"IDP-First" scenario possible with OpenID?


Seldor

Oct 25, 2011, 11:15:43 AM
to OpenID4Java
Hi

I'm pretty new to OpenID, so please bear with me.
What I've understood so far is that the user usually tries to
access an RP without any session.
Now the RP displays an input field for the OpenID the user has to
enter.

Would it be feasible to have a scenario where every RP just relies on
one Identity Provider so it doesn't have to display an input field but
send the user directly to the Identity Provider, without the
openid.identity parameter?
So that the IdP has to login the user and send him back?

Would this be a supported scenario for OpenID/openid4java ?
I could not try this out yet as I haven't gotten beyond the simple-openid
example yet and have yet to understand the whole process fully.

Thank you very much
Seldor

Steve Weis

Oct 25, 2011, 1:40:36 PM
to openi...@googlegroups.com
Yes, you can have the user select from among a list of identity providers. This is how sites like Stackoverflow are using OpenID: http://stackoverflow.com/users/login . If the user clicks, say, Google, it will redirect to Google, where the user will authorize the login to the relying party. The user never has to type in an identifier or endpoint URL.

Here's a blog post by Will Norris on the subject:

I think most OpenID users today don't even know they are using OpenID. They log in by clicking a button then clicking "Ok" on their provider.

Seldor

Oct 25, 2011, 4:51:13 PM
to OpenID4Java
Hi Steve

Thanks a lot, that clears things up quite a bit.
Just one other question: is it also possible to support a kind
of 'IdP first' scenario? Like the user first accesses, say, Google,
authenticates there and is then directly sent to Stackoverflow without
having been there before? As far as I see, in the Stackoverflow login you
mentioned, there's some session state generated first, probably to
match the response when it comes back later. Is it also possible to
have an 'unsolicited login'?
A use case would be a portal (say at google) showing the relying
parties available (or my favourites or whatever) and then google just
creates the ticket and sends me to stackoverflow directly, without any
added pingpong?

Thanks a lot

Seldor

On Oct 25, 7:40 pm, Steve Weis <stevew...@gmail.com> wrote:
> Yes, you can have the user select from among a list of identity providers.
> This is how sites like Stackoverflow are using OpenID:http://stackoverflow.com/users/login. If the user clicks, say, Google, it

Steve Weis

Oct 25, 2011, 5:21:47 PM
to openi...@googlegroups.com
You can automatically kick off a login from the relying party with no user interaction. There are a couple of options here. If you use "checkid_setup" mode, the IDP may prompt the user to login. In "checkid_immediate" mode, the IDP should return a success or failure with no user interaction, based on whether the user is logged into the IDP and whatever policies the IDP enforces.

However, I don't think the case of the IDP "showing the relying parties available" will work. The RP needs to initiate the login. As far as I know, there's not a way for IDPs to initiate logins to RPs without the RP expecting it.

Johnny Bufu

Oct 25, 2011, 6:23:11 PM
to openi...@googlegroups.com, Steve Weis
On 11-10-25 02:21 PM, Steve Weis wrote:
> However, I don't think the case of the IDP "showing the relying parties
> available" will work. The RP needs to initiate the login. As far as I
> know, there's not a way for IDPs to initiate logins to RPs without the
> RP expecting it.

Unsolicited responses are supported in OpenID2; an RP can successfully
validate a positive assertion initiated from the OP/IdP by simply
following the protocol.

See section 10 Responding to Authentication Requests

http://openid.net/specs/openid-authentication-2_0.html#responding_to_authentication

Johnny

Steve Weis

Oct 25, 2011, 6:39:13 PM
to Johnny Bufu, openi...@googlegroups.com
Ah, that makes sense. Good to learn that.

Seldor

Oct 26, 2011, 2:37:50 AM
to OpenID4Java
Hi Johnny

Thanks for your reply, that sounds very promising for our use case.
However I'm having trouble getting this to work with openid4java...
In the simple-openid setup, I took a login request from the SP
containing the nonce etc and just removed that so that the entire URL
would also be creatable by the IDP:
http://localhost:8080/simple-openid/provider.jsp?openid.identity=http%3A%2F%2Flocalhost%3A8080%2Fsimple-openid%2Fuser.jsp&openid.return_to=http%3A%2F%2Flocalhost%3A8080%2Fsimple-openid%2Fconsumer_returnurl.jsp%3F&openid.trust_root=http%3A%2F%2Flocalhost%3A8080%2Fsimple-openid%2Fconsumer_returnurl.jsp&openid.assoc_handle=1319553784609-0&openid.mode=checkid_setup

However, when redirected to the RP, I see in the log:
Null consumer nonce signature.
Nonce verification failed.

Could anyone confirm if this scenario is supported in OpenID4Java and
if yes, what I'm doing wrong?

Thanks
Seldor
> http://openid.net/specs/openid-authentication-2_0.html#responding_to_...

Johnny Bufu

Oct 26, 2011, 3:39:46 AM
to openi...@googlegroups.com, Seldor
On 11-10-25 11:37 PM, Seldor wrote:
> Hi Johnny
>
> Thanks for your reply, that sounds very promising for our use case.
> However I'm having trouble getting this to work with openid4java...
> In the simple-openid setup, I took a login request from the SP
> containing the nonce etc and just removed that so that the entire URL
> would also be creatable by the IDP:
> http://localhost:8080/simple-openid/provider.jsp?openid.identity=http%3A%2F%2Flocalhost%3A8080%2Fsimple-openid%2Fuser.jsp&openid.return_to=http%3A%2F%2Flocalhost%3A8080%2Fsimple-openid%2Fconsumer_returnurl.jsp%3F&openid.trust_root=http%3A%2F%2Flocalhost%3A8080%2Fsimple-openid%2Fconsumer_returnurl.jsp&openid.assoc_handle=1319553784609-0&openid.mode=checkid_setup
>
> However, when redirected to the RP, I see in the log:
> Null consumer nonce signature.
> Nonce verification failed.
>
> Could anyone confirm if this scenario is supported in OpenID4Java and
> if yes, what I'm doing wrong?

The core library supports verification of unsolicited responses.
The sample deployment simple-openid may not.

Note that response_nonce is a required parameter in an OpenID 2.0
positive response; removing it invalidates the response. Your OP/IdP
should generate it.

Johnny
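A worked example, added here and not part of the thread or of openid4java, of what Johnny describes in his two replies: the OP emits an unsolicited OpenID 2.0 positive assertion (with the response_nonce the OP must generate) and the RP validates it from the protocol fields alone, with no stored request state. Endpoint URLs, identifiers and the MAC key are constructed; the RP assumes a pre-established association with the OP and omits the discovery step on claimed_id (spec section 11.2) that a real RP must also perform.

```python
import base64, hashlib, hmac, secrets, time
from datetime import datetime, timezone

NS = "http://specs.openid.net/auth/2.0"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"   # timestamp prefix of response_nonce (spec section 10.1)
MUST_SIGN = ("op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle")
REQUIRED = ("ns", "mode", "sig", "signed") + MUST_SIGN

def generate_nonce(now=None):
    # OP-generated: UTC timestamp plus a unique ASCII tail, never reused by the OP
    ts = datetime.fromtimestamp(time.time() if now is None else now, timezone.utc)
    return ts.strftime(TS_FMT) + secrets.token_urlsafe(6)

def signature(fields, mac_key):
    # HMAC-SHA256 over the key-value form of the fields listed in openid.signed (spec section 6)
    kv = "".join(f"{k}:{fields[k]}\n" for k in fields["signed"].split(","))
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()

def op_unsolicited_assertion(op_endpoint, claimed_id, return_to, assoc_handle, mac_key, now=None):
    # OP-initiated ("IdP-first") positive assertion: no RP request preceded it (constructed values)
    f = {"ns": NS, "mode": "id_res", "op_endpoint": op_endpoint, "claimed_id": claimed_id,
         "identity": claimed_id, "return_to": return_to, "assoc_handle": assoc_handle,
         "response_nonce": generate_nonce(now), "signed": ",".join(MUST_SIGN)}
    f["sig"] = signature(f, mac_key)
    return {"openid." + k: v for k, v in f.items()}   # as it arrives in the return_to query string

class RelyingParty:
    def __init__(self, return_to, associations, max_skew=300):
        self.return_to, self.associations, self.max_skew = return_to, associations, max_skew
        self.seen_nonces = set()   # replay cache: must be persistent and shared across RP nodes

    def verify(self, params, now=None):
        f = {k[7:]: v for k, v in params.items() if k.startswith("openid.")}
        missing = [k for k in REQUIRED if k not in f]
        if missing: return False, "missing required field(s): " + ",".join(missing)
        if f["ns"] != NS or f["mode"] != "id_res": return False, "not an OpenID 2.0 positive assertion"
        if f["return_to"] != self.return_to: return False, "return_to mismatch"
        try:
            ts = datetime.strptime(f["response_nonce"][:20], TS_FMT).replace(tzinfo=timezone.utc).timestamp()
        except ValueError:
            return False, "malformed response_nonce"
        if abs((time.time() if now is None else now) - ts) > self.max_skew: return False, "response_nonce too old"
        if f["response_nonce"] in self.seen_nonces: return False, "response_nonce already used (replay)"
        assoc = self.associations.get(f["assoc_handle"])   # (op_endpoint, mac_key) from a prior association
        if assoc is None or assoc[0] != f["op_endpoint"]: return False, "unknown assoc_handle for op_endpoint"
        if not set(MUST_SIGN) <= set(f["signed"].split(",")) <= set(f): return False, "signed list invalid"
        if not hmac.compare_digest(signature(f, assoc[1]).encode(), f["sig"].encode()): return False, "bad signature"
        self.seen_nonces.add(f["response_nonce"])
        return True, f["claimed_id"]
```

Removing openid.response_nonce from a valid assertion, as in the experiment above, is rejected at the required-field check before any signature work, and a second delivery of the same assertion is rejected by the replay cache.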
