we 
>>> ran into when implementing OpenID 2.0 Relying Party support.
>>>
>>> Thanks,
>>> George
>>
>> = 
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general

More information about the general mailing list