[OpenID] Password age and password reset

Andrew Arnott andrewarnott at gmail.com
Fri May 15 00:22:48 UTC 2009


Peter, the claimed identifier which the RP associates with the local
user account is the same for every login regardless of which OP in the
xrds is selected to authenticate the user. You seemed to say that if
OP #3 was selected the RP might not recognize the asserted user but
the selected OP should be irrelevant. Or am I misunderstanding you?

On Thursday, May 14, 2009, Peter Williams <pwilliams at rapattoni.com> wrote:
> "Every RP must be conscious of which OP asserted the user the last time he logged into the RP in order to verify the assertion."
>
> Here is my logic.
>
>
> User goes to Rapattoni RP. User types in (or selects) vanity openid. Openid Auth completes, once the RP selects 1 of several available OPs published by the user. RP specific logic then takes the final state of openid auth protocol engine (the identity claim) and maps it -- using local means -- to an already provisioned (local) RP account, which mints a local session. No further interaction with openid auth protocol occurs for the duration of the session, and the openid state is discarded (having no further role to play).
>
> When the local session times out, the user is prompted with a Rapattoni local logon page (which may be an IDP accessed by SAML redirect or Microsoft ASP.NET formsauth/ASP.NET sessionid fault-based redirect, for all it matters). If the user clicks app logout, similarly, the local IDP is accessed and rendered - whose landing page may present a list of OPs in addition to the local (password) authentication controls.
>
> The openid authn procedure (above) then happens again, by user choice. Per the rules, the RP happened to select the 2nd of the OPs in the users XRDS, which happens to match the second openid bound to an RP local account. Life is similarly fine. On logout, the local IDP screen is presented.
>
> The third time through, the RP selects the 3rd OP published in the user's XRDS which does law#4, and returns an openid URL to which no RP local account is actually bound.  There are no exception procedures in the standard for this case, the RP does NOT attempt to recover from this failure, the RP does not recall the 2nd openid used: and, it does not talk to the 2nd OP soliciting an assertion "for the last openid used".
>
> Is there anything abnormal about what I wrote above?
>
>
>
>
>
>
> ________________________________
> From: Andrew Arnott [andrewarnott at gmail.com]
> Sent: Wednesday, May 13, 2009 4:54 PM
> To: Peter Williams
> Cc: Breno de Medeiros; Santosh Rajan; general at openid.net
> Subject: Re: [OpenID] Password age and password reset
>
> Why do you say the RP doesn't know which OP introduced the current session?  If it cared to know, it could store that information easily enough.  Every RP must be conscious of which OP asserted the user the last time he logged into the RP in order to verify the assertion.
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
>
>
> On Wed, May 13, 2009 at 12:23 PM, Peter Williams <pwilliams at rapattoni.com> wrote:
> In the delegated case, the rp does not know which op introduced the current session.  The id and endpoint of the asserting op is not stored state info. The op used on the next run of openid auth may not be the same as the previous session (since it depends on criteria, and the latest vals in the vanity xrds). If we had identity-less transactions (that "resume" a previous security context, cryptographically) we'd be in better shape.
>
> -----Original Message-----
> From: Breno de Medeiros <breno at google.com>
> Sent: Wednesday, May 13, 2009 2:44 PM
> To: Peter Williams <pwilliams at rapattoni.com>
> Cc: Santosh Rajan <santrajan at gmail.com>; general at openid.net
> Subject: Re: [OpenID] Password age and password reset
>
>
> On Wed, May 13, 2009 at 11:07 AM, Peter Williams
> <pwilliams at rapattoni.com> wrote:
>> Out of interest, assuming the user has bound several openids to the rp account, which op gets all this data? The one introducing the current session, or all of them?
>
> I assume the OP that the user is trying to use to login now?
>
>>
>> Does the rp using a vanity openid need the users consent before reporting suspicious or improper (user) conduct to a third party (the op)? Or should the transfer be covert?
>
> In what I am proposing the transfer is intermediated by the browser,
> so not covert.
>
>
>
> --
> --Breno
>
> +1 (650) 214-1007 desk
> +1 (408) 212-0135 (Grand Central)
> MTV-41-3 : 383-A
> PST (GMT-8) / PDT(GMT-7)
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the
death your right to say it." - S. G. Tallentyre
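The point Andrew makes at the top of this message, as an added example (not code from the thread or from any OpenID library): an RP that binds local accounts to the claimed identifier and checks the asserting OP against what discovery returned, so whichever of several OPs listed in the user's XRDS authenticates the user, the lookup resolves the same account. All endpoints, identifiers and the account table are constructed for illustration.

```python
# Constructed discovery result for a vanity identifier: three OP services,
# each with its own OP-local identifier (delegation). An OpenID 2.0 RP may
# pick any of them, normally lowest priority value first.
VANITY_ID = "https://alice.example/"
DISCOVERED_SERVICES = [
    {"priority": 10, "op_endpoint": "https://op1.example/auth", "local_id": "https://op1.example/u/alice"},
    {"priority": 20, "op_endpoint": "https://op2.example/auth", "local_id": "https://op2.example/id/alice-2"},
    {"priority": 30, "op_endpoint": "https://op3.example/auth", "local_id": "https://op3.example/people/a"},
]

# Constructed RP account table, keyed on the claimed identifier only,
# never on an OP-local identifier or OP endpoint.
LOCAL_ACCOUNTS = {"https://alice.example/": {"user_id": 42, "name": "alice"}}


def select_service(services, run):
    """Service used on login number `run`: priority order, rotating so a
    different OP is chosen each time (simulates Peter's three runs)."""
    ordered = sorted(services, key=lambda s: s["priority"])
    return ordered[run % len(ordered)]


def build_assertion(service, claimed_id):
    """Constructed positive assertion as the OP would return it (signature omitted)."""
    return {"openid.claimed_id": claimed_id,
            "openid.identity": service["local_id"],
            "openid.op_endpoint": service["op_endpoint"]}


def verify_discovered(assertion, services):
    """OpenID 2.0 sec. 11.2: the op_endpoint and identity in the assertion must
    match a service discovered for the claimed_id, or the assertion is rejected."""
    return any(s["op_endpoint"] == assertion["openid.op_endpoint"]
               and s["local_id"] == assertion["openid.identity"] for s in services)


def map_to_account(assertion, services):
    """Correct RP mapping: verify discovery, then look up by claimed_id."""
    if not verify_discovered(assertion, services):
        return None
    return LOCAL_ACCOUNTS.get(assertion["openid.claimed_id"])


def map_by_local_id(assertion):
    """The failure mode described in the thread: keying on the OP-local id,
    which changes with the OP selected, so some runs find no account."""
    return LOCAL_ACCOUNTS.get(assertion["openid.identity"])


def login_run(run):
    """Returns (correct-mapping result, local-id-mapping result) for one login."""
    assertion = build_assertion(select_service(DISCOVERED_SERVICES, run), VANITY_ID)
    return map_to_account(assertion, DISCOVERED_SERVICES), map_by_local_id(assertion)
```

Run `login_run(0)`, `login_run(1)` and `login_run(2)`: the claimed-id lookup finds account 42 every time, while the local-id lookup finds nothing, and an assertion from an endpoint that discovery did not return is rejected before any lookup.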


