[OpenID] google/myopenid/plaxo. Ensuring Authority to delegate or assert

Peter Williams pwilliams at rapattoni.com
Sun May 31 20:33:44 UTC 2009


Was wondering whether it is time, as a (future) RP, to consider deploying the open source freexri server suite, to facilitate large scale delegation (by RPs).



So, I played with services already offered by others - with some success. Though the sites involved are rather technical, the experiment proved to me that useful stuff can all be done - and be done as you'd expect on the multi-vendor web. Far from being a naive protocol, the openid auth protocol is proving remarkably adept - in principle - at some advanced security models.



The final result (today) is less than one would expect though.



My gut feeling is that just a little, focused inter-vendor testing would get us past the hurdles seen - giving openid a shot at a much higher reputation as a general-purpose, security services infrastructure.



1. Google



freexri.org is an RP that allows one to log in with an openid. So, I clicked Login, and at the end of the page I entered the default openid from google: https://www.google.com/accounts/o8/id.



That RP now allows me to register a name. I chose @blog*googlelock.



In the openid section, there are many options: I simply chose the SSO defaults, introduced by "I already have an OpenID. I want @blog*googlelock to point to my existing OpenID".



This is supposed to allow me to bind my shiny new name to the yet more ugly one google assigned me, at this RP. It auto-detects (and will not allow override of) the google server URL https://www.google.com/accounts/o8/ud.



Choosing to log out of this service, I saw fit to now question whether it would work: Can I log back in again via websso using my shiny new name for my google openid: @blog*googlelock, where google would properly do its stuff (just as last time)?



The RP nicely warned me that "we are now going to ask your OpenID provider at https://www.google.com/accounts/o8/ud to authenticate you."



Taking the option, the Google OP gets upset and will not provide me with its otherwise excellent openid experience.



Trying a sign-in via openid at plaxo, a similar experience occurs, where one gets a google error, given the URL https://www.google.com/accounts/o8/ud?openid.assoc_handle=AOQobUfimkyFKo72LaBqy8WWzX1POQY6rYCDsacHh922vIXhQF99HM8NDCOEYDVIiJE_8l17&openid.ax.mode=fetch_request&openid.ax.required=attr1%2Cattr2%2Cattr3%2Cattr4%2Cattr5&openid.ax.type.attr1=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.ax.type.attr2=http%3A%2F%2Faxschema.org%2FnamePerson%2Ffirst&openid.ax.type.attr3=http%3A%2F%2Faxschema.org%2FnamePerson%2Flast&openid.ax.type.attr4=http%3A%2F%2Faxschema.org%2Fcontact%2Fcountry%2Fhome&openid.ax.type.attr5=http%3A%2F%2Faxschema.org%2Fpref%2Flanguage&openid.claimed_id=%40%21E459.819D.771.7990%210e1d.ffec.2286.5ece&openid.identity=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid&openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1&openid.realm=http%3A%2F%2F%2A.plaxo.com&openid.return_to=http%3A%2F%2Fwww.plaxo.com%2Fopenid%3FactionType%3Dcomplete%26r%3D%252Fevents&openid.sreg.optional=nickname%2Cemail%2Cfullname%2Cdob%2Cgender%2Cpostcode%2Ccountry%2Clanguage%2Ctimezone&openid.sreg.policy_url=http%3A%2F%2Fwww.plaxo.com%2Fabout%2Fprivacy&openid.sreg.required=email&openid.trust_root=http%3A%2F%2F%2A.plaxo.com





2. myopenid



Then, I tried all the above steps again, dumping Google for myopenid (a solid standby for conformance and interoperability).



1. Sign up to freexri.com using https://home_pw.myopenid.com

2. Minted myself another name @blog*myopenidlock as a result of the myopenid assertion that I released, post SSL client-cert based authentication

3. Chose to let freexri.com register that my shiny new name should point to myopenid

4. Log out of RP

5. Sign back in to RP using @blog*myopenidlock



But I then ran into authority problems: "myOpenID is not authorized to verify that @!E459.819D.771.7990!7211.555a.66db.2c40 is your identifier. If it is your identifier, you can set up myOpenID to verify it. See the help page <https://www.myopenid.com/help#own_domain> for more information."



When trying to exploit the shiny new @blog*myopenidlock at plaxo's openid page, there is a fair amount more success in contrast (assuming "success" is not really simply a failure to properly handle the authority of name spaces).



Assuming I'm happy to release assertions from myopenid (which DID cooperate with clickpass.com/plaxo) to some entity known as clickpass.com, I was ultimately given the opportunity to bind (some or other verified name) to my plaxo account.



In SAML2 terms, I seem to have now got from the openid and freexri movement most of what I would have got from the SAML standard implementing the relying party name-affiliation model for directed/pseudonymous identities (when half-crossed with the SAML2 name id mapping function, performed by an *RP* rather than IDP).
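An added example, in Python, that is not part of the post above and is not code from freexri, Google, myOpenID or Plaxo. It makes concrete the two checks that sit behind the errors reported above: it parses the checkid_setup request quoted in the Google section (the AX and SREG extension parameters are dropped for brevity), checks that openid.return_to falls inside openid.realm in the manner of OpenID Authentication 2.0 section 9.2, and runs the delegation-consistency check that an OP applies before it asserts a claimed identifier it did not mint, and that an RP applies when it verifies the returned assertion against its own discovery (section 11.2). The discovery table, the example i-names and the example domains are constructed for illustration; treating the bare suffix domain as matched by a wildcard realm is an assumption, not something the post states.

```python
from urllib.parse import urlparse, parse_qs

# The checkid_setup request quoted in the post (Plaxo RP -> Google OP),
# with the AX/SREG extension parameters omitted for brevity.
SAMPLE_REQUEST = (
    "https://www.google.com/accounts/o8/ud?"
    "openid.assoc_handle=AOQobUfimkyFKo72LaBqy8WWzX1POQY6rYCDsacHh922vIXhQF99HM8NDCOEYDVIiJE_8l17"
    "&openid.claimed_id=%40%21E459.819D.771.7990%210e1d.ffec.2286.5ece"
    "&openid.identity=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid"
    "&openid.mode=checkid_setup"
    "&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
    "&openid.realm=http%3A%2F%2F%2A.plaxo.com"
    "&openid.return_to=http%3A%2F%2Fwww.plaxo.com%2Fopenid%3FactionType%3Dcomplete%26r%3D%252Fevents"
    "&openid.trust_root=http%3A%2F%2F%2A.plaxo.com"
)


def parse_openid_request(url):
    """Return the openid.* query parameters of a request URL, prefix stripped."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    return {k[len("openid."):]: v[0] for k, v in query.items() if k.startswith("openid.")}


def realm_matches(realm, return_to):
    """OpenID 2.0 section 9.2: scheme and port equal, URL path equal to or below
    the realm path, host equal to the realm host or, for a leading "*." wildcard,
    ending in the suffix after it.  Overly general wildcards (e.g. *.com) are
    refused.  Assumption: the bare suffix domain itself is also accepted."""
    r, u = urlparse(realm), urlparse(return_to)
    if r.scheme != u.scheme or r.port != u.port:
        return False
    rpath, upath = r.path or "/", u.path or "/"
    if not (upath == rpath or upath.startswith(rpath.rstrip("/") + "/")):
        return False
    rhost, uhost = r.hostname or "", u.hostname or ""
    if rhost.startswith("*."):
        suffix = rhost[2:]
        if "." not in suffix:          # *.com, *.org ... are not acceptable realms
            return False
        return uhost == suffix or uhost.endswith("." + suffix)
    return uhost == rhost


# Constructed discovery results: what an XRDS lookup on each i-name is assumed
# to return as (OP endpoint, OP-local identifier).  Not real resolution data.
DISCOVERY = {
    # an RP-minted name delegating cleanly to the user's OP and OP-local id
    "@blog*example": ("https://op.example/server", "https://alice.op.example/"),
    # a name whose XRDS points at some other OP than the one asked to sign
    "@blog*elsewhere": ("https://other-op.example/server", "https://alice.op.example/"),
}


def delegation_problem(claimed_id, identity, op_endpoint, discover):
    """Return None when (claimed_id, identity, op_endpoint) agrees with discovery
    on claimed_id, else a short reason.  An OP runs this before signing an
    assertion for a claimed_id it did not issue; an RP runs it on the returned
    assertion (OpenID 2.0 section 11.2).  `discover` maps an identifier to
    (op_endpoint, local_id) or None."""
    found = discover(claimed_id)
    if found is None:
        return "no OpenID service discovered for claimed identifier"
    disc_endpoint, disc_local_id = found
    if disc_endpoint != op_endpoint:
        return "claimed identifier delegates to a different OP endpoint"
    if (disc_local_id or claimed_id) != identity:
        return "local identifier does not match the one discovery yielded"
    return None


if __name__ == "__main__":
    req = parse_openid_request(SAMPLE_REQUEST)
    print("claimed_id:", req["claimed_id"], "identity:", req["identity"])
    print("return_to inside realm:", realm_matches(req["realm"], req["return_to"]))
    for name in ("@blog*example", "@blog*elsewhere", "@nobody*here"):
        print(name, "->", delegation_problem(name, "https://alice.op.example/",
                                             "https://op.example/server", DISCOVERY.get))
```

The request parses cleanly and its return_to is inside the wildcard realm, so that part of the exchange is sound; what the OPs in the post objected to is the second check, where an RP-minted name is presented as the claimed identifier while the OP receiving the request cannot confirm, from discovery on that name, that it is the authoritative provider for it with the stated local identifier.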




