After being stumped by a client’s OpenID Connect question earlier today, we wanted to dig deeper for some answers.
We turned to the knowledgeable and helpful OpenID Connect Spec Gurus for clarification and the following is what we learned…
Our Query to the Oracles of OpenID Connect:
“As I understand OpenID Connect discovery, a person would specify username@host…
Could the user simply enter “@host” instead?
It's not a valid address, but for discovery, it could be sufficient. Perhaps this would facilitate the return of a non-correlatable (transient…) identifier by the OP to the RP, which could help protect the privacy of the person.”
Response from OpenID Gurus:
Yes, according to the discovery docs you can enter just the host/domain name (without the @ sign) and Webfinger will still work. You can also enter the issuer URL directly. Both of these allow for directed-identifier use cases, where you know the IdP but don’t know the end user at runtime, and this is a key feature for OIDC.
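To make the discovery path concrete, here is an added example (not code from the original post or from any OpenID project) that applies the OpenID Connect Discovery 1.0 identifier normalization rules to the three kinds of input discussed above (email-style, bare host, issuer URL), builds the WebFinger request the RP would send, and pulls the issuer out of a WebFinger JRD response. The JRD document and the hostnames are constructed sample data; treating a leading "@host" as the bare host is an assumption taken from the question, not a spec rule.

```python
import json
import re
from urllib.parse import quote, urlsplit

# rel value defined by OpenID Connect Discovery 1.0 for the issuer link
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"


def normalize_identifier(user_input: str) -> tuple:
    """Return (resource, host) for the WebFinger request.

    joe@example.com  -> ("acct:joe@example.com", "example.com")
    example.com      -> ("https://example.com", "example.com")
    https://op.test  -> ("https://op.test", "op.test")   # issuer URL typed directly
    @example.com     -> same as bare host (assumption: "the OP at this domain")
    """
    s = user_input.strip()
    if s.startswith("@"):  # assumption from the post: no user part, just the OP's domain
        s = s[1:]
    # No RFC 3986 scheme (simplified check): choose acct: or https: as the spec does
    if not s.startswith("acct:") and not re.match(r"^[a-zA-Z][a-zA-Z0-9+.-]*://", s):
        s = ("acct:" + s) if "@" in s else ("https://" + s)
    if s.startswith("acct:"):
        return s, s.rsplit("@", 1)[1]  # host is whatever follows the last '@'
    parts = urlsplit(s)
    return parts._replace(fragment="").geturl(), parts.netloc  # strip fragment, keep port


def webfinger_url(user_input: str) -> str:
    """WebFinger request URL: must be https, carries resource and the OIDC rel."""
    resource, host = normalize_identifier(user_input)
    return (f"https://{host}/.well-known/webfinger"
            f"?resource={quote(resource, safe='')}&rel={quote(OIDC_ISSUER_REL, safe='')}")


def issuer_from_jrd(jrd_text: str) -> str:
    """Extract the OP issuer from a JRD; refuse anything that is not an https URL."""
    for link in json.loads(jrd_text).get("links", []):
        if link.get("rel") == OIDC_ISSUER_REL:
            issuer = link["href"]
            if not issuer.startswith("https://"):
                raise ValueError("issuer must be an https URL")
            return issuer
    raise ValueError("no OIDC issuer link in JRD")


# Constructed sample JRD, as an OP's WebFinger endpoint might return for a bare host
SAMPLE_JRD = json.dumps({
    "subject": "https://example.com",
    "links": [{"rel": OIDC_ISSUER_REL, "href": "https://openid.example.com"}],
})
```

The RP then fetches `{issuer}/.well-known/openid-configuration` and must check that the `issuer` value in that document matches the one WebFinger returned before trusting any endpoint it lists.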
What does this all mean?
It means that a user can retain 100% privacy when using web access management products. Many organizations do not want RPs to be able to track a specific person. If a different identifier is released to each RP, the user can act more anonymously on the Internet. If the user is causing trouble at the RP (like trying to hack the RP…), the IdP can still track down the person who was issued the “transient” identifier in question. In many cases, the RP really doesn’t need to know which specific user at the domain is requesting the content; frequently the RP just needs to know that the person is licensed or authorized.
The scenario above is widely used by universities through Shibboleth's support for transient IDs. A similar approach is also used by some vendors to minimize the release of attributes to websites.