OpenID Provider Selection Protocol?

When a site wants to use an OP Identifier, it typically shows a list of icons of the OPs. This list grows quickly and results in a user-interface nightmare, a.k.a. the “Nascar Problem”.

Various people have been working on this, such as the IDIB efforts and some Infocard integration, but to me, there seems to be an even simpler solution.

I have been wondering why nobody proposes this.
It is extremely simple.

Simply add your OP Identifier to the end of the User-Agent string, separated by a semicolon. For example, if you are using Safari and your OP is mixi.jp, it would look like this:

Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-JP) AppleWebKit/531.9 (KHTML, like Gecko) Version/4.0.3 Safari/531.9.1;op=mixi.jp

Creating a custom header in IE is a bit of a problem, but the UA string is an exception and can be changed just by changing a registry entry, as far as I know. Most other major browsers provide ways to set the user agent.

The RP, upon receipt of the above string, extracts mixi.jp and redirects the user to mixi.jp automagically. If the user has a session there, which is likely, they may be returned to the site immediately.
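A sketch of the RP-side extraction described above, added here as an example and not code from the original post. It treats the User-Agent as untrusted input: the hint must be a bare hostname and must appear in an allowlist before it is used. The function names, the TRUSTED_OPS allowlist and the https:// scheme are assumptions of this example.

```python
import re

# Assumption: OPs this RP is willing to send users to (constructed values).
TRUSTED_OPS = {"mixi.jp", "openid.example.net"}

# The hint is a single ";op=<host>" token at the very end of the User-Agent.
_OP_SUFFIX = re.compile(r";\s*op=([^;\s]+)\s*$", re.IGNORECASE)
# Bare DNS hostname: dot-separated letter/digit/hyphen labels, alphabetic TLD.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def extract_op_hint(user_agent):
    """Return the lowercased OP host from a trailing ';op=' token, or None."""
    if not user_agent:
        return None
    match = _OP_SUFFIX.search(user_agent)
    if not match:
        return None
    host = match.group(1).lower()
    # Rejects schemes, paths, ports, userinfo, IP literals and CR/LF,
    # so the value cannot steer the redirect anywhere but a plain host.
    if not _HOSTNAME.match(host):
        return None
    return host


def op_identifier_for(user_agent, trusted=TRUSTED_OPS):
    """Map the hint to the OP Identifier URL on which to start discovery.

    Returns None when there is no usable hint, so the RP can fall back
    to its normal OP chooser instead of redirecting.
    """
    host = extract_op_hint(user_agent)
    if host is None or host not in trusted:
        return None
    # Assumption: the OP Identifier is the https root of the host.
    return "https://" + host + "/"
```
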

True, it reveals your OP to every site. Some people may consider it a privacy problem, and some would complain about the security implications, but how real would an attack using that information be? Not much, I think. Anti-phishing? It should be dealt with by other mechanisms.
