[Openid-specs-ab] Spec call notes 7-Jun-12

Justin Richer jricher at mitre.org
Fri Jun 15 21:29:07 UTC 2012


I dislike "external_username", since the claim is being made by the IdP, 
where it's not external at all. At the IdP, it's the user's username, 
whatever that means to the IdP under whatever rules the IdP has. At the 
RP, it's what the user has asked to use as a username through their IdP, 
which the RP may or may not honor.

The reason that it remains "preferred" is that the RP might not be able 
to (or might not want to) grant that username to the user for multiple 
reasons, including but not limited to:
   - size restrictions (I ask for "justinricher" but the RP has an 
8-char limit)
   - character restrictions (I ask for "j_richer" but the RP can't 
handle an underbar in the username)
   - format restrictions (I ask for "J.Richer" but the RP can only 
handle lowercase ASCII letters)

All of my examples are strawmen, but based on experience with real apps. 
It's up to the RP to either reject or transform the 
"preferred_username" coming in so that the user gets something local. In 
all three cases above, the RP might decide that I'm really just 
"user123", which isn't *preferred* by me, but it'll get me through the 
door. And in many RPs, I'll be able to set this to something I actually 
want that fits the RP's requirements through some kind of account sync 
page, but it's up to the RP to handle that. The account is going to be 
bound to some local User object in a database somewhere that has some 
kind of unique primary key which may or may not be a username as well -- 
some use email address for that, some use a completely independent key. 
We need to give the IdP a chance to hand over *something* that the RP 
will have a chance to chew on, if the IdP has it, but there are no 
guarantees that this will actually give someone the same effective 
username on both systems.

Several OpenID 2.0 services do this today with the SREG/AX username 
claim. If you don't provide one, they'll make something up for you and 
let you edit it later. Stack Overflow is among them, in my experience.

So while I personally prefer "username", I'm perfectly happy with 
"preferred_username" as it lessens one possibility of misuse and doesn't 
confuse the intent of the field like other suggestions have.

  -- Justin
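
The RP-side handling described above, as an added example that is not part of the original message or of any OpenID specification text: the incoming "preferred_username" is transformed to fit local rules or replaced with a generated name, and the account is keyed on something other than the username. The 8-character, lowercase-letters-and-digits policy, the AccountStore class, the example.com issuers, and keying on the issuer/subject pair ("iss", "sub") are assumptions made for the illustration.

```python
import re
from itertools import count

MAX_LEN = 8                              # assumed RP policy: 8-char limit
DISALLOWED = re.compile(r"[^a-z0-9]")    # assumed RP policy: lowercase ASCII letters, digits


class AccountStore:
    """Toy RP account table keyed on (issuer, subject), never on the username claim."""

    def __init__(self):
        self.by_identity = {}            # (iss, sub) -> local username
        self.taken = set()               # local usernames already in use
        self._seq = count(123)           # source of fallback names: user123, user124, ...

    def _fallback(self):
        # Generated name that gets the user "through the door"; skips names already taken.
        while True:
            name = f"user{next(self._seq)}"
            if name not in self.taken:
                return name

    def _local_name(self, preferred):
        # The claim is a suggestion from the IdP: transform it, or discard it.
        if not isinstance(preferred, str):
            return self._fallback()
        candidate = DISALLOWED.sub("", preferred.lower())[:MAX_LEN]
        if not candidate or candidate in self.taken:
            return self._fallback()
        return candidate

    def login(self, claims):
        identity = (claims["iss"], claims["sub"])
        if identity in self.by_identity:  # returning user: the hint is not consulted
            return self.by_identity[identity]
        name = self._local_name(claims.get("preferred_username"))
        self.taken.add(name)
        self.by_identity[identity] = name
        return name


if __name__ == "__main__":
    store = AccountStore()
    # Constructed sample claims, using the usernames from the message above.
    for iss, sub, hint in [("https://idp-a.example.com", "1001", "justinricher"),
                           ("https://idp-b.example.com", "1001", "J.Richer"),
                           ("https://idp-b.example.com", "2002", "j_richer")]:
        print(hint, "->", store.login({"iss": iss, "sub": sub, "preferred_username": hint}))
```

Because lookups go through the issuer/subject pair, a second IdP asserting a username that is already taken locally receives a generated name rather than access to the existing account.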

On 06/15/2012 04:55 PM, Sascha Preibisch wrote:
> "preferred_username" for me implies that there is a non-preferred_username available too. But as far as I understand the discussion it is about the one and only username a user wants to be referred to at a RP.
> This username might or might not be the same as which the RP internally refers to the user.
>
> Therefore I would like to suggest "external_username". The name under which a user wants to be referred to outside the RP.
>
> Regards,
> Sascha
>
> -----Original Message-----
> From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Vladimir Dzhuvinov / NimbusDS
> Sent: Friday, June 15, 2012 1:26 PM
> Cc: openid-specs-ab at lists.openid.net
> Subject: Re: [Openid-specs-ab] Spec call notes 7-Jun-12
>
> +1 for preferred_username.
>
> username_hint may confuse people with handling of forgotten usernames / passwords.
>
> Vladimir
>
> --
> Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com
>
>
>
> -------- Original Message --------
> Subject: Re: [Openid-specs-ab] Spec call notes 7-Jun-12
> From: Justin Richer<jricher at mitre.org>
> Date: Fri, June 15, 2012 5:23 pm
> To: Mike Jones<Michael.Jones at microsoft.com>
> Cc: John Bradley<ve7jtb at ve7jtb.com>, Vladimir Dzhuvinov / NimbusDS<vladimir at nimbusds.com>, "openid-specs-ab at lists.openid.net"
> <openid-specs-ab at lists.openid.net>
>
>
> In case my previous response gets lost in the list traffic, I would rather see "preferred_username" instead of "username_hint" to match the PoCo naming of this same field.
>
>   -- Justin
>
> On 06/15/2012 12:09 PM, Mike Jones wrote:
>> +1 that the name "username_hint" would cut down on errors by people who don't closely read the spec.
>>
>> -----Original Message-----
>> From: openid-specs-ab-bounces at lists.openid.net
>> [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of John
>> Bradley
>> Sent: Thursday, June 14, 2012 5:42 AM
>> To: Vladimir Dzhuvinov / NimbusDS
>> Cc: openid-specs-ab at lists.openid.net
>> Subject: Re: [Openid-specs-ab] Spec call notes 7-Jun-12
>>
>> I would be happier with username_hint as it will cut down on errors by people who don't read the spec.
>>
>> I have had to deal with enough issues in OpenID 2 where RPs don't read the spec, do something stupid, and the media blames OpenID. I know we can't stop that completely, but I know if it is called username, in a year or so there will be a security incident; that is not the spec's fault, but we will be blamed anyway.
>>
>> If there is a good reason for calling it username I won't try to block it. At the moment the logic is mostly that it is what Facebook calls the element that they put the user's profile page subsegment into.
>>
>> John B.
>>
>> On 2012-06-14, at 11:35 AM, Vladimir Dzhuvinov / NimbusDS wrote:
>>
>>> username_hint seems to reflect the claim purpose better!
>>>
>>> + 1
>>>
>>> Vladimir
>>>
>>> _______________________________________________
>>> Openid-specs-ab mailing list
>>> Openid-specs-ab at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
