Improving OpenID Delegation

When I authenticate using my delegated OpenID, I’m actually proving I own two different URIs: I own http://steven.bitsetters.com, which I’m delegating from, and I own (or at least have some control over) http://steven.myvidoop.com. So an RP can easily associate both endpoints with my account. The problem comes when I decide to change the endpoint I’m delegating from. Let’s say I get tired of WordPress (I know it’s a stretch) and decide to use Blogger instead. Now I want to delegate using http://steve918.blogger.com. Currently this would require me to log in to every site I previously signed into as steven.bitsetters.com and add steve918.blogger.com as an associated URL (assuming the RP even supports associating more than one OpenID per account). The thing is, this process of explicitly adding my new delegated OpenID leads to an extremely high switching cost that is not necessary.

As I mentioned in my previous post, delegation is an important part of the OpenID ecosystem, but it needs to be manageable for muggles. If reliers could make this association for me, I’m free to bounce from one social networking site to the next and use whatever delegated ID I feel contains my social graph and most useful profile information at that time. Having this free switching economy also makes it much more appealing for all the sites I mentioned previously to provide delegation services.

The only scenario this seems to affect is someone who is using a single endpoint, but delegating through it with multiple identities. Basically people masquerading different profiles through the same IdP account. In this case I think it’s up to the RP to allow the user to decide which OpenID they wish to make public (if any) on that site.

The real problem in this scheme is that all the extra work falls on the RPs, and realistically I don’t think many of them will go above and beyond hacking in the bits that are provided to them via easily available OpenID libraries. So as a community, maybe we can extend the libraries to include support for easily storing and managing endpoints. I’m honestly not even sure how realistic this is, but I think doing so could make it easier for RPs to check all the boxes on the best practices checklist.
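To make the RP-side linking concrete, here is an added example (not code from this post or from any OpenID library) of the account logic described above: a new delegating URI is attached to an existing account only when the same OP endpoint asserts the same OP-local identifier, a URI already on file is never silently re-bound to a different OP account, and the user picks which of the linked OpenIDs is shown publicly. The OP endpoint URL and the `OpenIDAssertion` field names are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class OpenIDAssertion:
    """What a verified OpenID 2.0 response gives the RP (field names assumed)."""
    claimed_id: str   # URI the user typed, e.g. the delegating blog URL
    op_local_id: str  # identifier the OP actually asserts (openid.identity)
    op_endpoint: str  # OP endpoint that signed the assertion


@dataclass
class Account:
    op_endpoint: str
    op_local_id: str
    claimed_ids: list = field(default_factory=list)
    public_id: str = ""  # which linked OpenID the user chooses to show on the site


class RelyingParty:
    """Links a new delegated URI to an existing account when the same OP
    endpoint asserts the same OP-local identifier; nothing else is merged."""

    def __init__(self):
        self._by_op = {}       # (op_endpoint, op_local_id) -> Account
        self._by_claimed = {}  # claimed_id -> Account

    def login(self, a: OpenIDAssertion):
        key = (a.op_endpoint, a.op_local_id)
        known = self._by_claimed.get(a.claimed_id)
        if known is not None:
            # The delegating URI now resolves to a different OP account:
            # that is a change the user must confirm, not an automatic link.
            if (known.op_endpoint, known.op_local_id) != key:
                return None, "rebind-requires-confirmation"
            return known, "existing"
        acct = self._by_op.get(key)
        if acct is None:
            acct = Account(a.op_endpoint, a.op_local_id, public_id=a.claimed_id)
            self._by_op[key] = acct
            status = "created"
        else:
            status = "linked"  # same OP identity seen via a new delegating URI
        acct.claimed_ids.append(a.claimed_id)
        self._by_claimed[a.claimed_id] = acct
        return acct, status

    def choose_public_id(self, acct: Account, claimed_id: str) -> bool:
        """Let the user decide which of their linked OpenIDs is public."""
        if claimed_id not in acct.claimed_ids:
            return False
        acct.public_id = claimed_id
        return True
```

Keying on the OP endpoint as well as the OP-local identifier is what keeps a second provider that asserts the same local identifier string from being merged into the first account.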
