OpenID best implementation practices?

Carl Howells chowells at janrain.com
Thu Dec 29 18:52:07 UTC 2005


Johannes Ernst wrote:
> 1) is there a "best practice" that OpenID implementations should  follow 
> in order to avoid replay attacks? I suspect the trick is to  create a 
> Relying Party (aka return_to) URL that contains a nonce, and  track the 
> uses of that nonce?
> 
> E.g. if the Relying Party is
>     http://rp.example.com
> use
>    http://rp.example.com?my-nonce=<random-number>
> as the return_to URL in the forward leg of the authentication, and  
> check the my-nonce parameter on the return leg for whether or not it  
> was taken already?

That's essentially what I believe to be the best approach, though there 
is additional flexibility possible.  Our OpenID library provides the 
relying party with a token (containing the nonce and some additional 
information) that it is responsible for associating with the request in 
whatever manner is most appropriate for its application.

Many applications have the concept of a session, even for 
non-authenticated users, which is a good spot to store the token.  Other 
applications may choose to store the token in a cookie, or make it part 
of the return_to URL for that request.

But in any case, the idea is the same:  store a nonce somewhere, and 
verify that it hasn't been used when a response comes back that tries to 
use it.

> Does that mean we could use the same mechanism that we are using in  
> LID, or is a different approach more appropriate for OpenID?

The biggest difference is that LID's approach is specified by the 
protocol, but OpenID's is left to implementations.  That means that the 
one-way nonce idea won't work with the current version of OpenID, as it 
requires both the server and the relying party to use the same mechanism.

> 2) is there a "best practice" for single sign-OUT (not -IN). It is  
> relatively straightforward to keep track of all the Relying Parties  at 
> which I have authenticated during the current session, but other  than 
> visiting each of them manually and looking for the OpenID Logout  button 
> on each of them, can I automate this from one big button "log  out 
> everywhere"?

That's currently not possible.  See the discussion in part of this old 
thread: http://lists.danga.com/pipermail/yadis/2005-July/001060.html

> 3) Is the threat model against OpenID documented somewhere? I'm  missing 
> the rationale for some of the URL arguments, such as why  
> openid.return_to is returned on the back leg of the authentication  
> redirects, or why some of fields should or should not be signed.

I don't think there's any one document that contains everything.  I'd 
recommend looking at mailing list archives, especially for messages from 
Paul Crowley, and the ones he responded to.

> Of course, everybody might be on vacation ...

Not everybody. :)


Carl Howells


More information about the yadis mailing list