[OpenID] One-Click OpenID: A Solution to the NASCAR Problem
John Bradley
ve7jtb at ve7jtb.com
Thu Feb 16 22:02:20 UTC 2012
At some future point there may be many IdPs with rich attributes and APIs that RPs are willing to take.
Probably they need to have some sort of trust framework or central management to track that information.
I agree that RP preference needs to be fed into the mix, though doing that without leaking PII to a potential RP is an issue.
With Account Chooser, while it asks for an email address, the IdP doesn't need to be an email provider. Only the domain name is used to perform discovery at this time.
It is a mistake for the RP to treat the user input string as being validated in any way.
The reason for asking for an email address is that people tend to understand the question, and if the domain doesn't have an SSO service the email can be used to bootstrap the local account creation process.
If we can come up with another identifier type/description that is understandable to users, that could be used as well.
I think Account Chooser is the path most likely to succeed. It also has the advantage of being protocol agnostic.
It could work with OpenID 2, OpenID Connect, SAML or other protocols if the RP supports them.
It also allows the IdP flexibility on the primary authenticator. Custom soft certs, smart cards, phones, or other methods can be used.
Regards
John B.
On 2012-02-16, at 6:12 PM, Allen Tom wrote:
> Hi Francisco,
>
> Thanks for sharing!
>
> One of the appealing aspects of your proposal is that it enables users to login with an account from any OpenID Provider, as opposed to being limited to a small set of NASCAR buttons. However, websites generally limit the choices available to users in order to persuade the user to login using a high value account with data and services (name, verified email address, social sharing, profile, Likes, etc).
>
> In practice, not many websites want users to log in with 3rd party accounts unless they're guaranteed to get some data/services - it seems that most sites would rather have the user register a new local account with a password if the user doesn't want to use one of the NASCAR buttons. Account Chooser and Mozilla's BrowserID are both relatively email-address centric because a verified email address seems to be the bare minimum that sites need to get in order to justify accepting a 3rd party login relative to just registering a local account.
>
> Does your proposal have a way for an RP to specify the requirements for accounts that are acceptable for users to login with? For instance, an RP may only accept OpenIDs from OPs that share the user's verified email address.
>
> Thanks
> Allen
>
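As an added illustration of the Account Chooser bootstrap John describes above (this is example code written for this page, not code from the thread or from the Account Chooser project): the RP extracts only the domain from whatever the user typed, builds a host-level WebFinger query in the style of OpenID Connect Discovery, and then chooses between a federated login and local account creation. The hostnames and the domain-to-issuer table standing in for WebFinger responses are constructed for the example, no network request is made, and nothing the user typed is ever recorded as a verified email.

```python
"""Added example: Account Chooser style login bootstrap on the RP side.

Only the domain of the typed string drives discovery; the string itself is
never treated as a verified identifier.  Hostnames and the issuer table are
constructed for this example (no network I/O is performed).
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import quote

# OpenID Connect Discovery WebFinger relation used to locate the issuer.
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"

# RFC 1123 hostname label: 1-63 letters/digits/hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def discovery_domain(user_input: str) -> Optional[str]:
    """Return the lower-cased domain part of the typed string, or None if it is
    not usable as a discovery hint.  The local part is deliberately ignored."""
    text = user_input.strip()
    if text.count("@") != 1:
        return None
    local, _, domain = text.partition("@")
    domain = domain.lower().rstrip(".")
    labels = domain.split(".")
    if not local or len(domain) > 253 or len(labels) < 2:
        return None
    if not all(_LABEL.match(label) for label in labels):
        return None
    return domain


def webfinger_url_for_host(domain: str) -> str:
    """WebFinger query for a host-only input, as in OpenID Connect Discovery:
    the resource is https://<host>, so the typed local part never leaves the RP."""
    resource = quote(f"https://{domain}", safe="")
    rel = quote(OIDC_ISSUER_REL, safe="")
    return f"https://{domain}/.well-known/webfinger?resource={resource}&rel={rel}"


@dataclass
class LoginRoute:
    kind: str                             # "federated", "local_signup" or "invalid"
    discovery_url: Optional[str] = None   # where the RP would fetch the issuer
    issuer: Optional[str] = None          # issuer learned from discovery, if any
    email_hint: Optional[str] = None      # what the user typed; an unverified hint
    verified_email: Optional[str] = None  # always None here: nothing has been proven


def route_login(user_input: str, discovered: Dict[str, str]) -> LoginRoute:
    """Decide how to continue after the account chooser prompt.

    `discovered` stands in for the result of fetching the WebFinger URL for each
    domain (constructed mapping of domain -> issuer).  A domain with no issuer
    falls back to local account creation, where the typed address is only a
    hint to be confirmed by a verification mail the RP sends itself."""
    domain = discovery_domain(user_input)
    if domain is None:
        return LoginRoute(kind="invalid")
    url = webfinger_url_for_host(domain)
    issuer = discovered.get(domain)
    if issuer is not None:
        return LoginRoute(kind="federated", discovery_url=url, issuer=issuer,
                          email_hint=user_input.strip())
    return LoginRoute(kind="local_signup", discovery_url=url,
                      email_hint=user_input.strip())


# Constructed stand-in for WebFinger responses: these domains run an SSO service.
SAMPLE_DISCOVERED = {
    "idp.example": "https://login.idp.example",
    "corp.example": "https://sso.corp.example/oidc",
}

if __name__ == "__main__":
    for typed in ("Alice@IdP.Example", "bob@nowhere.example", "not-an-address",
                  "carol@@corp.example", "dave@-bad.example"):
        print(f"{typed!r:>24} -> {route_login(typed, SAMPLE_DISCOVERED).kind}")
```

The point of keeping `verified_email` empty on every route is the one John makes: the RP learns an email address only from the IdP's claims after a successful federated login, or from its own verification mail during local sign-up, never from the string typed into the chooser.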