Identity Loss with OpenID 2.0

OpenID 2.0 has a problem such that permanent unique identifier generation is delayed until it gets to the authentication service. As a result, a user has no ability to change the authentication service. This implies that

  1. a user cannot change the authentication service according to the authentication method requirement,
  2. he cannot enjoy the fail-over of the authentication service.
  3. Moreover, if the OpenID Authentication Service cease to exist, he will loose his online identity – He will become unable to login to many sites. IMHO, this is the worst weakness of OpenID 2.0. This is not theoretical. With several OP going away recently, this is the reality.

This needs to be addressed.

The way to address it is to leverage on the Discovery service, like XRI. The Discovery Service should return the permanent identifier, and authentication service should just use it.

The flow is like this.

Case 1: User Specified Identifier

In this use case, the user does not care too much to be anonymous to the RP, so he enters his identifier to the RP. This is the basic case.

  1. The user access the RP and enters his identifier (Display Name/Alias).
  2. The RP finds out the discovery service for the identifier through appropriate bindings. (The simplest case is that the user supplied identifier is the location of his XRD.)
  3. The RP obtains the XRD document associated with the identifier.
  4. In the XRD document, there is a permanent and unique identifier (Canonical ID/Subject) as <Subject> and bunch of OpenID Authentication Services (AS).
  5. The RP chooses the highest priority AS and creates AuthN request with Alias+Subject (AuthnReq).
  6. The RP sends AuthnReq to the AS. [1]
  7. AS authenticate the user by making him enter password etc.
  8. AS creates the AuthnResponse and sends it back to the RP.
  9. RP verifies the AuthnResponse

Note that by the time it reached the authentication stage, the identifier is completely specified so it makes no difference when on switched the authentication service.

BTW, this URI in the diagram is in essence a Discovery Service.

Case 2: OP Identifier

If the user cares to be anonymous, he needs to use OP identifier. This means there is an extra steps before.

  1. The user accesses the RP and specifies his Discovery Service (e.g., clicking on the button).
  2. The RP redirects user to the Discovery Service (DS).
  3. The User enters his identifier
  4. The DS generates an XRD with PPID (Pairwise Pseudonym Identifier) and returns it to the RP via browser redirect
  5. Upon receipt of PPID, RP starts the process described in Case 1 using this PPID as the user’s identifier.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.