OpenID provider behavior on change of requested information by consumer

Asked by Matthias Arnason

If an OpenID consumer requests additional information it hasn't before (e.g. previously needed only nickname, now wants nickname+fullname), does login.ubuntu.com require users to whitelist the change in requested information, or does it just provide it because the consumer was previously accepted by the user?

If not, can we force-dissociate users of a particular consumer when we make that change?

Question information

Language: English
Status: Solved
For: Canonical SSO provider
Assignee: No assignee
Solved by: Stuart Metcalfe

Stuart Metcalfe (stuartmetcalfe) said:
#1

Right now, there is no option for users to change what information is sent to the consumer. It's either a 'trusted' consumer and we return all available requested information or it's not trusted and we only return the nickname. The user has the choice to continue, or not, except where the consumer is trusted enough to have auto-redirection enabled, but this should only be for official Ubuntu and Canonical properties.

When bug #121533 is finished and deployed, new behaviours will be added as described in that bug. These will ensure that the user is aware of changes in requested information and is able to decide what to send.

Matthias Arnason (tiaz) said:
#2

I see. That being the case, is it possible for us to invalidate existing authorizations for a particular destination, to force users to approve the new set of requested information?

Stuart Metcalfe (stuartmetcalfe) said (best answer):
#3

No, not at the moment. If a site is automatically redirecting without user involvement then it is a trusted site. The only way to prevent that is to disable auto-redirect for the specific site for all users. That is something which needs to be done by the LOSAs.

A note for the future: bug #121533 specifies that *additions* to approved information should not automatically return to the consuming site, regardless of user settings (see also the related note on bug #600583). Bug #600583 also discusses a list of sites to enable management of trusted sites outside of the regular login flow. Between those two bugs, I think we have all our bases covered for the future, but please do add any additional thoughts/concerns/ideas to them.
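The policy described across these two answers (untrusted consumers only ever get the nickname, trusted consumers get everything they ask for, and additions to a previously approved attribute set must not be released automatically) can be expressed as a small consent store on the provider side. The following is an added example written for this thread, not login.ubuntu.com's code or the implementation of bug #121533; the realm URLs, user name and the `reset_consumer` helper (the per-consumer invalidation the asker wanted) are assumptions, and attribute names follow the OpenID Simple Registration field names.

```python
"""Attribute-release consent tracking for an OpenID provider.

Added example, not login.ubuntu.com's code. It models the policy described in
this thread: an untrusted consumer only ever receives the nickname; a trusted
consumer receives everything it requests; and any attribute the user has not
already approved for that consumer is withheld until the user explicitly
approves it, so a consumer that starts asking for more than before cannot be
auto-redirected with the extra data. Attribute names follow the OpenID Simple
Registration (sreg) field names; realms and users used here are constructed.
"""
from dataclasses import dataclass

NICKNAME = "nickname"


@dataclass(frozen=True)
class Decision:
    release: frozenset        # attributes returned to the consumer on this request
    needs_consent: frozenset  # attributes the user must approve before release
    auto_redirect: bool       # True only when a trusted site receives nothing new


class ConsentStore:
    """Per-(user, consumer realm) record of approved attributes."""

    def __init__(self) -> None:
        self._approved: dict[tuple[str, str], set[str]] = {}
        self._trusted: set[str] = set()  # realms operators have marked as trusted

    def mark_trusted(self, realm: str) -> None:
        self._trusted.add(realm)

    def disable_auto_redirect(self, realm: str) -> None:
        """Operator action from the thread: demote a site so users see a prompt."""
        self._trusted.discard(realm)

    def approved(self, user: str, realm: str) -> frozenset:
        return frozenset(self._approved.get((user, realm), set()))

    def record_approval(self, user: str, realm: str, attrs) -> None:
        """Store the attributes the user explicitly agreed to send to this realm."""
        self._approved.setdefault((user, realm), set()).update(attrs)

    def reset_consumer(self, realm: str) -> int:
        """Hypothetical helper: invalidate every user's approval for one consumer.
        Returns how many user records were cleared."""
        keys = [k for k in self._approved if k[1] == realm]
        for k in keys:
            del self._approved[k]
        return len(keys)

    def evaluate(self, user: str, realm: str, requested) -> Decision:
        requested = frozenset(requested)
        trusted = realm in self._trusted
        # Untrusted consumers are capped at the nickname regardless of the request.
        offered = requested if trusted else requested & {NICKNAME}
        # Anything not yet approved for this (user, realm) pair is an addition.
        new = offered - self.approved(user, realm)
        # Previously approved attributes go out; additions wait for consent,
        # and any addition cancels the auto-redirect even for a trusted site.
        return Decision(
            release=offered - new,
            needs_consent=new,
            auto_redirect=trusted and not new,
        )


if __name__ == "__main__":
    store = ConsentStore()
    realm = "https://trusted.example/"  # constructed realm
    store.mark_trusted(realm)
    store.record_approval("alice", realm, {NICKNAME})
    # The consumer now asks for fullname as well: nickname goes out, fullname waits.
    print(store.evaluate("alice", realm, {NICKNAME, "fullname"}))
```

The design choice worth noting is that `needs_consent` is computed from the stored approval set, not from the consumer's previous request, so a consumer cannot widen its request gradually without each addition surfacing to the user; `disable_auto_redirect` corresponds to the LOSA action the answer describes as the only current remedy.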

Matthias Arnason (tiaz) said:
#4

Thanks Stuart Metcalfe, that solved my question.