Tuesday, October 10, 2006

OpenID Sequence Nits

Two nitpicks with the protocol flow as described at OpenID Enabled (admittedly based on what I think I know and not what I really know about OpenID).

1) Step 3 is as follows:
3: Consumer associates with server (option 1) - In order to communicate securely with the server, the consumer gets an association with the server discovered in step 2, using an existing association if it is available, otherwise visiting the server and using Diffie Hellman to negotiate a shared secret with which to sign communication.
As written here, the consumer uses an existing association in order to get an association? I believe the intent of the above paragraph is something more like:
If necessary, the consumer establishes an association with the server discovered in step 2. If the consumer already has an association with the server, or is capable of dumb-mode only, it MAY skip this step.
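The decision the rewritten step 3 describes, as an added example (not code from the post or from OpenID Enabled): a consumer reuses an unexpired association, negotiates one with Diffie-Hellman only when it has none, and skips the step entirely in dumb mode. The group parameters, handle format and key derivation are constructed for illustration and are not OpenID's own.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for this example only; OpenID specifies its own default modulus.
P = 2**127 - 1   # prime (M127), far too small for real use
G = 2


def derive_mac_key(shared: int) -> bytes:
    # Simplified: hash the shared value. Real OpenID uses it to encrypt a server-chosen MAC key.
    return hashlib.sha1(shared.to_bytes(16, "big")).digest()


class Association:
    """Shared secret a consumer holds for one server, with its handle and expiry time."""
    def __init__(self, handle, mac_key, expires_at):
        self.handle, self.mac_key, self.expires_at = handle, mac_key, expires_at

    def sign(self, message: bytes) -> bytes:
        return hmac.new(self.mac_key, message, hashlib.sha1).digest()


class ToyServer:
    """Server half of the exchange; counts how often a consumer actually negotiates."""
    def __init__(self, lifetime=3600):
        self.lifetime, self.exchanges, self.secrets = lifetime, 0, {}

    def associate(self, consumer_public, now):
        self.exchanges += 1
        y = secrets.randbelow(P - 2) + 1
        handle = "assoc-%d" % self.exchanges          # constructed handle format
        self.secrets[handle] = derive_mac_key(pow(consumer_public, y, P))
        return handle, pow(G, y, P), now + self.lifetime

    def verify(self, handle, message, signature):
        key = self.secrets.get(handle)
        return key is not None and hmac.compare_digest(
            hmac.new(key, message, hashlib.sha1).digest(), signature)


class Consumer:
    """Step 3 as rewritten above: reuse, negotiate only if needed, or skip in dumb mode."""
    def __init__(self, dumb_mode=False):
        self.dumb_mode, self.store = dumb_mode, {}

    def get_association(self, server_url, server, now):
        if self.dumb_mode:
            return None          # dumb mode: no association; each response is checked with the server later
        assoc = self.store.get(server_url)
        if assoc is not None and assoc.expires_at > now:
            return assoc         # existing, unexpired association: nothing to negotiate
        x = secrets.randbelow(P - 2) + 1
        handle, server_public, expires_at = server.associate(pow(G, x, P), now)
        assoc = Association(handle, derive_mac_key(pow(server_public, x, P)), expires_at)
        self.store[server_url] = assoc
        return assoc
```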
2) Step 4 indicates
The OpenID server URL accepts a query, containing all the information the server needs to check the user's identity and redirect the user back to the consumer. The server checks the authentication of the user. If the user is signed in (has an auth cookie) and has already authorized sending their identity to the consumer, step 5 may be skipped.
and Step 5 includes
The user authenticates to the server with a cookie or a username and password, and the server asks the user for permission to send their identity information to the consumer.
Both steps refer to the user authenticating to the server, and the result is confusing. I think the intent was something more like:

Step 4 - the user agent is redirected to the server (along with any information the server may need to direct the browser back to the consumer).

Step 5 - the user authenticates to the server, either with an existing cookie or, if none is present, with a password etc. At this point, the user is asked whether they consent to their identity being sent to the consumer. If the user has already authorized their identity being sent to this consumer, that previous consent may be reused.
