2

I'm writing a web application with Spring Boot and want the user to be able to tell me what his identity provider is, in the same way as I can do it on Stackoverflow.

How can I identify a user in a unique way? I already read that I should use the sub/Subject for distinguishing users. Is this unique when using multiple providers?

My fear is that a user provides a malicious identity provider which then tells my app he is a different user.

Absurd-Mind

2 Answers

2

How can I identify a user in a unique way? I already read that I should use the sub/Subject for distinguishing users. Is this unique when using multiple providers?

You'd store the combination of (iss, sub) as an identifier that is globally unique. As Kavindu mentioned already, the sub claim by itself is only locally unique.

My fear is that a user provides a malicious identity provider which then tells my app he is a different user.

There are two ways of using "multiple providers" with your app, via:

  1. a set of trusted IdPs
  2. any IdP

If someone's real identity is important to you, then you can choose the providers you trust to provide someone's identity details. People then can only sign in via one of the providers in your list.

But if it doesn't matter that much (normal username/password registrations also don't provide any guarantees), then you could also choose to let people log in with a provider of their choosing. The correct provider may then be discovered from the user's "handle" via OIDC Discovery.

Pieter Ennes
  • I do not care about the identity, I just want to externalize the login process. Is Discovery needed? As I understand it, it should be sufficient if the user tells me the URL of their OpenID server. – Absurd-Mind Mar 27 '18 at 20:01
  • @Pieter Ennes SO is using OpenID and not OpenID Connect. IMO the OP has mixed this up and that's the confusion here – Kavindu Dodanduwa Mar 28 '18 at 04:12
  • Since iss+sub is globally unique, how do we identify the same user if he uses different identity providers to log in (let's say Facebook login, Google login)? – jayasurya_j Nov 10 '18 at 14:51
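The (iss, sub) keying and the "trusted set" versus "any IdP" choice from the answer above, as an added example that is not part of the original question or answers. It is plain Python rather than Spring code so it runs stand-alone; the issuer URLs, client id and ID-token payloads are constructed, and signature verification is assumed to have already happened before `check_claims` sees the payload.

```python
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed allow-list for the "set of trusted IdPs" mode; hypothetical issuer URLs.
TRUSTED_ISSUERS = frozenset({
    "https://idp-a.example",
    "https://idp-b.example",
})


@dataclass
class UserStore:
    """Relying-party account table keyed by (iss, sub).

    open_mode=False: only issuers in TRUSTED_ISSUERS may log users in.
    open_mode=True:  any issuer is accepted (the "any IdP" choice), but the
                     account key still includes iss, so a rogue provider can
                     only ever land in its own (iss, sub) namespace.
    """
    client_id: str
    open_mode: bool = False
    accounts: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def check_claims(self, claims: dict, now: Optional[float] = None) -> Tuple[str, str]:
        """Validate an already signature-verified ID token payload and return (iss, sub)."""
        now = time.time() if now is None else now
        iss, sub = claims.get("iss"), claims.get("sub")
        if not iss or not sub:
            raise ValueError("ID token lacks iss or sub")
        if not self.open_mode and iss not in TRUSTED_ISSUERS:
            raise ValueError(f"untrusted issuer {iss!r}")
        aud = claims.get("aud")
        audiences = aud if isinstance(aud, list) else [aud]
        if self.client_id not in audiences:
            raise ValueError("ID token was not issued for this client (aud mismatch)")
        if float(claims.get("exp", 0)) <= now:
            raise ValueError("ID token has expired")
        return iss, sub

    def login(self, claims: dict, now: Optional[float] = None) -> str:
        """Return the internal user id for this (iss, sub), creating the account on first sight."""
        key = self.check_claims(claims, now)
        if key not in self.accounts:
            self.accounts[key] = f"user-{len(self.accounts) + 1}"
        return self.accounts[key]


def demo() -> dict:
    """Constructed ID-token payloads: the same sub '42' from two issuers and from a rogue one."""
    now = 1_000
    token_a = {"iss": "https://idp-a.example", "sub": "42", "aud": "my-app", "exp": 2_000}
    token_b = {"iss": "https://idp-b.example", "sub": "42", "aud": "my-app", "exp": 2_000}
    token_rogue = {"iss": "https://rogue.example", "sub": "42", "aud": "my-app", "exp": 2_000}

    strict = UserStore(client_id="my-app")
    result = {
        "a": strict.login(token_a, now),
        "b": strict.login(token_b, now),
        "a_again": strict.login(token_a, now),
    }
    try:
        strict.login(token_rogue, now)
        result["rogue_strict"] = "accepted"
    except ValueError as err:
        result["rogue_strict"] = str(err)

    open_store = UserStore(client_id="my-app", open_mode=True)
    result["rogue_open"] = open_store.login(token_rogue, now)
    result["a_open"] = open_store.login(token_a, now)
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things to read off the output: the same `sub` from two issuers creates two separate accounts (which is also the answer to the comment about Facebook and Google logins: without an explicit account-linking step the RP cannot know they are one person), and in open mode a rogue issuer is admitted but can only create an account under its own `iss`, never under another provider's. The same checks belong in whatever layer maps the OIDC user to an application account in a Spring Boot app.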
1

Q : How can I identify a user in a unique way? Is this unique when using multiple providers?

According to the OpenID Connect specification, the "sub" claim is locally unique. The following is the extract from the specification which highlights this (reference):

Subject Identifier. A locally unique and never reassigned identifier within the Issuer for the End-User

So when you are dealing with a single identity provider, the "sub" claim is unique. But that does not hold for multiple providers.

Q : My fear is that a user provides a malicious identity provider which then tells my app he is a different user.

I doubt this scenario. Does your application allow end users to register different identity providers as they want?

In OpenID Connect, there's an application registration step. Your application needs a client identifier. Also, the registration process involves redirect URL registration. All of these are done in the registration step. Without these, OpenID Connect will not function.

Adding to that, different providers behave differently. For example, though "sub" is the standard claim to communicate end-user identity, a provider may use a custom claim to define a specific user identity. This is allowed by the OpenID Connect specification. So your application must only support known, well-established identity providers which you know at application design time.

Kavindu Dodanduwa
  • `So your application must only support known, well established identity providers which you know at the application design time.` I'm curious how Stackoverflow implements exactly the feature I want although they shouldn't? You can enter your own OpenID on the login page – Absurd-Mind Mar 27 '18 at 19:57
  • @Absurd-Mind I didn't notice their OpenID-based registration step until you pointed it out. Came across a few posts on SO which explain this: https://meta.stackoverflow.com/questions/255394/cannot-add-stack-exchange-openid-login and https://stackoverflow.com/questions/69076/openid-login-workflow – Kavindu Dodanduwa Mar 28 '18 at 04:04
  • Also, I think they use OpenID, not OpenID Connect. Mind you, these are two different protocols and OpenID Connect deprecates OpenID! For OpenID Connect, your client application must be registered with the identity provider. Whether you do it dynamically or beforehand is up to the implementation. That's why I composed my answer in this manner – Kavindu Dodanduwa Mar 28 '18 at 04:10
  • From what I can see, even the specification suggests using iss+sub: 5.7. Claim Stability and Uniqueness: `The sub (subject) and iss (issuer) Claims, used together, are the only Claims that an RP can rely upon as a stable identifier for the End-User, since the sub Claim MUST be locally unique and never reassigned within the Issuer for a particular End-User, as described in Section 2. Therefore, the only guaranteed unique identifier for a given End-User is the combination of the iss Claim and the sub Claim.`. Still trying to figure out if I need to go through Discovery... – Absurd-Mind Apr 04 '18 at 19:55
  • @Absurd-Mind Yes, agreed. The combination of Sub and Iss claims should be unique on a global scale. I think discovery is essential for your case. For example, you need to dynamically get token signing certificate details. – Kavindu Dodanduwa Apr 06 '18 at 04:08
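The comment thread ends on the point that Discovery is needed to fetch a user-chosen provider's metadata and signing keys. The added example below (not code from the question, the answers or any project) shows the checks an RP should apply to a user-supplied issuer URL before trusting what it finds there: build the configuration URL the way OIDC Discovery describes, refuse URLs the server should never fetch from, and require that the `issuer` published in the metadata is identical to the URL it was fetched from, so a provider cannot impersonate another issuer's `iss` namespace. It is written in Python with a constructed in-memory "web" standing in for HTTP; the `idp-a.example` and `rogue.example` hosts and their metadata are made up.

```python
import ipaddress
from typing import Callable, Optional
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
# Metadata members every OpenID Provider must publish (OIDC Discovery section 3).
REQUIRED = (
    "issuer", "authorization_endpoint", "jwks_uri", "response_types_supported",
    "subject_types_supported", "id_token_signing_alg_values_supported",
)


def discovery_url(issuer: str) -> str:
    """Turn a user-supplied issuer URL into its provider-configuration URL,
    refusing inputs the RP should never fetch from (plain http, credentials,
    loopback or private addresses)."""
    parts = urlsplit(issuer)
    if parts.scheme != "https":
        raise ValueError("issuer must be an https URL")
    if parts.query or parts.fragment:
        raise ValueError("issuer URL must not carry a query or fragment")
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("issuer URL must have a host and no credentials")
    try:
        literal_ip = ipaddress.ip_address(parts.hostname)
    except ValueError:
        literal_ip = None  # a DNS name rather than an IP literal
    if parts.hostname == "localhost" or (literal_ip is not None and not literal_ip.is_global):
        raise ValueError("refusing to fetch metadata from a local or private address")
    # Discovery 4.1: strip a terminating "/" from the issuer before appending the path.
    return issuer.rstrip("/") + WELL_KNOWN


def validate_metadata(issuer: str, doc: dict) -> dict:
    """Discovery 4.3: the published issuer must equal the URL the metadata came from."""
    missing = [name for name in REQUIRED if name not in doc]
    if missing:
        raise ValueError(f"provider metadata is missing {missing}")
    if doc["issuer"] != issuer:
        raise ValueError(f"metadata claims issuer {doc['issuer']!r} but was served from {issuer!r}")
    if urlsplit(doc["jwks_uri"]).scheme != "https":
        raise ValueError("jwks_uri must be https")
    if "RS256" not in doc["id_token_signing_alg_values_supported"]:
        raise ValueError("provider does not support RS256 for ID tokens")
    return doc


def load_provider(issuer: str, fetch: Callable[[str], Optional[dict]]) -> dict:
    """Resolve and validate provider metadata; 'fetch' returns parsed JSON or None."""
    issuer = issuer.rstrip("/")
    url = discovery_url(issuer)
    doc = fetch(url)
    if doc is None:
        raise ValueError(f"no provider metadata at {url}")
    return validate_metadata(issuer, doc)


def token_issuer_ok(provider: dict, claims: dict) -> bool:
    """An ID token is only accepted for the issuer whose metadata and keys were used."""
    return claims.get("iss") == provider["issuer"]


# Constructed stand-in for the network: URL -> already-parsed JSON document.
FAKE_WEB = {
    "https://idp-a.example/.well-known/openid-configuration": {
        "issuer": "https://idp-a.example",
        "authorization_endpoint": "https://idp-a.example/authorize",
        "token_endpoint": "https://idp-a.example/token",
        "jwks_uri": "https://idp-a.example/jwks",
        "response_types_supported": ["code"],
        "subject_types_supported": ["public"],
        "id_token_signing_alg_values_supported": ["RS256"],
    },
    # A rogue provider whose metadata claims idp-a's issuer value.
    "https://rogue.example/.well-known/openid-configuration": {
        "issuer": "https://idp-a.example",
        "authorization_endpoint": "https://rogue.example/authorize",
        "token_endpoint": "https://rogue.example/token",
        "jwks_uri": "https://rogue.example/jwks",
        "response_types_supported": ["code"],
        "subject_types_supported": ["public"],
        "id_token_signing_alg_values_supported": ["RS256"],
    },
}


if __name__ == "__main__":
    provider = load_provider("https://idp-a.example/", FAKE_WEB.get)
    print("loaded", provider["issuer"], "keys at", provider["jwks_uri"])
    try:
        load_provider("https://rogue.example", FAKE_WEB.get)
    except ValueError as err:
        print("rejected rogue provider:", err)
```

The issuer equality check is what keeps the "any IdP" mode safe: the keys fetched from `rogue.example` would only ever be used to verify tokens whose `iss` is `https://rogue.example`, so a rogue provider ends up in its own (iss, sub) namespace rather than impersonating `idp-a`. In a real deployment the `fetch` callable would be an HTTPS client with certificate verification and a timeout, and the resulting metadata (and the JWK set at `jwks_uri`) would be cached per issuer.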