Migrating from HTTP to HTTPS OpenID
Session: Tuesday Space 2 Session F
The basic concept for upgrading an HTTP OpenID to an HTTPS OpenID is to leverage the OpenID discovery step, performed over SSL, to identify the equivalent HTTP-based OpenID. Some thoughts and examples below.
When validating an OpenID via discovery and XRDS
Example mapping for XRDS
<XRD>
  <Service xmlns="xri://$xrd*($v*2.0)">
    <Type>http://specs.openid.net/auth/2.0/httpMapping</Type>
    <URI>http://openid.aol.com/chattingchuck</URI>
  </Service>
</XRD>
Example mapping for XRD
<?xml version='1.0' encoding='UTF-8'?>
<XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'>
  <Subject>https://openid.aol.com/chattingchuck</Subject>
  <Link rel='openid' href='https://openid.aol.com/gffletch'>
    <Property type='http://specs.openid.net/auth/2.0/httpMapping'>http://openid.aol.com/chattingchuck</Property>
  </Link>
  <Link rel='describedby' href='http://profiles.aim.com/chattingchuck' type='text/html' />
</XRD>
The OP defines a <Type> URI in its XRDS/XRD document to signal that it implements the HTTP->HTTPS upgrade path.
Processing rules for the OP
- When the discovery request is made over HTTPS, return the alias type and the associated HTTP OpenID.
- If the initial request for the OpenID flow comes in over HTTP, 301 redirect to the HTTPS identifier.
Processing rules for the RP
- When the OpenID assertion contains an HTTPS OpenID, the RP first checks whether this OpenID is already known. If found, then done.
- If the HTTPS identifier is NOT found, look in the discovery document for an "alias" type.
- If the alias is found, the RP looks for that (HTTP) OpenID in its store.
  - If found, update the user id in the RP data store from the HTTP version to the HTTPS version.
  - If not found, this is a new user. Add them with their HTTPS OpenID.
- The OP updates its discovery documents to provide the alias in documents retrieved over SSL, but still returns the HTTP OpenID in assertions.
  - This allows RPs to run "batch" jobs to upgrade their users.
- After some period of time, the OP stops returning HTTP identifiers and only returns HTTPS identifiers.
- Open question: how to protect against a rogue OP returning a mapping for a different OP's identifier?
Alternate proposal (John Bradley)
- RPs assume that an HTTPS identifier is the same as the HTTP identifier and do an "autoupgrade" if the identifiers are exactly the same except for the scheme.
- OP MUST move to HTTPS OpenIDs permanently
- OP MUST 301 HTTP requests to HTTPS
- If the RP has an existing HTTPS identifier for the user, it MUST NOT consider the HTTP version to be the same
- Upgrading the HTTP OpenID to HTTPS MUST only occur for users that do NOT have an existing HTTPS OpenID identifier
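RP-side logic for both proposals above, as an added example that is not from the session or any OpenID library: the XRD httpMapping lookup (first proposal) with the scheme-swap rule (alternate proposal) as fallback, plus a strict guard that answers the rogue-OP question by honouring an alias only when it is the asserted identifier with the scheme changed. The XRD, the example.net host and the user store are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD_NS = "http://docs.oasis-open.org/ns/xri/xrd-1.0"
HTTP_MAPPING = "http://specs.openid.net/auth/2.0/httpMapping"

# Constructed XRD (hypothetical host), shaped like the session's example, as an OP
# would serve it over HTTPS: the Property carries the legacy HTTP OpenID.
SAMPLE_XRD = f"""<?xml version='1.0' encoding='UTF-8'?>
<XRD xmlns='{XRD_NS}'>
  <Subject>https://openid.example.net/alice</Subject>
  <Link rel='openid' href='https://openid.example.net/alice'>
    <Property type='{HTTP_MAPPING}'>http://openid.example.net/alice</Property>
  </Link>
</XRD>"""


def http_alias(https_id, xrd_text=None):
    """Candidate legacy identifier: the httpMapping Property from the XRD
    (first proposal) or, failing that, the same URL with http:// (alternate)."""
    if xrd_text:
        root = ET.fromstring(xrd_text)
        for prop in root.iter(f"{{{XRD_NS}}}Property"):
            if prop.get("type") == HTTP_MAPPING and prop.text:
                return prop.text.strip()
    return "http://" + https_id[len("https://"):]


def same_except_scheme(https_id, http_id):
    a, b = urlsplit(https_id), urlsplit(http_id)
    return (a.scheme, b.scheme) == ("https", "http") and a[1:] == b[1:]


def resolve_user(https_id, store, xrd_text=None, strict=True):
    """Apply the RP processing rules. `store` maps OpenID -> user record and is
    updated in place. Returns (record, action), action in known/upgraded/new.
    strict=True honours an alias only when it is this identifier with the scheme
    swapped, so a rogue OP cannot claim another OP's user via the mapping."""
    if urlsplit(https_id).scheme != "https":
        raise ValueError("only HTTPS identifiers are upgraded; OP 301s HTTP requests")
    if https_id in store:          # existing HTTPS user: HTTP record is never consulted
        return store[https_id], "known"
    alias = http_alias(https_id, xrd_text)
    if alias in store and (not strict or same_except_scheme(https_id, alias)):
        record = store.pop(alias)  # move the record from the HTTP to the HTTPS OpenID
        record["openid"] = https_id
        store[https_id] = record
        return record, "upgraded"
    store[https_id] = {"openid": https_id}  # brand-new user
    return store[https_id], "new"
```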