[OpenID] Graphical UIs
George Fletcher
gffletch at aol.com
Thu May 14 19:58:10 UTC 2009
Great topic! When it comes to customizing the OP UI based on the RP...
I'm very concerned about "phishing" (e.g. one site causing another
site's UI customizations to be displayed and confusing/tricking the user).
I wonder if we couldn't leverage off the existing OpenID + OAuth hybrid
to create a mechanism to deliver a signed OpenID AuthN request. If the
signature is valid, the customizations are displayed. If the signature
doesn't match, then just display the "generic" UI. This way the user
isn't kept from logging in, but the UI customizations are only displayed
if the invoking service is verified.
Thanks,
George
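The mechanism George sketches, as an added example that is not part of the original thread and not any OP's actual code: the RP signs the fields of its OpenID authentication request with a secret it shares with the OP (assumed here to be an OAuth consumer secret of the kind the hybrid would provide), and the OP shows the RP's branding only when that signature verifies, falling back to the generic page otherwise so the user can still log in. The `request_sig` parameter name, the `REGISTERED_RPS` registry and the `photos.example.com` RP are hypothetical.

```python
import hashlib
import hmac
import urllib.parse

# Constructed registry for this example: RPs that hold a secret shared with the
# OP (e.g. issued when the RP registered as an OAuth consumer). Hypothetical.
REGISTERED_RPS = {
    "photos.example.com": {
        "secret": b"consumer-secret-issued-out-of-band",
        "display_name": "Example Photos",
        "logo_url": "https://photos.example.com/brand.png",
    },
}

# Fields bound by the signature. return_to and realm are included so that a
# captured signed request cannot be replayed with a different destination.
SIGNED_FIELDS = ("openid.mode", "openid.realm", "openid.return_to", "oauth_consumer_key")

GENERIC_UI = {"branded": False, "display_name": None, "logo_url": None}


def canonical_string(params):
    """Deterministic string-to-sign; absent fields sign as empty so both sides agree."""
    return "&".join(
        "%s=%s" % (name, urllib.parse.quote(params.get(name, ""), safe=""))
        for name in SIGNED_FIELDS
    )


def sign_request(params, secret):
    """RP side: attach an HMAC-SHA256 over the bound fields as request_sig (hypothetical name)."""
    mac = hmac.new(secret, canonical_string(params).encode("utf-8"), hashlib.sha256).hexdigest()
    signed = dict(params)
    signed["request_sig"] = mac
    return signed


def choose_ui(params):
    """OP side: the RP's branding only if the request signature verifies, else the generic UI."""
    rp = REGISTERED_RPS.get(params.get("oauth_consumer_key", ""))
    if rp is None:
        return GENERIC_UI  # unknown or absent consumer key: nothing to verify against
    expected = hmac.new(rp["secret"], canonical_string(params).encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, params.get("request_sig", "")):
        return GENERIC_UI  # bad or missing signature: login proceeds, branding does not
    # Simplified realm check; an OpenID 2.0 OP must in any case confirm that
    # return_to matches the realm before redirecting the user there.
    realm = params.get("openid.realm", "")
    if not realm or not params.get("openid.return_to", "").startswith(realm):
        return GENERIC_UI
    return {"branded": True, "display_name": rp["display_name"], "logo_url": rp["logo_url"]}


def demo():
    """The legitimate request next to two phishing-style variants and an unsigned one."""
    base = {
        "openid.mode": "checkid_setup",
        "openid.realm": "https://photos.example.com/",
        "openid.return_to": "https://photos.example.com/openid/return",
        "oauth_consumer_key": "photos.example.com",
    }
    genuine = sign_request(base, REGISTERED_RPS["photos.example.com"]["secret"])
    # Attacker captures the genuine request and points return_to at their own site.
    tampered = dict(genuine, **{"openid.return_to": "https://evil.example.net/harvest"})
    # Attacker claims to be the RP but does not hold its secret.
    forged = sign_request(base, b"guessed-secret")
    return {
        "genuine": choose_ui(genuine),
        "tampered": choose_ui(tampered),
        "forged": choose_ui(forged),
        "unsigned": choose_ui(base),
    }


if __name__ == "__main__":
    for name, ui in demo().items():
        print(name, "->", "branded" if ui["branded"] else "generic")
```

Only the genuine request gets the branded page; the replayed-and-tampered, forged and unsigned ones all fall back to the generic UI rather than being refused, which is the behaviour George asks for. Binding `return_to` into the signature is what stops a site from borrowing another RP's branding while sending the user somewhere else.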
Breno de Medeiros wrote:
> Taking the opportunity of the popup UI announcement, I would like to
> open a conversation that is not necessarily OpenID specific, but which
> is certainly directly related to our OpenID UI implementation. So this
> forum is probably as good as any to take it up. I am talking about
> branded graphics representing RPs in the OP authorization page. Or
> even ye olde favicon.ico's.
>
> We would like to be able to do that without managing whitelists.
> Currently we have a few whitelisted RPs for which we show a page that
> includes their favicon.ico via whitelisting, but that comes with high
> overhead. Instead, I have in mind something simple and not really
> OpenID specific. A site that wants its favicons to show up in 3rd
> party sites to represent them can add a link to some well-known
> location. I am thinking the /host-meta or /.well-known/host-meta
> proposed URL, containing a single Link syntax such as:
>
> Link: </favicon.ico>;
> rel="http://example.com/use_this_image_to_represent_my_brand_in_approval_pages_for_authorization_requests_if_I_send_users_your_way"
>
> The reason why this is useful is that simply because someone posts a
> favicon.ico in their website, it does not mean that they have approved
> it being used for other purposes beyond showing up on the URL bar of
> user's browsers. So scraping RP's favicons without something like this
> may not be feasible.
>
> Of course, such a simple mechanism can support publishing other icon
> sizes, for example.
>
> I understand that there are many questions (phishing comes to mind)
> that this proposal does not address, and that some (maybe most)
> parties may want to enforce whitelists in all circumstances. On the
> other hand, it could turn out to be useful and easy to implement.
>
>
>
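The host-meta mechanism Breno proposes, as an added example that is not part of the original thread and not Google's or any OP's code: a parser for the Link syntax he shows, which collects only the icons an RP has explicitly published under the proposed rel value, resolves them against the RP's own host and discards any that point elsewhere. The `photos.example.com` host, the sample document and the function names are constructed for this example; the rel URI is the one from the message above.

```python
import re
import urllib.parse

# The rel value from the proposal; an RP advertises its icon under this rel.
BRAND_REL = ("http://example.com/use_this_image_to_represent_my_brand_in_approval_pages"
             "_for_authorization_requests_if_I_send_users_your_way")

_LINK_VALUE = re.compile(r'^\s*<([^>]*)>\s*(.*)$')
_PARAM = re.compile(r'\s*([A-Za-z0-9*_-]+)\s*=\s*(?:"([^"]*)"|([^;,\s]*))')


def _split_link_values(value):
    """Split a Link header on commas that are not inside double quotes."""
    out, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            out.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    out.append("".join(buf))
    return [v for v in out if v.strip()]


def parse_links(host_meta_text):
    """Yield (target, params) for each link-value on a Link: line of a Link-syntax host-meta."""
    for line in host_meta_text.splitlines():
        if not line.lower().startswith("link:"):
            continue
        for link_value in _split_link_values(line[5:]):
            m = _LINK_VALUE.match(link_value)
            if not m:
                continue  # malformed link-value: skip rather than guess
            target, rest = m.group(1), m.group(2)
            params = {}
            for pm in _PARAM.finditer(rest):
                params[pm.group(1).lower()] = pm.group(2) if pm.group(2) is not None else pm.group(3)
            yield target, params


def brand_icons(rp_host, host_meta_text):
    """Absolute icon URLs the RP explicitly offered for branding.

    Targets are resolved against https://<rp_host>/ and restricted to that host,
    so a document cannot point the OP at an image hosted under someone else's
    name. Whether to display them at all remains a separate trust decision.
    """
    base = "https://%s/" % rp_host
    icons = []
    for target, params in parse_links(host_meta_text):
        rels = params.get("rel", "").split()
        if BRAND_REL not in rels:
            continue  # an ordinary favicon link is not consent for reuse
        url = urllib.parse.urljoin(base, target)
        parts = urllib.parse.urlsplit(url)
        if parts.scheme != "https" or parts.netloc.lower() != rp_host.lower():
            continue  # off-host or non-https target: do not hot-link it
        icons.append(url)
    return icons


# Constructed host-meta document for photos.example.com (not a real site).
SAMPLE_HOST_META = '''\
Link: </favicon.ico>; rel="%s"
Link: </icons/brand-64.png>; rel="%s"; type="image/png", </humans.txt>; rel="author"
Link: <https://bank.example/favicon.ico>; rel="%s"
''' % (BRAND_REL, BRAND_REL, BRAND_REL)


if __name__ == "__main__":
    for url in brand_icons("photos.example.com", SAMPLE_HOST_META):
        print(url)
```

On the sample document the first two links are accepted (the second line also shows a second icon size and an unrelated link sharing one header), while the third is dropped because it points at a different host. This addresses only the consent question Breno raises; it does nothing about a look-alike domain publishing a copied icon, which is the phishing case he leaves open.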