How does OpenID delegation work on the Relying Party? Have the specs changed recently?

Consider this scenario. I have my own website, which I use as my identifier, but I use a third-party OpenID provider (in my case yahoo), as described here, to log in on Relying Party (RP) websites such as stackoverflow and sourceforge.

It seemed to be a wise move:

  • I am not locked in with an OpenID provider, since if/when yahoo no longer offers the service, starts to charge for it, or I no longer trust them, I can switch providers painlessly
  • I don't have the economic, administrative and security burden of installing and maintaining an OpenID provider on my server

Question

How is the RP supposed to work? My understanding is that it should use the identifier I provide, and use the provider (yahoo) only for authentication (and not for identification). Is that correct? Did something change recently? Just to be clear, I mean that my identification should be

http://www.mysite.com/myPreferredUrl

and not

https://me.yahoo.com/myYahooId (which is where my website "redirects" the authentication, as described on the above website)

Side note

I'm asking this question also because things seem to be broken right now (they were OK a few months ago). If I try to log in on stackoverflow, I write the mysite.com URL, I am correctly "redirected" to the yahoo website, on which I log in, it asks me if I'd like to "continue on stackoverflow", I say yes, it "redirects" and on the stackoverflow site I see "This is an OpenID we haven't seen before", it shows my yahoo ID and I'm actually locked out!

Is it a bug, or am I missing something?

PS: if you are wondering how I'm writing this question, this is because on one of the many machines I use, a browser still has a valid cookie....

EDIT: Andrew Arnott's answer below suggested a way to fix my problem (i.e. switching to a different provider). But I'm still interested in some details: what has changed from OpenID 1.1 to 2.0 regarding delegation? Why was it chosen in the specs to let the provider "break" the delegation? The more you explain, the better the chances of having your answer accepted.

Davide asked Dec 31 '22 00:12

1 Answer

I don't think Yahoo supports OpenID delegation. That is, StackOverflow and other RPs may perform discovery on your own identifier and set up the delegation auth request correctly, but Yahoo might be choosing (arguably contrary to the spec) to send an identity assertion for their own identifier rather than the one given by the RP.

The specs haven't changed from OpenID 1.1 to 2.0. The specs do not suggest or endorse Yahoo!'s behavior, and only Yahoo can authoritatively comment on their reasoning.

StackOverflow delegation still works. Yahoo broke you, it seems. I suggest you leverage what the delegation bought you by changing who you delegate authentication to. www.myopenid.com for example supports delegation. If you change your own identifier to point to that, you should be able to get back into StackOverflow as your old self again. :)

Andrew Arnott answered Apr 09 '23 11:04
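The RP side of delegation that the answer describes, as an added Python example (not code from the question, the answer, or any real RP): HTML-based discovery on the user's own identifier URL, then the checks OpenID 2.0 section 11.2 asks of a positive assertion. The identifier page and the OP URLs are constructed placeholders; signature verification is assumed to happen separately and is not shown.

```python
from html.parser import HTMLParser

# Constructed sample of the HTML-based discovery page a user-owned identifier
# (the question's http://www.mysite.com/myPreferredUrl) would serve to delegate
# to a third-party OP. The rel names are the ones OpenID 1.1 and 2.0 define;
# the provider URLs are placeholders, not a real OP.
IDENTIFIER_PAGE = """<html><head>
<link rel="openid.server" href="https://op.example.test/server">
<link rel="openid.delegate" href="https://op.example.test/user/alice">
<link rel="openid2.provider" href="https://op.example.test/server">
<link rel="openid2.local_id" href="https://op.example.test/user/alice">
</head><body>my page</body></html>"""


class _LinkRelParser(HTMLParser):
    """Collects rel -> href for every <link> element on the page."""
    def __init__(self):
        super().__init__()
        self.rels = {}

    def handle_starttag(self, tag, attrs):
        if tag == "link":
            a = dict(attrs)
            if a.get("rel") and a.get("href"):
                self.rels[a["rel"].lower()] = a["href"]


def discover(claimed_id, html):
    """HTML-based discovery: what the RP must remember for later verification.
    Prefers the OpenID 2.0 tags and falls back to the 1.1 ones."""
    p = _LinkRelParser()
    p.feed(html)
    endpoint = p.rels.get("openid2.provider") or p.rels.get("openid.server")
    local_id = (p.rels.get("openid2.local_id") or p.rels.get("openid.delegate")
                or claimed_id)  # no delegation: OP-local id equals claimed id
    if endpoint is None:
        raise ValueError("no OpenID provider link found in identifier page")
    return {"claimed_id": claimed_id, "local_id": local_id, "op_endpoint": endpoint}


def verify_assertion(discovered, response):
    """Checks a positive assertion (openid.mode=id_res) against discovered data.
    Any deviation is reported as a failure for the delegated login rather than
    silently accepting the OP's own identifier. Returns (ok, reason)."""
    if response.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    if response.get("openid.op_endpoint") != discovered["op_endpoint"]:
        return False, "assertion came from a different OP endpoint"
    if response.get("openid.identity") != discovered["local_id"]:
        return False, "OP-local identifier does not match the delegation"
    if response.get("openid.claimed_id") != discovered["claimed_id"]:
        # The failure mode in the question: the OP asserts its own identifier
        # instead of the delegated one, so the RP sees an unknown OpenID.
        return False, "OP asserted a claimed_id other than the delegated one"
    return True, "assertion matches the delegated identifier"
```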