.Nat Zone

Digital Identity et al.

OpenID AB and Attributes – OpenID Connect?

   


So, when the sun rises, it is the 10th IIW day.

I hoped to prepare more, but with the current ill-health, this probably is the most I could.

Here is the new version of OpenID Artifact Binding (AB) .

Repository: http://bitbucket.org/openid/ab/

Browser Friendly Cache: HERE

For those of you who do not know, OpenID/AB is a chartered Working Group at the OpenID Foundation, and aims to create another binding for OpenID, so that it is

  1. More Secure so that it can go all the way up.
  2. Browser URL length limit friendly.

In addition, we have been targeting to make it

  1. Very easy to write libraries, only with standard libraries
  2. Very easy to implement for RP. For lower assurance RPs, it should be just a matter of pasting a javascript snippet, and a link.
  3. Highly scalable: Completely stateless so that it can scale

I think the goal has been achieved as of draft 06.

It is using OAuth2.0 as the base protocol, and is building identity layer on top of it. Unlike David’s OpenID Connect straw man, it is not overloading the access token of OAuth2.0, so we can use that as OAuth token even for this OpenID flow.

I have implemented it myself (not being a professional programmer, it took more time than it should – besides, it was the first time for me to write anything in Javascript, and how-do-I-debug it???) in couple of days, in Javascript and PHP.

The size of the code shows how easy it is.

OP (PHP): 251 lines including debug codes and comments, as well as HTML.
RP (PHP): 109 lines including debug codes and comments, as well as HTML.
Magic Signatures Library: 83 lines including documentation.
AES Encryption Library (wrapper): 30 lines.

So, in total, it is 373 lines including documentation and debug codes.

AND: it supports asymmetric signature for non-repudiation, completely stateless OP, and my (proprietary version of) attribute exchange.

You can test drive them here: TEST DRIVE

Nice thing about what I did here for the attribute exchange is that the relying party can ask what combination so ever that the RP wishes of any of the attributes supported by the user. It is just a matter of making a “Request Parameter File”, which looks like this.

{
“ns”:”http://specs.openid.net/auth/2.0″,
“mode”:”direct_checkid_setup”,
“client_id”:”http://rp.tonescape.net/”,
“claimed_id”:”http://specs.openid.net/auth/2.0/identifier_select”,
“identifier”:”http://specs.openid.net/auth/2.0/identifier_select”,
“redirect_url”:”https://openid4.us/rp/rp.php”,
“atype”:”openid2json+sig”,
“ns:ax”:”http://openid.net/srv/ax/1.0″,
“ax:mode”:”fetch_request”,
“ax:avatar”:””,
“ax:nickname”:””,
“ax:lastname”:””,
“ax:firstname”:””,
“ax:gender”:””,
“ax:birthyear”:””
}

By change the “ax:lastname” to “ax:lastname#ja_Hani_JP”, I can get her Kanji name as well. It is that simple.

Not only that, you can push the write the attributes as well.
Just change “fetch_request” to “store_request”, and provide values to the attributes.

I have not implemented the following features yet, but should not take too much time.

  • immediate: it should add only a few lines of code…
  • payload encryption: Now that the encryption lib is done, it should be simple

Perhaps you can help :-).

 - Uncategorized