[OpenID] Automatic OP-driven identifier selection leads to "wrong" OpenID URL
John Bradley
ve7jtb at ve7jtb.com
Thu Oct 6 00:21:42 UTC 2011
How the OP allows you to choose or remember what identifier you used at a particular RP is up to the IdP.
The RP could use the regular non-identifier-select flow to the IdP; however, many IdPs like Yahoo just treat all requests as identifier select.
In OpenID 1.1 the RP couldn't pick the identifier; it could only use the URL that the user entered (after normalization).
The difference between OpenID 1 and OpenID 2 is that the OP returns the identifier and it could be anything.
The issues are slightly different for OPs like Google that use automatically generated pairwise identifiers for each RP to protect privacy and prevent correlation.
In the pairwise identifier case, if you change the RP realm each time you would never be able to log back in, so that is probably a bad idea.
I would have to know the OP to explain what they are actually doing. It may not be quite what you are imagining.
Regards
John B.
On 2011-10-05, at 8:31 PM, ChO₂ wrote:
> Dear List,
>
> I have a question about OP-driven identifier selection. When I
> authenticate with an RP using OpenID, my OP lets me choose between
> several identifiers. Next time I log in to the same site, my OP will
> automatically use the same identifier again and I am not given the
> option to change this behavior. While this is very useful in most cases,
> it may cause problems:
>
> 1) I cannot identify to the same RP with several different identities
> that belong to the same OP account.
> 2) If an RP moves to a different URL and I choose the wrong identifier on
> my next login, I'll be locked out from my RP account forever.
> 3) I cannot tell my OP to use a different identifier for a particular
> RP, e.g. in order to confirm my email address.
> 4) When two RPs decide to merge, I will lose access to either account
> and I can't merge the two accounts.
> 5) The OP may authenticate the user as the wrong identity even when the
> user has entered a different but complete OpenID identifier.
>
> Does someone have an idea how these issues are supposed to be addressed?
>
> A possible workaround would be to modify the RP so that it pretends to
> be a different RP on each log in (or when the user requests it to do
> so). This would prevent the OP from automatically authenticating the
> user with the "wrong" identifier.
>
> I would also be interested to learn whether there's a way for RPs to
> disable OP-driven identifier selection in OpenID v2.0 (i.e. the
> identifier will be chosen by the RP, as in OpenID v1).
>
> Regards, ChO2
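As an added illustration (not code from this thread or from any OpenID library), the Python below sketches the two request modes John contrasts (RP-pinned identifier as in OpenID 1.1 versus identifier_select), a toy pairwise OP keyed on the realm (an assumed model, not Google's actual scheme) that shows why varying the realm as ChO2 proposes yields a different identifier each time, and the RP-side check that the asserted claimed_id is one the RP may accept. The `discovered_op_endpoint` callback is an assumed stand-in for running discovery on the returned identifier.

```python
import hashlib
import hmac

# Constants defined by the OpenID 2.0 specification.
OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"


def build_checkid_request(return_to, realm, claimed_id=None):
    """Parameters of a checkid_setup request. Without a claimed_id the RP asks
    the OP to pick the identifier (OP-driven identifier selection); with one,
    the RP pins the user-entered, already normalized URL, as in OpenID 1.1."""
    ident = claimed_id or IDENTIFIER_SELECT
    return {"openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
            "openid.claimed_id": ident, "openid.identity": ident,
            "openid.return_to": return_to, "openid.realm": realm}


def pairwise_identifier(op_base, account, realm, op_secret):
    """Toy model (an assumption, not any real OP's scheme) of a pairwise OP:
    the identifier is derived from the account *and* the RP realm, so a
    different realm produces a different, unlinkable identifier."""
    tag = hmac.new(op_secret, f"{account}|{realm}".encode(), hashlib.sha256)
    return f"{op_base}/id/{tag.hexdigest()[:16]}"


def verify_assertion(request, response, discovered_op_endpoint):
    """RP-side checks on an id_res response. discovered_op_endpoint(claimed_id)
    stands in for performing discovery on the asserted identifier; signature,
    nonce and association checks are out of scope for this sketch."""
    if response.get("openid.mode") != "id_res":
        return False
    if response.get("openid.return_to") != request["openid.return_to"]:
        return False
    claimed = response.get("openid.claimed_id", "")
    rp_pinned = request["openid.claimed_id"] != IDENTIFIER_SELECT
    if rp_pinned and claimed != request["openid.claimed_id"]:
        return False  # RP chose the identifier; the OP may not substitute one
    if claimed in ("", IDENTIFIER_SELECT):
        return False  # under identifier_select the OP must return a concrete URL
    # In both modes the OP that answered must be the one discovery names for
    # claimed_id; without this, any OP could assert any identifier it likes.
    return discovered_op_endpoint(claimed) == response.get("openid.op_endpoint")
```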