How does OpenID delegation work on the Relying Party side? Have the specifications changed recently?

Consider this scenario. I have my own website, which I use as my identifier, but I use a third-party OpenID provider (in my case Yahoo), as described here, to log into Relying Party (RP) sites such as stackoverflow and sourceforge.

It seemed like a wise move:

  • I am not locked in to the OpenID provider, because if / when Yahoo no longer offers the service, starts charging for it, or I no longer trust it, I can safely switch providers.
  • I have no economic, administrative, or security burden from installing and supporting an OpenID provider on my server.

Question

How should the RP work? I understand that it should use my identifier and use the provider (Yahoo) only for authentication (and not for identification). Is that right? Has something changed recently? To be clear, I mean that my identifier should be

http://www.mysite.com/myPreferredUrl

but not

https://me.yahoo.com/myYahooId (where my site redirects authentication, as described on the website linked above)

Side note

I ask this question also because now everything seems to be broken (it was fine a few months ago). If I try to log in to stackoverflow, I type the mysite.com URL, I am correctly redirected to the Yahoo website where I log in, it asks me if I want to continue to "stackoverflow", I say yes, it redirects, and on the stackoverflow site I see "This is an OpenID that we have not seen before", it shows my Yahoo ID, and I'm actually blocked!

Is this a mistake, or am I missing something?

PS: if you are wondering how I am able to write this question, it is because on one of the many machines I use, the browser still has a valid cookie...

EDIT: Andrew Arnott's answer below suggested a way to fix my problem (i.e. switch to a different provider). But I'm still interested in some details: what changed from OpenID 1.1 to 2.0 regarding delegation? Why was it decided in the specification that the provider may "break" delegation? The more you explain, the more likely I am to accept your answer.

2 answers

I believe Andrew's answer is pretty accurate. The only thing I can add is a little about how the v2.0 specification ended up the way it did, allowing the provider to refuse to honor delegation. I think one of the motivators was the OP-identifier (server-oriented) login, in which the user simply supplies "yahoo.com" (or clicks the Yahoo button), and then their chosen identifier is returned from the server in the id_res response. It also allows the server to do things like suggesting an identifier to send (like Yahoo does) or sending a unique identifier for each RP (like Google does).

This also means that all the necessary information is in the id_res response, which means that the RP does not need to save state from its checkid request in order to process the response. In fact, the provider could send the id_res response directly to the RP without the RP initiating it with a checkid request at all.

The v1.x provider was completely unaware of when delegation was in use. This design prevented the provider from even choosing not to support delegation, but it also caused some user-interface problems: it would ask whether you want to provide the identifier "joe.coolprovider.com" when you had actually used your delegated identifier "joesmith.org".

So, here is the compromise. Delegation is still possible, so there is hope that users who really want delegation (who may be dwarfed by the number of users from these large sites) can choose providers that offer the features they need. (In other words, let the market handle this.)


I do not think Yahoo supports OpenID delegation. That is, StackOverflow and other RPs can perform discovery on your own identifier and correctly construct the delegated request, but Yahoo may choose (possibly contradicting the specification) to send an identity claim for its own identifier and not for the value specified by the RP.

The specifications have not changed from OpenID 1.1 to 2.0. The specifications neither suggest nor approve of Yahoo!'s behavior, and only Yahoo can authoritatively comment on its reasoning.

The StackOverflow side is still working. Yahoo broke you, it seems. I suggest you use what delegation bought you by changing who you delegate authentication to. For example, www.myopenid.com supports delegation. If you change your own identifier to point at it, you can log in to StackOverflow again as your old self. :)

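The RP-side flow both answers describe, as an added example that is not part of the original answers: HTML discovery on the user's own URL (picking up the delegate link tags), the checkid_setup request that carries the user's URL as claimed_id and the delegate as identity, and the check on the id_res response that decides whether the delegated identity was honored or the provider asserted its own identifier instead (the Yahoo case in the question). The discovery document, the OP endpoint and the RP URLs are constructed placeholders; signature, nonce and return_to verification are assumed to happen elsewhere.

```python
from html.parser import HTMLParser

# Constructed discovery document served at the user's own URL; OP endpoint is a placeholder.
DELEGATING_PAGE = """<html><head>
<link rel="openid.server" href="https://op.example.com/auth">
<link rel="openid.delegate" href="https://me.yahoo.com/myYahooId">
<link rel="openid2.provider" href="https://op.example.com/auth">
<link rel="openid2.local_id" href="https://me.yahoo.com/myYahooId">
</head><body></body></html>"""

class _LinkCollector(HTMLParser):
    """Collects rel -> href for every <link> tag (first occurrence wins)."""
    def __init__(self):
        super().__init__()
        self.links = {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("rel") and a.get("href"):
            for rel in a["rel"].split():
                self.links.setdefault(rel, a["href"])

def discover(claimed_id, html):
    """RP-side HTML discovery: OP endpoint plus the OP-local (delegated) identifier."""
    parser = _LinkCollector()
    parser.feed(html)
    links = parser.links
    endpoint = links.get("openid2.provider") or links.get("openid.server")
    if not endpoint:
        raise ValueError("no OpenID link tags found")
    local_id = links.get("openid2.local_id") or links.get("openid.delegate") or claimed_id
    return {"claimed_id": claimed_id, "local_id": local_id, "endpoint": endpoint,
            "version": 2 if "openid2.provider" in links else 1}

def build_checkid_setup(info, return_to, realm):
    """The 2.0 request the RP sends: claimed_id is the user's URL, identity the delegate."""
    return {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "checkid_setup",
            "openid.claimed_id": info["claimed_id"], "openid.identity": info["local_id"],
            "openid.return_to": return_to, "openid.realm": realm}

def verify_id_res(info, response):
    """Which identifier the RP may log in (signature/nonce/return_to checks assumed done).
    None means the assertion must be rejected."""
    if response.get("openid.mode") != "id_res":
        return None
    identity, claimed = response.get("openid.identity"), response.get("openid.claimed_id")
    if info["version"] == 1 or claimed == info["claimed_id"]:
        # Delegation honored only if the OP-local id is the one discovery found;
        # a 1.x response carries no claimed_id, so the RP maps identity back itself.
        return info["claimed_id"] if identity == info["local_id"] else None
    # OP asserted a different claimed_id (the Yahoo case in the question): per OpenID 2.0
    # section 11.2 the RP must re-discover it and treat it as a new, unknown identity.
    return claimed
```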
