On 12/12/2015 09:49, Randall Leeds wrote:
> And yet, OAuth2 and OpenID Connected have received adoption and the flow is
> not dissimilar.
> I think this is more a case of a crowded space - where crowd means more
> than one solution - than that there are not willing identity providers.
> I still believe there is a reformulation of Persona wherein the assertion
> and certificate concatenation is embedded as a chain in a JWT. Persona is
> practically isomorphic to OIDC, as I read them.
We just got through an initial round of adding OIDC support to Firefox
Accounts, so I wanted to add a quick comment on two important ways that
it differs from Persona:
1) Authority delegation
Both OIDC and Persona generate "identity assertions" that can be
verified by the relier, but in OIDC the assertion must come directly
from the Identity Provider. Persona's assertions allow the IdP to
delegate assertion-generating authority to the browser (or the fallback
shim) rather than generating them directly.
2) Client registration
OIDC requires each relying website to register with each identity
provider, in order to establish e.g. the shared secret necessary to
complete a redirect-based OAuth flow. This is more-or-less required in
some form given (1), since the IdP and to deliver the assertion directly
to the relier.
OIDC does have a protocol for "dynamic client registration" but it
doesn't appear to be widely used in practice. Instead reliers must
register out-of-band with each IdP.
Taken together, the result is that your OpenID Connect IdP learns about
every relier to which you log in.
One of Persona's core design constraints was to provide privacy against
this sort of tracking. Unfortunately, in its current form Persona
relies on a centralized verifier service that that *does* learn such
information, and learns it regardless of your choice of IdP.
Perhaps OIDC could be extended to provide similar protections at some
point in the future? It would be an interesting design challenge.