So the question is... How, in the world of open identity protocols, do I restrict access to a subset of my “discovery” information? The obvious answer is for the discovery service (or service provider in general) to restrict access based on the identity of the invoking party. However, how is that invoking identity presented? At first thought it seems like OpenID and OAuth should suffice, but it turns out this doesn’t work too well in practice.
Let’s take the following example and walk it through.
“Alice logs into her hiking site, uploads a GPS track and photos, and notifies her friends of the new information.”
- Alice logs into one of her favorite web sites (hikingtrails.example.com).
- Alice uploads a GPS track and some photos of a new trail she hiked over the Labor Day weekend.
- At the conclusion of her upload, hikingtrails.example.com asks Alice if it should notify her friends about her activity.
- Alice thinks that’s a great idea and agrees.
- So hikingtrails.example.com queries portablecontacts.example.com, using pre-established OAuth credentials, and retrieves Alice’s list of contacts with a tag of “hiking buddy”.
- Now for each of these friends, hikingtrails.example.com has to discover the “notification” service and send it the new activity message.
- One of Alice’s friends, Bob, only exposes the endpoint and metadata of his “notification” service to a restricted list of people.
It’s at this point that things begin to break down. How does hikingtrails.example.com identify Alice to Bob’s discovery service so that it can attempt to discover Bob’s “notification” service? The OAuth credentials hikingtrails.example.com already holds were issued by portablecontacts.example.com and mean nothing to Bob’s discovery service. There currently isn’t a binding for using OAuth with XRDS discovery, and even if there were, Alice would have to have an “account” at Bob’s discovery service so that it could authenticate her and establish OAuth credentials. While this would only have to be done once with Bob’s discovery service, the user experience would have to be repeated with each of Alice’s friends’ discovery services. That seems like overkill for the simple purpose of identifying Alice to Bob’s discovery service.
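To make the breakdown concrete, here is a small simulation of the walk-through above. It is an added example, not code from the original post or from any real discovery service: the hosts, the XRDS documents, the service type URI and the ACL on Bob’s discovery service are all constructed for illustration. The one rule it encodes is the one OAuth actually gives us: a discovery service can only establish an identity from credentials it issued itself, so hikingtrails.example.com’s token for portablecontacts.example.com leaves it anonymous at Bob’s service, and the restricted “notification” entry is filtered out of the XRDS it gets back.

```python
"""Simulated XRDS discovery with per-requester filtering (added example).

All hosts, documents and the ACL below are constructed for illustration and
are not part of the original post.
"""
import xml.etree.ElementTree as ET

XRDS_NS = "xri://$xrds"
XRD_NS = "xri://$xrd*($v*2.0)"
NS = {"xrd": XRD_NS}

# Assumed service type URI for a "notification" service.
NOTIFY_TYPE = "http://example.com/types/notification/1.0"

# OAuth credentials hikingtrails.example.com holds, keyed by the host that
# issued them. It only has a token from portablecontacts.example.com.
HIKINGTRAILS_CREDENTIALS = {
    "portablecontacts.example.com": {"token": "alice-pc-token", "user": "alice@example.com"},
}

# Bob's discovery service: each entry carries an ACL; an empty ACL means public.
BOB_DISCOVERY_HOST = "bob.example.org"
BOB_SERVICES = [
    {"type": "http://example.com/types/profile/1.0",
     "uri": "https://bob.example.org/profile", "acl": set()},
    {"type": NOTIFY_TYPE,
     "uri": "https://bob.example.org/notify",
     "acl": {"alice@example.com", "carol@example.com"}},
]


def authenticated_identity(discovery_host, credentials):
    """Identity a discovery host can establish from presented credentials.

    Only credentials that host issued mean anything to it; anything else is
    treated as an anonymous request.
    """
    cred = credentials.get(discovery_host)
    return cred["user"] if cred else None


def render_xrds(services, identity):
    """Build the XRDS document returned to `identity` (None = anonymous),
    omitting every restricted entry the requester is not on the ACL for."""
    xrds = ET.Element(f"{{{XRDS_NS}}}XRDS")
    xrd = ET.SubElement(xrds, f"{{{XRD_NS}}}XRD")
    for svc in services:
        if svc["acl"] and identity not in svc["acl"]:
            continue  # restricted entry hidden from this requester
        s = ET.SubElement(xrd, f"{{{XRD_NS}}}Service")
        ET.SubElement(s, f"{{{XRD_NS}}}Type").text = svc["type"]
        ET.SubElement(s, f"{{{XRD_NS}}}URI").text = svc["uri"]
    return ET.tostring(xrds, encoding="unicode")


def find_service(xrds_xml, service_type):
    """Client side: return the URI of the first Service of `service_type`,
    or None if the document does not expose one."""
    root = ET.fromstring(xrds_xml)
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = [t.text for t in svc.findall("xrd:Type", NS)]
        if service_type in types:
            return svc.find("xrd:URI", NS).text
    return None


def discover_notification_endpoint(credentials):
    """What hikingtrails.example.com does for Bob: present whatever
    credentials it has, take the XRDS it is given, look for the service."""
    identity = authenticated_identity(BOB_DISCOVERY_HOST, credentials)
    xrds_xml = render_xrds(BOB_SERVICES, identity)
    return find_service(xrds_xml, NOTIFY_TYPE)


if __name__ == "__main__":
    # With only the portablecontacts token, Bob's service sees an anonymous
    # request and the notification endpoint is not discoverable.
    print(discover_notification_endpoint(HIKINGTRAILS_CREDENTIALS))
    # Only if Alice also had an account (and OAuth credentials) at Bob's
    # discovery service would the same request succeed.
    with_bob_account = dict(HIKINGTRAILS_CREDENTIALS)
    with_bob_account[BOB_DISCOVERY_HOST] = {"token": "alice-bob-token", "user": "alice@example.com"}
    print(discover_notification_endpoint(with_bob_account))
```

The second call in the `__main__` block is exactly the per-friend onboarding the post objects to: the only way to make the request succeed is to give Alice a credential issued by Bob’s discovery service, and that has to be repeated for every friend who restricts discovery.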
A possible solution would be an “open identity token” that could be created by an identity provider and passed to any service provider. I have some thoughts on this that I hope to expound on in another post.