
This is really a follow-up question to this one, for which only Stack Exchange specific answers were provided.

I set up delegation of authentication to Google, based on this SO answer, specifically because I wanted to be able to swap out authentication providers without having to go to all the individual sites that use the custom URI as the user identifier and fix them up. Stack Overflow/Exchange is one of the few sites that has the notion that an SO/SE user might have multiple identities; others simply don't. Logging in using a different OpenID is to them as if I were logging in as someone completely different - a new account; migration to a new ID or linking multiple IDs to the same account is not always possible.

I didn't want to be trapped in the position where the authentication provider decides to stop providing that service, essentially orphaning any accounts I created using that ID on other websites. I also didn't want to incur the maintenance burden of running my own authentication service just for me. Delegation allowed me to preserve my apparent identity (my custom URI that serves up a page with links to delegate authentication to another provider), without tying me to that provider. At any point I could swap out Google for another provider, but the URI I'd give to the other websites would remain the same.

The answer provided in the other question basically says to add a Google ID to the Stack Exchange account and be done with it, but that avoids the core issue here. If I change authentication providers to another which does support OpenID 2.0, I have no guarantee they won't drop it at some point down the line. I could find an open source OpenID 2.0 authentication provider and host it locally on the same server that my custom OpenID URI lives on, but I'm worried that will become untenable if OpenID 2.0 is being killed off because it's not useful/secure. I assume there's a good reason why OpenID 2.0 is being deprecated, and I don't want to be sticking with it when it should be killed.

My question is: is this sort of delegation still possible with OpenID Connect, and if so, how? If it's not possible with OpenID Connect, are there other options that will continue to be supported in the future?

MrCranky

1 Answer


OpenID Connect does not support delegation as in OpenID 2.0, meaning it won't give you a persistent identifier for which you can delegate authentication to a configurable Provider of your choice.

There are other options that mostly depend on the Relying Party: the RP could implement the account management in such a way that the primary identifier is not based on any specific login mechanism. That not only opens up the possibility to associate a different OpenID Connect provider with an account, but would also allow for configuring multiple 3rd-party authentication providers (or authentication methods) at the same time.

This is what SO does, and most RPs have adopted this model rather than the single external identifier model, which has contributed to the slow adoption of OpenID 2.0 delegation. Of course the downside of that approach is that you will have to go into each of these accounts to modify the association, using a password or an account recovery process if the provider is out of business already.

Hans Z.

  • Thanks for the clarification. From that though it sounds like the only way to retain control of my identity (i.e. not putting it into the hands of a third party provider) is to maintain my own domain and host OpenID Connect software on it to handle authorising / authenticating as "me". – MrCranky Feb 17 '15 at 14:44
  • which should not be too difficult btw.; there are even hooks in the specification that allow for so-called self-issued OPs: http://openid.net/specs/openid-connect-core-1_0.html#SelfIssued – Hans Z. Feb 17 '15 at 15:28
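The account model the answer describes (an internal account id as the primary key, with any number of OpenID Connect identities linked to it) looks roughly like the following. This is an added example, not code from the question, the answer, or Stack Exchange; the provider URLs, client id, claim values and the `AccountStore` API are all constructed for illustration. The linked identity is keyed on the ID token's `iss` and `sub` claims, never on `email`, because an email address is not unique across providers and can be reassigned; an unknown identity that happens to carry a known email therefore logs in as nobody rather than being merged. Claims are assumed to have had their JWT signature verified already.

```python
"""Relying-party account store: internal account id as primary key, OpenID
Connect identities (iss, sub) linked to it. Added example; every value below
is constructed and not taken from the question or answer."""
from dataclasses import dataclass, field
import time
import uuid

OUR_CLIENT_ID = "rp-client-id-example"          # constructed: this RP's client_id
PROVIDER_A = "https://op-a.example.test"         # constructed provider issuers
PROVIDER_B = "https://op-b.example.test"
NOW = 1_700_000_000                              # constructed fixed clock for the demo


@dataclass(frozen=True)
class ExternalIdentity:
    """Stable identity at one provider: the ID token's iss + sub pair."""
    issuer: str
    subject: str


@dataclass
class Account:
    account_id: str
    display_name: str
    identities: set = field(default_factory=set)


def identity_from_claims(claims, now=None):
    """Turn signature-verified ID token claims into an ExternalIdentity.
    Rejects tokens not issued for this RP or already expired."""
    now = time.time() if now is None else now
    for required in ("iss", "sub", "aud", "exp"):
        if required not in claims:
            raise ValueError("missing claim: " + required)
    aud = claims["aud"]
    audiences = aud if isinstance(aud, list) else [aud]
    if OUR_CLIENT_ID not in audiences:
        raise ValueError("ID token was not issued for this relying party")
    if claims["exp"] <= now:
        raise ValueError("ID token expired")
    return ExternalIdentity(claims["iss"], claims["sub"])


class AccountStore:
    def __init__(self):
        self._accounts = {}      # account_id -> Account
        self._by_identity = {}   # ExternalIdentity -> account_id

    def login(self, claims, now=None):
        """Account bound to this identity, or None. Email is never consulted."""
        account_id = self._by_identity.get(identity_from_claims(claims, now))
        return self._accounts.get(account_id) if account_id else None

    def register(self, claims, display_name, now=None):
        ident = identity_from_claims(claims, now)
        if ident in self._by_identity:
            raise ValueError("identity already bound to an account")
        account = Account(uuid.uuid4().hex, display_name, {ident})
        self._accounts[account.account_id] = account
        self._by_identity[ident] = account.account_id
        return account

    def link(self, account_id, claims, now=None):
        """Attach a further provider; the caller must already hold an
        authenticated session for account_id."""
        ident = identity_from_claims(claims, now)
        if ident in self._by_identity:
            raise ValueError("identity already bound to an account")
        account = self._accounts[account_id]
        account.identities.add(ident)
        self._by_identity[ident] = account_id
        return account

    def unlink(self, account_id, issuer):
        """Drop every identity from one issuer, but never the last login method,
        so a user cannot lock themselves out of the account."""
        account = self._accounts[account_id]
        remaining = {i for i in account.identities if i.issuer != issuer}
        if not remaining:
            raise ValueError("cannot remove the last login method")
        for ident in account.identities - remaining:
            del self._by_identity[ident]
        account.identities = remaining
        return account


def claims_from(issuer, subject, email, exp=NOW + 300):
    """Constructed ID token claims, as they would look after signature verification."""
    return {"iss": issuer, "sub": subject, "aud": OUR_CLIENT_ID, "exp": exp, "email": email}


def demo():
    """Register with provider A, link provider B, then drop A: the account survives."""
    store = AccountStore()
    token_a = claims_from(PROVIDER_A, "a-user-1234", "alice@example.test")
    token_b = claims_from(PROVIDER_B, "b-user-9876", "alice@example.test")
    account = store.register(token_a, "alice", now=NOW)
    before_link = store.login(token_b, now=NOW)       # None: same email, unknown (iss, sub)
    store.link(account.account_id, token_b, now=NOW)
    store.unlink(account.account_id, PROVIDER_A)      # provider A is gone for good
    after_swap = store.login(token_b, now=NOW)
    return {"account_id": account.account_id, "before_link": before_link,
            "after_swap_id": after_swap.account_id,
            "issuers": sorted(i.issuer for i in account.identities)}
```

The swap the questioner wants (keep the account, change who authenticates you) is exactly the `link` followed by `unlink` sequence in `demo()`; the practical caveat from the answer still holds, since `link` requires an existing authenticated session at each RP, so the new provider has to be attached while the old one still works or via the RP's account recovery path.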