Re: OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

[Dirk Balfanz]

I don't want to put parameters into the protocol that aren't necessary.
So far, I've heard one argument for adding the consumer key in the
association request: to give a hint to the authorization UI as to whether or
not the consumer is authorized to request the scope passed in the
openid.oauth.scope parameter. The idea is, as far as I can tell, to encode
the consumer key into the association handle, and thus have the consumer key
available at authorization time.

I'm saying "hint", because it is nothing more than that - neither the
association request nor the auth request are signed, and the consumer can
put whatever they want into the consumer key (in the association request) or
association handle (in the auth request). Which is fine, since an attacker
lying about these things won't be able to exchange the request token for an
access token later.

So, again, the proposal seems to be to embed a hint to the consumer key into
the association request (which will then be threaded through the association
handle into the auth request). This doesn't buy us any additional security,
it just hints at what scope the consumer is allowed to request (for those
SPs that encode scope in consumer keys) - the security is provided later in
the access token request step.

Now, my argument is that we already _have_ a place to signal scope. It's the
openid.oauth.scope parameter. If you don't want to put consumer keys there,
let consumers put some other encoding of the scope there. If you're an OP
where scope isn't really decided at authorization time (but later, when we
know the real consumer key of the consumer), then this will just be a hint
for you to get the UI right. But that's no different from putting the
consumer key into the association request - that's only a hint, too.

So we get the same guarantees with less parameters if we stick with the
proposal.

Right? :-)

Dirk.



On Thu, Nov 13, 2008 at 8:32 PM, Breno de Medeiros <[EMAIL PROTECTED]> wrote:

> I changed my mind on this one.
>
> A. The fact that scopes are not standardized in OAuth today does not
> mean that in the future *some* scopes (e.g., related to portable
> contacts) may be standardized.
>
> B. The consumer key is an intrinsic identifier of the party requesting
> association and probably should be included, with the realm, in the
> association request (if available).
>
> There is no need, however, to include any additional information in
> the authentication request. The consumer key can be bound to the
> association handle.
>
>
> On Thu, Nov 13, 2008 at 6:43 PM, Allen Tom <[EMAIL PROTECTED]> wrote:
> > In the future, we might update our OAuth service to allow developers to
> pass
> > us the scope dynamically, rather than binding the scope to the CK.
> However,
> > we'd still probably require developers to agree to a TOS in order to get
> a
> > CK/CS.
> >
> > I'm concerned about having to tell developers to pass the CK via the
> scope
> > parameter for the first revision, and then later telling them that scope
> > parameter actually means the scope. I'd like to have one parameter
> (possibly
> > optional) that means CK, and another parameter (also optional) that means
> > Scope. Overloading a single parameter can get really messy in the long
> run.
> >
> > Allen
> >
> >
> >
> >
> >
> >
> >
> > Breno de Medeiros wrote:
> >>
> >> Ok, but what is wrong for you to instruct the developers to insert the
> >> consumer_key in the scope parameter, and they bind it to the approved
> >> request token?
> >>
> >
> >
>
>
>
> --
> --Breno
>
> +1 (650) 214-1007 desk
> +1 (408) 212-0135 (Grand Central)
> MTV-41-3 : 383-A
> PST (GMT-8) / PDT(GMT-7)
>
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

non-standard login mechanism

[SignpostMarv Martin]

Just polling for feedback on a bit of a non-standard login mechanism 
I've implemented on my site(s).


1) a user logs into Second Life, and clicks a kiosk to get a nonced URL.
2) the user gets a fairly standard OpenID form, submitting their OpenID 
(I'm using the Zend libraries, btw)
3) once successfully logged in via OpenID, the endpoint and avatar UUID 
are recorded in a db table
* after this point, the OpenID url will never be entered again (unless 
the user wishes to change their OpenID, or perhaps for circumstances 
where an additional security/paranoia requirement is desired)
4) the user visit a SLOpenID v3-enabled website, entering their Second 
Life avatar name
5) the code checks if the name is valid, on file, and if it has an 
OpenID associated
6) the code then automagically submits the OpenID that is on file to the 
Zend libs (as opposed to accepting a POST or GET value)


Do note that Linden Lab don't (currently) have an OpenID provider, and 
since I retired SLOpenID v2, I don't believe there are any that cater 
solely to Second Life Residents- though there isn't really much point in 
it any more, considering flickr, live journal and blogger all act as 
providers (all of which are used by Second Life Residents to varying 
degrees).


The purpose of only using the Second Life name is three-fold:

1) Residents are familiar with entering their SL name (in either 
first/last format or a single string) in several places throughout 
Linden Lab's presence (viewer, websites)
2) To strive for a possible standardisation across SL-centric websites, 
increasing people's awareness of possible phishing attacks (see footnote)
3) To strive for a possible learned behaviour of passwordless, 
transparent OpenID logins in Second Life viewers (OpenID is mentioned as 
a possibility for OGP logins)


So my question is this: Is using OpenID without the user entering the 
actual OpenID url breaking the spec ?


~ Marv.


*phishing footnote
If there are no passwords entered on a SLOpenID v3-enabled website, 
there is no risk of the maintainer of said site being accused of 
manipulating users so that they can collect the actual Second Life 
passwords. If the SLOpenID v3 method were to become commonplace amongst 
SL-centric websites, otherwise-uninformed users (e.g. those that use 
SL-centric services) would be immediately less trusting of phishing 
sites that specifically target SL users (e.g. OH HAI! U CAN HAS FREE L$ 
IF U ENTER UR PASSWORDS! KTHXBAI MUAHAHAHA)


p.s. this email has been BCC'd to the OpenID mailing list and LL peeps, 
just in case you're wondering why the text of the email is rather verbose.

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs