Ole

Reputation: 46940

Is the OpenID Connect webfinger endpoint a map of user account to OpenID Connect providers?

In this question the example answer starts with:

Suppose Carol wishes to authenticate with a web site she visits using OpenID Connect. She would provide the web site with her OpenID Connect identifier, say [email protected]. The visited web site would perform a WebFinger query looking for the OpenID Connect provider.

So it sounds like example.com does not yet know which OpenID connect provider can authenticate Carol? It has to use Carol's email address as a lookup key to find out which OpenID Connect providers can authenticate her?

A lot of sites have "Authenticate with GitHub" or "Authenticate with Google", but in this case it looks like the site just figures out the authentication provider based on the email address of the person who wishes to authenticate. So instead of the person selecting the authentication provider, the site asks for the email address, and then figures out which authentication provider the user can use. So the sequence is something like:

Upvotes: 3

Views: 882

Answers (2)

jwilleke

Reputation: 10986

OpenID Provider Issuer Discovery is an OPTIONAL discovery service if the Relying Party knows the OP's Issuer location through an out-of-band mechanism. Or use WebFinger, which requires the website to be provided with:

  • resource = Identifier for the target End-User that is the subject of the discovery request.

  • host = Server where a WebFinger service is hosted.

  • rel = URI identifying the type of service whose location is being requested.

IMHO, the example from RFC 7033 supplied is misleading. Determining the issuer from an "[email protected]" is not well implemented by many of the providers. (At least what I could find)

I tried a few email addresses and could only get one to send a response. (Further, the example shows a simple HTTP GET, and yet OpenID Connect Discovery requires HTTPS)

I did get "[email protected]" to send a response. (See https://indieweb.org/WebFinger where Will Norris contributes)

I am also of the opinion that using OpenID Connect WebFinger discovery, which is convenient, is also a security concern.

I was able to do some discovery on an [email protected] based on an entry dated 2010, but it was not as simple as a WebFinger query as described in the example.

Perhaps some others will respond.

Generally the website must register (a Client ID), which may be performed dynamically, with each OpenID Connect provider they wish to work with.

Upvotes: 1

Ortomala Lokni

Reputation: 62506

So it sounds like example.com does not yet know which OpenID connect provider can authenticate Carol?

You are right. It's the role of the WebFinger protocol to determine the OpenID connect provider associated to the OpenID Connect identifier.

When a site shows "Authenticate with Github", it has its OpenID connect provider hardcoded (Github) and does not implement WebFinger.

Upvotes: 2
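The discovery step that both answers describe (the site takes the user's identifier, builds a WebFinger request with `resource`, `host` and `rel`, and reads the issuer out of the JRD reply) looks like the following when written out. This is an added example, not code from any library or provider mentioned in the thread; it follows the normalization and validation rules of OpenID Connect Discovery 1.0 (section 2), does no network I/O, and the JRD and openid-configuration documents it parses are constructed samples for the hypothetical issuer `https://op.example.com`.

```python
"""Hypothetical worked example: OpenID Connect issuer discovery via WebFinger.

Not the code of any provider or library; the JRD and provider-configuration
documents below are constructed samples so that the example runs offline.
"""
import json
from urllib.parse import urlencode, urlsplit

# Relation type that asks the WebFinger server for the OpenID Connect issuer.
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"


def normalize_identifier(user_input: str):
    """Return (resource, host) from what the user typed, per OIDC Discovery 2.1.

    'carol@example.com'        -> ('acct:carol@example.com', 'example.com')
    'https://example.com/carol'-> ('https://example.com/carol', 'example.com')
    'example.com'              -> ('https://example.com', 'example.com')
    (Simplification: an '@' inside a URL path is treated as an email-style id.)
    """
    s = user_input.strip()
    if "@" in s and "://" not in s and not s.startswith("acct:"):
        s = "acct:" + s                      # email-style identifier
    if s.startswith("acct:"):
        host = s.rsplit("@", 1)[-1]
        if not host or host == s:
            raise ValueError("acct identifier has no host part")
        return s, host
    if "://" not in s:
        s = "https://" + s                   # bare host or URL without scheme
    parts = urlsplit(s)
    if not parts.netloc:
        raise ValueError("identifier URL has no host")
    return parts._replace(fragment="").geturl(), parts.netloc


def webfinger_url(user_input: str) -> str:
    """Build the HTTPS WebFinger request the site would send (GET, no body)."""
    resource, host = normalize_identifier(user_input)
    query = urlencode({"resource": resource, "rel": OIDC_ISSUER_REL})
    return f"https://{host}/.well-known/webfinger?{query}"


def validate_issuer(href: str) -> str:
    """Issuer MUST be an https URL with no query or fragment (OIDC Discovery 2.1)."""
    p = urlsplit(href or "")
    if p.scheme != "https" or not p.netloc or p.query or p.fragment:
        raise ValueError(f"issuer {href!r} is not an https URL without query/fragment")
    return href


def issuer_from_jrd(jrd_text: str) -> str:
    """Pick the issuer link out of a JRD (RFC 7033) response and validate it."""
    jrd = json.loads(jrd_text)
    for link in jrd.get("links", []):
        if link.get("rel") == OIDC_ISSUER_REL:
            return validate_issuer(link.get("href"))
    raise LookupError("JRD carries no OpenID Connect issuer link")


def check_provider_configuration(issuer: str, config_text: str) -> dict:
    """After fetching <issuer>/.well-known/openid-configuration, the 'issuer'
    claim MUST equal the discovered issuer; a mismatch means the WebFinger
    answer pointed somewhere the OP does not vouch for, so the RP must stop."""
    cfg = json.loads(config_text)
    if cfg.get("issuer") != issuer:
        raise ValueError(f"issuer mismatch: discovered {issuer!r}, config says {cfg.get('issuer')!r}")
    return cfg


# Constructed sample documents (not captured from any real server).
SAMPLE_JRD = json.dumps({
    "subject": "acct:carol@example.com",
    "links": [{"rel": OIDC_ISSUER_REL, "href": "https://op.example.com"}],
})
SAMPLE_JRD_HTTP = json.dumps({
    "subject": "acct:carol@example.com",
    "links": [{"rel": OIDC_ISSUER_REL, "href": "http://op.example.com"}],
})
SAMPLE_CONFIG = json.dumps({
    "issuer": "https://op.example.com",
    "authorization_endpoint": "https://op.example.com/authorize",
})

if __name__ == "__main__":
    print(webfinger_url("carol@example.com"))
    issuer = issuer_from_jrd(SAMPLE_JRD)
    print("issuer:", issuer)
    print("authorize at:", check_provider_configuration(issuer, SAMPLE_CONFIG)["authorization_endpoint"])
```

Two points the thread raises are visible here: the request is always sent over HTTPS to the host taken from the identifier (so whoever controls that host's `/.well-known/webfinger` decides which OP the site will trust for that user, which is the security concern in the first answer), and the issuer returned must be re-checked against the OP's own configuration document before the site registers with it or redirects the user.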
