1

Out of curiosity, when I log into a site like StackOverflow via OpenID or similar (Google, Facebook, etc.), I also get logged into the identity provider itself (e.g. Google).

Is there a way that users can log into my site using a third party identity, without being logged into that identity itself?

I'm aware that Google sign-in works differently than others, by using Google Sign-In. I'm interested in a general answer for all the popular login services (Google, Facebook, Twitter, ...) whether they are based on OpenID (2.0), OAuth, or a proprietary solution, e.g.: "With OpenID, that works if you do so-and-so. For Google, that is not possible, because technical reason."

jdm

2 Answers

2

OpenID/OAuth is a general "protocol" that allows a site (e.g. stackoverflow) to rely on an identity provider (e.g. Google) for authentication. This includes a transaction where

  1. You tell stackoverflow that you will use Google for login
  2. stackoverflow will send you to Google to get authenticated, with a redirect URL.
  3. Google will authenticate you, effectively will log you in their services (so as to know you are you)
  4. Google (And any other Identity provider) should ask you if you want your email and other information to be sent to stackoverflow
  5. If you agree google will send this info to the consumer (stackoverflow)
  6. From this point on it is up to the auth consumer (e.g. stackoverflow) to accept this information (your email) as valid.

Any scheme that does not go through the ID provider's login (step 3) will expose your credentials to a (possibly) untrusted third party (would you want stackoverflow to have your Google password?).

Step 3 also installs a cookie on your machine which contains your session with Google. It is up to Google (or any ID provider) to consider this session valid for all other uses (Gmail etc.), but it is a convenient feature anyway.

If you already have an established session with Google, it possibly won't require you to log in again.

johnmerm
  • Sure, that is how login via OAuth (OpenID Connect) works. But I wonder if there is a scenario where the authentication server (e.g. Google) performs the authentication, gives the confirmation to the consumer (e.g. SO), then a cookie is set *on the consumer site*, but *no actual login is performed for the authentication server*, e.g. you are not logged into GMail. It seems this is not possible via OAuth (because you have to be logged in, so it can hand out the tokens to the consumer). But I think it might be possible with OpenID 2.0, or Persona, or something else. – jdm Nov 03 '16 at 10:54
  • I was not aware of Persona but anyway, the site says – johnmerm Nov 03 '16 at 11:21
  • The persona.org service is shutting down. This service will be unavailable after November 30th, 2016. More Info... OpenID works the same way as OAuth. The ID provider needs to verify your identity, and this means login. It is also not possible for a site to set a cookie for a different domain. – johnmerm Nov 03 '16 at 11:22
  • "ID provider needs to verify your identity, this means login." I think there is a difference between entering your credentials and actually opening a session. What I mean is: You click on a third party site Y on "login with X". You are redirected to X, enter your credentials, X confirms your identity, and redirects you back to Y, with a token confirming your identity and email address. Y can set a cookie for itself and open a session. That's how all these systems work. Now, X can choose to throw away this information, or it can also open sessions for mail.X.com, calendar.X.com, etc. – jdm Nov 03 '16 at 12:02
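The six-step exchange in the answer above, and the point made in its comments (the consumer can only set a cookie on its own host, while whether the identity provider keeps its own session is the provider's policy), as a runnable simulation. This is an added example, not code from the original post or from any real provider: the hosts `idp.example` and `site.example`, the client id/secret, the user `alice` and her password are all constructed, and the `persist_session` switch stands in for the provider-side design choice being debated.

```python
"""Simulation of the redirect-based 'login with X' flow (OAuth 2.0 / OpenID
Connect style, authorization-code variant). Added example; all hosts,
credentials and client registrations below are made up."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class Browser:
    """Cookies are scoped per host, as in a real browser: a site can only
    set cookies for its own host, never for another site's."""

    def __init__(self):
        self.cookies = {}  # host -> {name: value}

    def set_cookie(self, host, name, value):
        self.cookies.setdefault(host, {})[name] = value

    def get(self, host, name):
        return self.cookies.get(host, {}).get(name)


class IdentityProvider:
    """Steps 3-5: checks the password and hands a one-time code to the consumer."""

    HOST = "idp.example"

    def __init__(self, persist_session=True):
        self.users = {"alice": "correct horse battery staple"}  # constructed user
        self.clients = {"so-client": ("so-secret", "https://site.example/cb")}
        self.codes, self.sessions = {}, {}
        # Policy knob: keep an IdP session after a successful login, or not.
        self.persist_session = persist_session

    def authorize(self, browser, client_id, redirect_uri, state, username, password):
        secret, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:
            raise ValueError("redirect_uri not registered for this client")
        sid = browser.get(self.HOST, "idp_session")
        if sid in self.sessions:
            user = self.sessions[sid]  # existing IdP session: no password prompt
        elif self.users.get(username) == password:
            user = username
            if self.persist_session:  # the "side effect" login on the IdP
                sid = secrets.token_urlsafe(16)
                self.sessions[sid] = user
                browser.set_cookie(self.HOST, "idp_session", sid)
        else:
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)  # short-lived, single-use
        self.codes[code] = (client_id, user)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, code, client_id, client_secret):
        """Back-channel exchange: only the registered consumer can redeem a code."""
        entry = self.codes.pop(code, None)
        if entry is None or entry[0] != client_id or self.clients[client_id][0] != client_secret:
            raise PermissionError("invalid code or client")
        return {"sub": entry[1], "email": entry[1] + "@idp.example"}


class Consumer:
    """The site the user wants to use (steps 1, 2 and 6)."""

    HOST = "site.example"
    CLIENT_ID, CLIENT_SECRET = "so-client", "so-secret"
    CALLBACK = "https://site.example/cb"

    def __init__(self, idp):
        self.idp, self.sessions = idp, {}

    def begin_login(self, browser):
        state = secrets.token_urlsafe(16)  # ties the callback to this browser
        browser.set_cookie(self.HOST, "oauth_state", state)
        return state

    def callback(self, browser, redirect_url):
        q = parse_qs(urlparse(redirect_url).query)
        if q.get("state", [None])[0] != browser.get(self.HOST, "oauth_state"):
            raise PermissionError("state mismatch (login CSRF)")
        claims = self.idp.token(q["code"][0], self.CLIENT_ID, self.CLIENT_SECRET)
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = claims["email"]
        browser.set_cookie(self.HOST, "session", sid)  # cookie on the consumer only
        return claims["email"]


def login_via_idp(persist_idp_session=True, password="correct horse battery staple"):
    """Run the whole exchange; return (email seen by consumer, IdP still logged in?)."""
    browser, idp = Browser(), IdentityProvider(persist_idp_session)
    site = Consumer(idp)
    state = site.begin_login(browser)
    redirect = idp.authorize(browser, site.CLIENT_ID, site.CALLBACK, state, "alice", password)
    email = site.callback(browser, redirect)
    idp_logged_in = browser.get(idp.HOST, "idp_session") in idp.sessions
    return email, idp_logged_in


if __name__ == "__main__":
    print(login_via_idp(True))   # consumer session created, IdP session kept
    print(login_via_idp(False))  # consumer session created, no IdP session
```

Running it shows that the consumer ends up with a `session` cookie on `site.example` in both modes; the only difference is whether `idp.example` chose to set its own cookie. The `state` check and the back-channel code exchange are the two controls a consumer should not skip, regardless of what the provider does with its session.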
0

The behavior you describe is possible (and an IDP could easily implement it) but is not desirable for multiple reasons.

  1. It trains users for phishing. Because after clicking "sign-in" users are supposed to enter id and pw, one could easily show a fake login page and users will type their info.
  2. Of course it is not convenient for users.
  3. From a risk and pw cracking perspective, it is better to do a lot of "checks" when a user signs in, maybe require extra checks (like pinging the phone or asking questions), and then create a logged in session.

I understand the desire that a user shouldn't get signed into the IDP as a side effect, and you could easily achieve that if you are writing the IDP code, or alert the user to sign out of the IDP when they are back on your site.

nvnagr