Showing posts with label openinfocard. Show all posts

Tuesday, May 18, 2010

oauth 2.0 scope is the new black


David's OpenID Connect proposal uses OAuth 2.0 to get an access token for accessing the user's info API.
OpenID Connect does not define a new OAuth flow but uses a scope with the value "openid" to signal that this kind of access token is requested.

What I am missing here is that there is no way for the client to specify which of the user's information it wants to access. The users might choose to release only a subset of their information at OAuth approval time, but they have no way to know what the client is requesting. I fear that the authorization server will suggest giving away all user data and that the user will grant that access.
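As an added illustration in JavaScript (not code from openinfocard and not from the OpenID Connect proposal), here is what a scope-bounded user-info endpoint looks like: the approval page lists exactly the keys the requested scopes would unlock, and the endpoint releases only what the granted scopes cover, so any key the server "adds" that no scope maps to stays private by default. Only the "openid" value comes from the proposal; the scope names "email" and "profile", the key mapping and the user record are placeholders invented for this example.

```javascript
// Added example, not openinfocard code and not from the OpenID Connect proposal:
// a user-info endpoint that releases only the keys covered by granted scopes.

// Hypothetical mapping from a scope value to the user-info keys it unlocks.
// Only "openid" is defined by the proposal; the other two are placeholders.
const SCOPE_TO_KEYS = {
  openid:  ['id'],
  email:   ['email'],
  profile: ['name', 'picture'],
};

// Constructed sample record. Note that "phone" is not unlocked by any scope,
// so it must never appear in a response, whatever the client asked for.
const SAMPLE_USER = {
  id: 'u-123',
  email: 'alice@example.com',
  name: 'Alice',
  picture: 'https://example.com/alice.png',
  phone: '+1 555 0100',
};

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Split the space-delimited "scope" parameter and separate the values this
// server knows from the ones it does not (unknown values are reported, not
// silently dropped, so a misconfigured client is visible in the logs).
function parseScope(scopeParam) {
  const requested = (scopeParam || '').trim().split(/\s+/).filter(Boolean);
  return {
    known: requested.filter(s => hasOwn(SCOPE_TO_KEYS, s)),
    unknown: requested.filter(s => !hasOwn(SCOPE_TO_KEYS, s)),
  };
}

// What the approval page should show the user: every key that the requested
// scopes would unlock, so the user knows what the client is asking for.
function consentSummary(scopeParam) {
  const { known } = parseScope(scopeParam);
  return [...new Set(known.flatMap(s => SCOPE_TO_KEYS[s]))].sort();
}

// Build the user-info response from the scopes the user actually granted
// (possibly a subset of what the client requested). Keys outside the granted
// scopes are withheld; the default is deny, not "give everything away".
function releaseUserInfo(userRecord, grantedScopes) {
  const allowed = new Set(grantedScopes.flatMap(s => SCOPE_TO_KEYS[s] || []));
  const released = {};
  for (const key of Object.keys(userRecord)) {
    if (allowed.has(key)) released[key] = userRecord[key];
  }
  return released;
}

// Demo: the client requests "openid email", the user approves only "openid".
console.log(consentSummary('openid email'));            // [ 'email', 'id' ]
console.log(releaseUserInfo(SAMPLE_USER, ['openid']));  // { id: 'u-123' }
```

Run it with node: the consent summary lists "email" and "id", and because the user approved only "openid", the response carries "id" alone; "phone" is never released because no scope maps to it.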

A quote from the openid connect proposal: "The (user info) server is free to add additional data to this response (such as Portable Contacts) so long as they do not change the reserved OpenID Connect keys."

This is the Facebook notion of privacy: give everything away by default.
I don't like that.

Even if the client does not want the data, it now has access to it.

I am intentionally not suggesting a different proposal or new values for scope. But what I am thinking about here is probably obvious given the background I am coming from.

Monday, April 19, 2010

XAuth is Evil


Google and Meebo got it so wrong! Meebo, with support from Google, published a JavaScript file, xauth.js, that tells a website which social networks the user is a member of. Which social networks I belong to is stored on xauth.org and in local storage.

This is so wrong that it hurts. Sites should publish which social networks they support and the user should then choose which ONE they would like to use at THIS site at THIS time.
The xauth scheme just transports too much data to a central site too often.

Google should use its money and power to put this ability into the browser!
Start with Chrome and Mozilla (https://mozillalabs.com/conceptseries/identity/social-agent/). Yes, Google already supports Mozilla in this project, but XAuth is evil.

XAuth is not even acceptable as an intermediate "solution" before Identity in the browser is ready. Wrong, wrong, wrong.

I admit that website operators prefer it this way round, and the collected data at the central server is definitely interesting and valuable. I think Google, with good reason, does not store that data on a Google server. Or do they? Who has access to that data? XAuth is not as bad as Microsoft Passport, but not much better.
I fear that the user and privacy advocates are not strong enough to create "Identity in the browser"...

Don't do evil.

Thursday, April 15, 2010

SHA256 et al in openinfocard

I just added support for RSA-SHA256 etc. to openinfocard's signature validation.
This came up during the RSA Conference's OASIS IMI interop. The cards issued by ADFS2 are signed using RSA-SHA256. The team from the Government of British Columbia suggested configuring ADFS2 to use SHA1 for card signing, but this way is better. Openinfocard is now more flexible with regard to signing algorithms. I added all DSA and RSA algorithms from http://www.w3.org/TR/2010/WD-xmlsec-algorithms-20100316/

Enjoy.

Thursday, February 25, 2010

Firefox Personas and openinfocard

If you have personalized your Firefox with Personas then your openinfocard selector window now shows the same background image.


Which is nice, and a security feature too. A malicious website could try to create a window that looks like your favorite openinfocard selector, but the website does not know how you personalized your browser. So if your card selector window does not show the same background image as your browser, then something is phishy!

Get the current (xmldap-0.9.9.201002251149.xpi) version of openinfocard now!

Did I say that openinfocard runs on MacOS Snowleopard too?

Wednesday, December 30, 2009

Cardspace Support for Firefox

During the last week I released new versions of the Mozilla Firefox addon that adds Cardspace support to the browser.

One feature that was re-enabled was the ability to get the "value" of the object element using JavaScript. The value is the security token, and thus requesting the value starts the selector. This "feature" was lost in the past and was quite easy to reactivate.

Another change that involved code changes in many places was the elimination of global variables, which is a good thing. All global variables were moved into a new namespace, org.openinfocard.cs4ff. I hope that this change gets this addon out of the sandbox so that it becomes an addon that can be installed without the "let me install this" checkbox.

Too bad that the Information Card addons are not compatible with each other. You have to make your choice whether to install DigitalMe, Openinfocard, Azigo's selector or Cardspace4Firefox, or other addons based on the same code base.
Which, on the other hand, is no problem in the real world. Users will pick their selector and install just one.

Tuesday, December 15, 2009

Avoco RealPay etc

In case you have not done so please have a look at Avoco's Information Card work.

One of their demo sites is a site called RealPay. Here you see the current openinfocard selector at work:





But the above is only the "normal" Information Card scenario.
Much more interesting are their "cloud selector" and their Cardspace-based document signing product. The latter can sign Microsoft Office documents and PDFs, and if you try to open such a document you have to present a valid security token based on an Information Card, which might even restrict your access to your current location. Nice.
Read more here.

Wednesday, November 25, 2009

selector progress

I am making good progress with the selector that supports Information Cards and OpenID (Cards). Maybe it will support username/password too.

Please notice the purple "i" in the URL bar, left of the site identity icon. Clicking it starts the selector, which lets you log in using e.g. your OpenID (Card). It "works" with the xmldap.org test page and nearly works with Andrew Anortt's http://test-id.org/XP/Selector.aspx page. Markus Sabadello's test page https://openidpad.com/ needs a little more work. The next step is to remember the cards used and display them in the URL bar.

I would like to mention that "login" or "connect" (to a site) is not enough. I think that attributes or claims are more important than login.

Sometime not too far in the future we should agree on a standard for this. I prefer the XRDS way to convey the RP's requirements to the selector, and we can inline it into the HTML code if a download of the XRDS is not desirable...

Monday, November 23, 2009

New Version of "Cardspace for Firefox" addon

Well, this took quite some time.

Several people reported issues with the IdentitySelector from the Codeplex repository (sometimes called Cardspace for Firefox) on Windows Vista, while Windows XP worked. But now, finally, I was able to build a new version on Windows 7 using the Mozilla build system as described here. I tested it with Firefox 3.5.5 and it seems to do what is expected, although I did not test it on Vista. Please report issues using the Codeplex issue tracker.

Following are some screen shots from my tests:





The Cardspace version used was 3.0.0.0, as it comes with Windows 7.

There is still much work to do, like bringing this addon's code to the same maturity as the openinfocard selector,
and keeping it there, e.g. by improving the XRDS support.

Later support the OpenID Selector...
And integrate with the work at Mozilla Labs like the "AccountManager"...
Not to forget the design work in the Kantara Universal Login Experience working group...

Wednesday, September 23, 2009

New Version Openinfocard

I just uploaded a new version of the openinfocard selector to Google code here.

I changed the code that limited self-issued cards to the "well-known" claims. Now I only need to add UI code to enable the user to specify arbitrary URLs as claim URIs.
This change forced me to change the internal cardstore format for self-issued cards. The related XML is now more similar to the RoamingStore format for Information Cards. This is good, but existing cards stop working. Users of the new version have to delete and recreate their self-issued cards. Sorry, although I promise that this will not be the last time ;-) for this kind of change. I want the internal cardstore format to be exactly like the RoamingStore format (plus legal openinfocard enhancements).

Other changes:
- A small change that improves statusbar Information Card icon clicks when an object tag is in the page but no XRDS. This needs more work.
- The sidebar code is leaner. This needs more work too, so that only matching cards are displayed and the sidebar window gets updated when the main window changes.
- The preferences JavaScript code is now in a separate file. I moved it from the XUL page. This seems to make the XBL that implements the preferences page happier.

I am glad that I found some hours to work on my hobby.

Friday, July 03, 2009

iPhone Selector @ xmldap.org


The Higgins Project, namely Markus Sabadello, created an Information Card Selector that runs on the iPhone. Due to Apple's benevolent dictatorship, which prevents extensions to the iPhone's web browser, this selector uses a custom URL scheme to launch the selector from a web page. Details can be found here.

I adapted the xmldap relying party to output the new URL scheme when the user agent contains "iPhone" or "iPod".

Here are some screenshots that Markus provided:





Integrating this into the openinfocard selector is a task for this evening.

Wednesday, June 17, 2009

Firefox 3.5 Release Candidate is ready


Firefox 3.5 Release Candidate is ready. If you don't have the latest and greatest browser, please download it here, and then the openinfocard selector of course.

Friday, June 05, 2009

Developer Garden IP Location STS


Deutsche Telekom launched its developer program, called developer garden, which offers several telecom services by providing APIs.

One of these services is an IP location service that resolves an IP address, if it comes from Deutsche Telekom's access network, to location information. While the retrievable location information is quite coarse, it is still useful. My favorite use case is to restrict online banking to the country I live in, or to the region or city I live in. This restriction would make online banking a little bit safer, although I know this is no silver bullet.
Anyway, it is a good thing that the location information is not too accurate. I don't want any server to locate me. Viewed from the privacy angle, even country or region/city information might be too much already.
What I would like is user-centric location information. The Internet Service Provider should allow me, the user, to retrieve my location information to the accuracy that I accept. I can then hand this information over to the online shop, bank, news site, or whatever...

Today I put this new IP location service and a security token server together. I wrote an iplocation_sts that offers Information Cards that contain location information, and I wrote an iplocation_rp that extracts this information from the security token. And it works! Yeah! Although I don't expect this to be the killer application that will make me rich or boost my career :-/ ... still, I like it nevertheless.

How does it look?
You visit the Identity Provider with your Information Card enabled browser, e.g. Firefox 3 with openinfocard. You create an account and an Information Card that you download and install into your selector.

Now you visit the relying party, click on the icon as directed...

... and choose the installed location card. This sends the token request to the IdP's token service, which retrieves the remote address of the client (or its proxy :-( ), generates the SAML assertion, ...

that is finally sent to the relying party.

Now it is clear that I live in the region "Berlin" and that the country code is "de". Correct.

Currently this is all installed only on my local machine but if Chuck installs the required libs on xmldap.org then you can play with it (if the access provider your ISP uses is Deutsche Telekom).

Monday, May 18, 2009

Internet Identity Workshop & openinfocard

The Internet Identity Workshop seems to inspire me to work more on the openinfocard selector again. I just uploaded a new version. Drag and drop of Information Cards works again. You can open the sidebar using shift-alt-ctrl-i and then drag one of your cards to the main window (relying party).

The selector then opens and the dragged card is chosen. You just need to hit the "send" button, or select some optional claims first.
You should look at the details of this particular relying party (http://pamelaproject.com/wptest091/). Pamela implemented the use of XRD/S for Information Cards in her WordPress plugin. If you add something like
<meta http-equiv="X-XRDS-Location" content="http://pamelaproject.com/wptest091/?xrds"/>
to your site and you use openinfocard, then you can use Information Cards without the "object" HTML element.
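The discovery step described above, as an added example in JavaScript that is not openinfocard's own code: it scans a relying party's HTML for the X-XRDS-Location meta tag and, as a fallback, for the Information Card object element with its requiredClaims/optionalClaims parameters, and then computes which claims a token for that RP may carry once the user has ticked optional claims (anything the RP did not declare as optional is refused). The sample page is constructed for the example; the meta tag value is the pamelaproject URL from the post, the claim URIs are the standard self-issued claim URIs, and the form/object markup is assumed. A browser addon would walk the DOM rather than regex-scan markup, and fetching and parsing the XRDS document itself is not shown.

```javascript
// Added example, not openinfocard code: locate the relying party's Information
// Card requirements in its HTML via the X-XRDS-Location meta tag or, failing
// that, via the object element, and derive the claim set a token may carry.

const IC_MIME = 'application/x-informationcard';                 // compared case-insensitively
const CLAIM_PARAMS = new Set(['requiredclaims', 'optionalclaims']); // space-separated claim URIs

// Minimal tag/attribute scanner, enough for well-formed markup; a real addon
// would use the DOM instead of parsing HTML with regular expressions.
const TAG_RE = /<(\/?)([a-zA-Z][\w:-]*)\b([^>]*)>/g;
const ATTR_RE = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Returns { xrdsLocation, object }: the content of the first X-XRDS-Location
// meta tag (or null) and the parameters of the first Information Card object
// element (or null). Claim parameters are split into arrays of claim URIs.
function discoverRequirements(html) {
  let xrdsLocation = null;
  let object = null;
  let inObject = false;
  for (const m of html.matchAll(TAG_RE)) {
    const closing = m[1] === '/';
    const tag = m[2].toLowerCase();
    const attrs = parseAttrs(m[3]);
    if (tag === 'meta' && (attrs['http-equiv'] || '').toLowerCase() === 'x-xrds-location') {
      if (xrdsLocation === null && attrs.content) xrdsLocation = attrs.content.trim();
    } else if (tag === 'object' && !closing) {
      if (object === null && (attrs.type || '').toLowerCase() === IC_MIME) {
        object = {};
        inObject = true;
      }
    } else if (tag === 'object' && closing) {
      inObject = false;
    } else if (tag === 'param' && inObject && attrs.name) {
      const value = (attrs.value || '').trim();
      object[attrs.name] = CLAIM_PARAMS.has(attrs.name.toLowerCase())
        ? value.split(/\s+/).filter(Boolean)
        : value;
    }
  }
  return { xrdsLocation, object };
}

// Claims a token for this RP may carry: every required claim plus the optional
// ones the user ticked. A claim the RP did not declare as optional is refused,
// so the selector never releases more than the RP asked for.
function claimsForToken(object, chosenOptional = []) {
  const required = object.requiredClaims || [];
  const offered = new Set(object.optionalClaims || []);
  const notOffered = chosenOptional.filter(c => !offered.has(c));
  if (notOffered.length) {
    throw new Error('not an optional claim of this RP: ' + notOffered.join(' '));
  }
  return [...new Set([...required, ...chosenOptional])];
}

// Constructed sample relying-party page (the object markup is assumed; the
// meta tag value is the one from the post).
const SAMPLE_PAGE = `<html><head>
<meta http-equiv="X-XRDS-Location" content="http://pamelaproject.com/wptest091/?xrds"/>
</head><body>
<form method="post" action="/login">
<object type="application/x-informationCard" name="xmlToken">
  <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion"/>
  <param name="requiredClaims" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"/>
  <param name="optionalClaims" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"/>
</object>
</form></body></html>`;

const found = discoverRequirements(SAMPLE_PAGE);
console.log(found.xrdsLocation);                                   // the ?xrds URL
console.log(claimsForToken(found.object, found.object.optionalClaims)); // three claim URIs
```

When both are present the selector can prefer the XRDS document, since that is what lets a site drop the object element entirely; the object parameters remain the fallback for pages that only carry the object tag.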

Tuesday, May 05, 2009

ICF D-A-CH Chapter @ EIC


Today at the European Identity Conference we had a workshop on forming a local chapter of the Information Card Foundation. We intend this to be a local chapter for Switzerland, Austria and Germany. We want to provide helpful information about Information Cards in the German language, we want to be a neutral body and an open organization, we want to organize and participate in events and workshops, we want to identify local requirements and local legislation related to Information Card Applications and we want to solve or to help solve challenges related to those local requirements and restrictions.

In our first workshop today we had many interesting presentations from very different companies and organizations. I won't repeat them here other than to note that probably all aspects of the Identity Metasystem were covered. That kind of surprised me, but it was a good surprise because it reminded me that there are more aspects to this than the projects I work on. I thought that my openinfocard project and the Cardspace4Firefox project cover the selector part, that my diverse work projects cover the consumer, enterprise and mobile device parts of the systems and the interoperability and standards aspects, and that this is most of the "world", but this is of course not true. I was reminded that there is even more than this already huge field. That is good.

Thursday, April 30, 2009

openinfocard new version

I just uploaded a new version of the openinfocard selector to http://code.google.com/p/openinfocard/downloads/list.
Please give it a try.

The changes are mainly internal but huge and important. After over a year of despair caused by several Java plugin2 hiccups and a lingering "stale reference to a java vm" error, I think that I have now improved the code so that development of new features makes much more sense than before. I had the feeling that SUN and Mozilla were pulling the ground away from under my feet, but now I think this period is over.

Some improvements are "visible" when you try the selector with "complicated" IdPs. I improved the metadata parsing through hefty use of E4X. The OSIS endpoints do not fall into this category, but if you test this openinfocard version e.g. with a Geneva server you might see what I mean. We have set up Geneva servers in our lab and openinfocard immediately failed. I fixed this, although I am sure that there are WS-* variants that still cause the selector to flip.
BTW: by fixing some of these faults I "improved" the internal cardstore format. This causes old cardstores to become unusable. Sorry, please remove the cards from your current cardstore and reimport them. There is no automatic conversion...

Java 6 u12 or newer is now a requirement. I have only tested it on Windows XP SP3 32-bit, but I am quite confident that this selector runs everywhere Firefox 3 and Java 6 are available.

Next steps:
- code cleanup. Throw away now unused code.
- XRDS support for X-XRDS-Location meta tag (nearly ready)
- phone selector integration

Tuesday, April 21, 2009

Kantara, Standards, Open Source Projects

Please pardon the crude title of this post...

On Monday, April 20, 2009 the Kantara Initiative (the server is currently down...) was launched. Although I subscribe to the goals of the initiative, I still know too little to make a reasonable decision about it. My feeling is that it is too big. While it certainly helps to have an organisation, and most of the legal (IPR, bylaws, etc.) stuff is already handled for a new Kantara working group, e.g. openFOO/BAR/BAZ, I fear that the influence of the big companies might be unhealthy for openFOO. Sure, it helps to have support from experts in e.g. protocol design and standardization to make the openFOO protocol consistent, sound, complete, modular and extensible and everything a protocol or data format should be; but Liberty Alliance, Microsoft, IBM and the other big companies have a tendency to create complex beasts that the normal open source project cannot tame.

If some enthusiasts come together and join forces to solve a problem and make the Internet "suck less", then the outcome is sometimes simple, not modular, not extensible or whatnot, but if it solves the problem, well...

A counter example: yesterday I awoke at 1am (jet lag) and tried the openinfocard selector "against" an IdP that is based on Microsoft Geneva. I imported the Information Card that was issued by that server and boom: openinfocard could not handle it. So I fixed this small problem. (Although this fix will lead to a changed internal format of the openinfocard cardstore and will break existing cardstores. Hm. Sorry.) Now I try to use the card and boom: the retrieved WS-Metadata is so complex that the openinfocard selector cannot handle it. So I fixed this not so small problem and learned a lot about several of the friendly members of the WS-* family... and about Mozilla's E4X implementation. This introduces a new level of complexity to the openinfocard code that will surely lead to trouble in the future.

What does this have to do with Kantara? Well, sure, the designers of WS-* are not all members of Kantara, but the Liberty Alliance Project has created similarly complex specifications (this server is down too; in fact it turns out it is the same server, 74.124.198.86).
Now consider you want to implement a cool program on a mobile phone and have to use these standards. Good luck with e.g. ID-WSF and e.g. kxml2. Doable, but this probably takes more than half an hour.

So I am sceptical about small, fast, just-do-it openFOO groups.

Wednesday, April 01, 2009

Mozilla weave and Information Cards

Mozilla Labs just announced that they released version 0.3 of Weave. I think Information Cards should be added to the Weave cloud:

And maybe passwords should be stored as Information Cards to leverage THE SELECTOR's anti-phishing capabilities to protect username/password credentials.

Tuesday, March 10, 2009

Car Re-Registration with Information Cards and German eID by Fraunhofer Fokus

Fraunhofer Fokus demoed a cool scenario where a user re-registers his car using the new German eID and Microsoft Cardspace. What I especially liked is that the slides show Firefox and the openinfocard selector installed.



The following is the text from the slide:
Re-registration of a car can prove a real headache. But the Fraunhofer Institute for Open Communication Systems FOKUS in Berlin has joined forces with the Bundesdruckerei to develop the prototype of an electronic automobile re-registration procedure that can be conveniently operated using the home computer.
To use this simple procedure, however, the citizen first requires a safe means of identity in the digital world. He or she requires an electronic identity or ‘e-identity’ which needs to be created, administered and decommissioned.
Across its life cycle the digital identity can be used for a wide variety of different transactions and activities – but always with the aim of proving the identity of the real individual in the virtual world. Users must be able to navigate in the digital world; they must reveal certain information about themselves – but not too much and certainly not to everybody. At the same time increasingly pervasive networking means that previously separate islands of identity have now to interact and cooperate.
In the ‘Re-registration of a Vehicle’ scenario the car owner can use an electronic ID card as a means of identification of the type that will come into use in Germany in 2010. Using this card she logs onto a user-centric service – the scenario uses Windows’ CardSpace – which issues her with a ‘digital card’ or Information Card which she can use via an identity provider to safely authenticate herself on a vehicle portal. Using an electronic vehicle registration certificate – which could also become widely available in future – the car registration office can then read off the key data about the car via the internet and store the data that has been changed.
The citizen then transfers the revised data to a future digital license tag.

Please contact Jens Fromm from Fraunhofer Fokus for more information.

Wednesday, February 04, 2009

java 6 update 12 for openinfocard


Java 6 update 12 has been released. Please install this update, because it contains a fix (6745455) especially for Firefox extensions that use Java, like the openinfocard id selector. openinfocard users on MacOS still have to disable plugin2 and use the dying OJI plugin (or stay with Firefox 2...), although that is not really satisfying... I hope that Apple will soon leap ahead from Java 1.6u7 to 1.6u12.

Thank you SUN for fixing this.