OP MultiAuth

Page history last edited by David Fuelling 15 years, 3 months ago

Description

This page exists to track information relating to the OpenID Provider MultiAuth Extension 1.0. 

Proposal Abstract

This document specifies an extension to OpenID Authentication 2.0 Discovery.

 

This extension allows a Claimed Identifier to specify that an RP should receive valid OpenID Authentication assertions from at least two different OPs before the RP may grant access to protected resources.

 

OpenID Authentication 2.0 currently only specifies a single authoritative OP for a given Claimed Identifier. This restriction poses a modest security risk from the perspective that a rogue OP (or a rogue employee at an OP) might surreptitiously operate on behalf of a user without that user's knowledge or consent. By providing OpenID users with the ability to prevent this type of attack, users will be able to mitigate a common concern with the OpenID protocol as it stands today.

 

Discussion Points (TBD)

  1. Shade's suggestion about graceful fallback should be considered (see here). The idea is that if a user has specified multi-auth and one of the OPs is down, the user would not be able to log in. Shade suggests gracefully falling back to SingleAuth, although this has security implications (see draft 2 spec). Perhaps a better approach would be to have at least 3 OPs specified, with some sort of indicator that says, "Hey Mr. RP -- you only need valid auth assertions from two of these X OPs in order to give access to protected resources".
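
The "two of these X OPs" idea from the discussion point above, sketched as an RP-side check. This is an added example, not text or code from the draft specification: the `Assertion` type, the `op_key` and `multiauth_satisfied` names, and the way the threshold reaches the RP are assumptions, and the `example` URLs are constructed.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample data: one Claimed Identifier that lists three OPs.
CLAIMED = "https://alice.example/"
OPS = ["https://op-a.example/auth", "https://op-b.example/auth",
       "https://op-c.example/auth"]


@dataclass(frozen=True)
class Assertion:
    """A positive assertion the RP has ALREADY verified (signature, nonce, return_to)."""
    claimed_id: str
    op_endpoint: str


def op_key(endpoint):
    """Normalize an OP endpoint URL so case or default-port variants count as one OP.

    Assumption: an OP is identified by scheme, host, port and path of its endpoint.
    """
    u = urlsplit(endpoint)
    port = u.port or {"http": 80, "https": 443}.get(u.scheme)
    return (u.scheme, (u.hostname or "").lower(), port, u.path or "/")


def multiauth_satisfied(claimed_id, discovered_ops, required, assertions):
    """True only if `required` DISTINCT discovered OPs asserted `claimed_id`."""
    allowed = {op_key(op) for op in discovered_ops}
    # Reject policies that cannot express multi-auth: a threshold below two
    # (a silent fallback to single auth) or above the number of listed OPs.
    if required < 2 or required > len(allowed):
        return False
    vouching = {
        op_key(a.op_endpoint)
        for a in assertions
        # Ignore assertions for another identifier or from an OP that the
        # Claimed Identifier's discovery document does not list.
        if a.claimed_id == claimed_id and op_key(a.op_endpoint) in allowed
    }
    # A set is used so that one OP asserting twice still counts once.
    return len(vouching) >= required
```

With three OPs listed and a threshold of two, a login still succeeds when one OP is unreachable, while a single OP (or an unlisted one) can never satisfy the policy on its own.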

 

Document Repository

 

| Document | Version | Notes | Date Added |
|---|---|---|---|
| openid-provider-multiauth-extension-1_0-1.html | Draft 1_1 | First Draft. Very rough. | 12/26/2008 |
| openid-provider-multiauth-extension-1_0-2.html | Draft 1_2 | Second Draft. Updated XRDS & HTML formatting and structural flow of the extension. | 01/18/2009 |

 
