{"id":136,"date":"2010-08-15T19:44:54","date_gmt":"2010-08-15T18:44:54","guid":{"rendered":"https:\/\/rwec.co.uk\/blog\/?p=136"},"modified":"2010-08-15T19:44:54","modified_gmt":"2010-08-15T18:44:54","slug":"without-delegation-openid-is-all-wrong","status":"publish","type":"post","link":"https:\/\/rwec.co.uk\/blog\/2010\/08\/without-delegation-openid-is-all-wrong\/","title":{"rendered":"Without delegation, OpenID is all wrong"},"content":{"rendered":"<p>I really want to like <a href=\"http:\/\/openid.net\">OpenID<\/a>, but the more I find out about it, the more I begin to hope it fails, so that something better can emerge.<\/p>\n<p>The idea, as I originally came upon it, appealed: &#8220;you already have identities you can prove are yours, in the form of URLs &#8211; why not use them as a universal sign-on?&#8221; And obviously, the main URL I control is this one &#8211; <a href=\"https:\/\/rwec.co.uk\">https:\/\/rwec.co.uk<\/a> &#8211; and OpenID allows me to use that identity without having to run my own identity server. This is called <em>delegation<\/em>, and lets you &#8220;delegate&#8221; your own URL to another identity (that is, another URL), on a server that&#8217;s set up to do the OpenID negotiation. <\/p>\n<p>To me, <strong>delegation is the single most appealing feature of OpenID<\/strong> &#8211; if this is to be my &#8220;one identity to rule them all&#8221;, I don&#8217;t want it vulnerable to supplier lock-in, and the fact that https:\/\/rwec.co.uk is my property guarantees me continued control. But when I started looking into the details earlier, I was confused, then dismayed, at how much of a poor relation delegation has become in the OpenID world.<\/p>\n<p><!--more--><\/p>\n<p>Now, the &#8220;<a href=\"http:\/\/openid.net\/get-an-openid\/\">get an OpenID<\/a>&#8221; page boasts that lots of my existing accounts can be used as OpenID &#8211; including Yahoo!, Google, and LiveJournal. 
&#8220;Brilliant,&#8221; I thought, &#8220;I&#8217;m always logged in to Yahoo!, to use Flickr, I can delegate to that.&#8221;<\/p>\n<p>So, how do you implement delegation? &#8220;It&#8217;s simple,&#8221; I&#8217;m repeatedly told, &#8220;you just add 2 link tags to your HTML head!&#8221; The <a href=\"http:\/\/openid.net\/get-an-openid\/\">get an OpenID<\/a> page gives a very brief mention of delegation, as a nice little side-line you might want to play with, and links to <a href=\"http:\/\/www.intertwingly.net\/blog\/2007\/01\/03\/OpenID-for-non-SuperUsers\">this ancient tutorial<\/a> telling you what link types you need to add. There are two problems with this blog post:<\/p>\n<ol>\n<li>An immediate unanswered question is &#8220;what do you put in the <em>value<\/em> of those 2 tags?&#8221; &#8211; one is evidently the URL you are delegating to, but the other &#8211; no clues given.<\/li>\n<li>Less obvious, but even more serious, is that the post is out of date &#8211; it describes the tags for OpenID version 1.1, but most services now implement OpenID 2.0, which uses different tags (although the values, it turns out, are much the same).<\/li>\n<\/ol>\n<p>Next, I found a nifty little site called <a href=\"http:\/\/delegatid.com\/\">Delegatid<\/a>, which lets you enter an existing OpenID, and generates the HTML for delegating to it. Perfect! Except that when I entered my LiveJournal account, it generated a seemingly invalid http-equiv=&quot;X-XRDS-Location&quot; header, and only the OpenID 2.0 links, even though LiveJournal supports OpenID 1.1. Not sure why, not sure who to tell.<\/p>\n<p>But here&#8217;s the real kicker: <strong>if I delegate to my Yahoo! ID, it doesn&#8217;t actually delegate<\/strong> &#8211; the headers work fine, I authenticate myself with Yahoo!, and then I&#8217;m logged into the site I&#8217;m trying to access (the &#8220;Relying Party&#8221; in the jargon). But <strong>I&#8217;m logged in with my Yahoo! 
ID, not my nice, permanent, lock-in proof URL<\/strong>. It turns out that <a href=\"http:\/\/stackoverflow.com\/questions\/826014\/how-does-openid-delegation-work-on-the-relying-party-have-the-specs-changed-rece#answer-889803\">in OpenID 2.0, Providers don&#8217;t have to support delegation<\/a> &#8211; they accept the request, but return the ID they have for you, and the delegation acts as nothing more than a URL forwarding system. This is all tied up with the handy way you can enter &#8220;yahoo.com&#8221; in an OpenID login box, and it will authenticate you &#8211; obviously, you&#8217;re not claiming to <em>own<\/em> yahoo.com, just that they can negotiate an ID for you.<\/p>\n<p>So it turns out that both my Yahoo! and Google IDs support OpenID 2.0 only (sorry, early adopters, no logins for you!), and don&#8217;t support delegation; I have to sign up for an account with a random OpenID provider. Of which there are, um, lots, around &#8211; I can&#8217;t find any kind of matrix with even such basic details as &#8220;supports OpenID 1.1, supports OpenID 2.0, supports delegation&#8221;; there&#8217;s an <a href=\"http:\/\/openiddirectory.com\/\">OpenID Directory<\/a>, but it feels more like an <abbr title=\"Search Engine Optimisation\">SEO<\/abbr> exercise than an actual resource to help me choose. The <a href=\"http:\/\/spreadopenid.org\/provider-comparison\/\">Spread OpenID Provider Comparison<\/a> would be promising, but it was <a href=\"http:\/\/spreadopenid.org\/2010\/01\/goodbye\/\">formally abandoned in January<\/a>. Nor will the Delegatid tool give me any warning that the delegation I&#8217;m setting up is no more use than a 302 redirect &#8211; I guess the auto-discovery protocol doesn&#8217;t handle this either.<\/p>\n<p>And of course, I won&#8217;t be able to use it <em>instead of<\/em> my Google account, or my Yahoo! 
account &#8211; they don&#8217;t accept OpenID, they just provide it, with no delegation, so for them it&#8217;s just another way of taking over your online life. No thanks.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I really want to like OpenID, but the more I find out about it, the more I begin to hope it fails, so that something better can emerge. The idea, as I originally came upon it, appealed: &#8220;you already have identities you can prove are yours, in the form of URLs &#8211; why not use [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[101,104,103,100,102,105],"class_list":["post-136","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-delegation","tag-identity","tag-login","tag-openid","tag-sso","tag-supplier-lock-in","post-preview"],"_links":{"self":[{"href":"https:\/\/rwec.co.uk\/blog\/wp-json\/wp\/v2\/posts\/136","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rwec.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rwec.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rwec.co.uk\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rwec.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=136"}],"version-history":[{"count":6,"href":"https:\/\/rwec.co.uk\/blog\/wp-json\/wp\/v2\/posts\/136\/revisions"}],"predecessor-version":[{"id":142,"href":"https:\/\/rwec.co.uk\/blog\/wp-json\/wp\/v2\/posts\/136\/revisions\/142"}],"wp:attachment":[{"href":"https:\/\/rwec.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=136"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rwec.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=136"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rwec.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=136"}],"curies"
:[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
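Added example, not part of the post above nor code from any of the tools it links: the delegation markup the post says the tutorials never spell out, together with the relying-party check that makes delegation safe at all. The `<link>` rel names are the ones the OpenID 1.1 and 2.0 specs define for HTML-based discovery (`openid.server`/`openid.delegate` and `openid2.provider`/`openid2.local_id`); the `openid.server`/`openid2.provider` value is the provider's endpoint URL, and the other tag's value is your identifier at that provider. The relying-party part follows OpenID 2.0 section 11.2: after a positive assertion the RP re-runs discovery on the `openid.claimed_id` in the response and rejects the assertion unless the OP endpoint and local identifier match what discovery found. When a provider substitutes its own identifier for `claimed_id`, as the post describes, that re-discovery succeeds and the user is logged in as the provider's identifier, which is exactly the "just a redirect" behaviour the post complains about; when an attacker tries to claim someone else's delegating URL with their own account at the same provider, the local identifier does not match and the assertion is refused. All URLs and pages are constructed for illustration; HTTP fetching is replaced by an in-memory page table, signature verification is omitted, and XRDS/Yadis discovery (what Yahoo! and Google actually use) is not modelled.

```python
"""OpenID delegation: the link tags a delegating page carries, the discovery a
relying party (RP) performs on them, and the identifier-matching check from
OpenID 2.0 section 11.2 that makes delegation safe.

Added example, not code from the original post. Every URL and page below is
constructed; fetch() is an in-memory stand-in for HTTP GET, and signature
verification of the assertion is deliberately out of scope.
"""
from html.parser import HTMLParser

# rel values defined by the OpenID 1.1 and 2.0 specs for HTML-based discovery.
LINK_RELS = {
    "openid.server": ("1.1", "endpoint"),     # provider's endpoint URL
    "openid.delegate": ("1.1", "local_id"),   # your identifier at the provider
    "openid2.provider": ("2.0", "endpoint"),
    "openid2.local_id": ("2.0", "local_id"),
}


class _LinkCollector(HTMLParser):
    """Collects (rel, href) for every <link> whose rel is an OpenID one."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        for rel in (a.get("rel") or "").split():
            if rel in LINK_RELS:
                self.links.append((rel, a.get("href")))


def discover(html):
    """HTML-based discovery: {"1.1": {...}, "2.0": {...}} from the page's <link> tags."""
    parser = _LinkCollector()
    parser.feed(html)
    found = {}
    for rel, href in parser.links:
        version, key = LINK_RELS[rel]
        found.setdefault(version, {})[key] = href
    return found


# Constructed identifiers (hypothetical hosts, not real providers).
MY_URL = "https://example.org/"                          # the URL the user wants to keep
PROVIDER_ENDPOINT = "https://openid.provider.example/server"
LOCAL_ID = "https://alice.provider.example/"             # the user's ID at the provider

# The delegating page: both 1.1 and 2.0 tags, same values in each pair.
DELEGATING_PAGE = f"""<html><head>
<link rel="openid.server" href="{PROVIDER_ENDPOINT}">
<link rel="openid.delegate" href="{LOCAL_ID}">
<link rel="openid2.provider" href="{PROVIDER_ENDPOINT}">
<link rel="openid2.local_id" href="{LOCAL_ID}">
</head><body>alice</body></html>"""

# The provider-hosted identity page (constructed; real providers use XRDS).
PROVIDER_ID_PAGE = f"""<html><head>
<link rel="openid2.provider" href="{PROVIDER_ENDPOINT}">
<link rel="openid2.local_id" href="{LOCAL_ID}">
</head></html>"""

PAGES = {MY_URL: DELEGATING_PAGE, LOCAL_ID: PROVIDER_ID_PAGE}


def fetch(url):
    """Stand-in for HTTP GET over the constructed page table (offline)."""
    return PAGES[url]


def verify_identity(requested_claimed_id, assertion, fetch=fetch):
    """Return the identifier the RP may log the user in as (OpenID 2.0 s11.2).

    assertion: the OP's positive response fields openid.claimed_id,
    openid.identity and openid.op_endpoint. Raises ValueError on mismatch.
    """
    claimed_id = assertion["openid.claimed_id"]
    # If the OP substituted its own claimed_id, discovery restarts on it and
    # the user ends up logged in as that identifier, not as requested_claimed_id.
    info = discover(fetch(claimed_id)).get("2.0")
    if info is None:
        raise ValueError(f"no OpenID 2.0 discovery data at {claimed_id}")
    if info["endpoint"] != assertion["openid.op_endpoint"]:
        raise ValueError("assertion came from an OP endpoint discovery did not find")
    if info.get("local_id", claimed_id) != assertion["openid.identity"]:
        raise ValueError("openid.identity does not match the discovered local_id")
    return claimed_id


# Three constructed assertions for the request "log me in as MY_URL".
HONOURED = {"openid.claimed_id": MY_URL, "openid.identity": LOCAL_ID,
            "openid.op_endpoint": PROVIDER_ENDPOINT}          # provider honours delegation
FORWARDED = {"openid.claimed_id": LOCAL_ID, "openid.identity": LOCAL_ID,
             "openid.op_endpoint": PROVIDER_ENDPOINT}         # provider returns its own ID
FORGED = {"openid.claimed_id": MY_URL,
          "openid.identity": "https://mallory.provider.example/",
          "openid.op_endpoint": PROVIDER_ENDPOINT}            # someone else's account

if __name__ == "__main__":
    print("honoured  ->", verify_identity(MY_URL, HONOURED))
    print("forwarded ->", verify_identity(MY_URL, FORWARDED))
    try:
        verify_identity(MY_URL, FORGED)
    except ValueError as err:
        print("forged    -> rejected:", err)
```

The FORWARDED case is the post's Yahoo! experience in miniature: nothing in the exchange fails, the RP simply ends up with the provider's identifier instead of the delegating URL, and a tool that only generates the link tags has no way to warn about it. The FORGED case is why an RP must never accept `openid.identity` on trust: it is discovery on the claimed URL, not the provider's say-so, that ties the assertion to the URL the user actually controls.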