Of Claims and Public Identities
October 21, 2011 Leave a comment
I remember sitting in a session delivered a few years ago by Kim Cameron, in which I heard for the first time about ‘the laws of identity’, and I was hooked immediately. I find the topic of identity very interesting and important, and too often looked over.
The cloud often bring this into the conversation and often I find people surprised how comprehensive the Microsoft story around identity is and how powerful the ACS is. I’ve discussed an aspect of this – the ability to federate with the ‘big boys’ – Windows Live ID, Yahoo, Google and Facebook in my previous post.
In his talk, Kim listed 7 ‘laws’ –
- User Control and Consent
- Minimal Disclosure for Constrained Use
- Justifiable Parties
- Directed Identity
- Pluralism of Operators and Technologies
- Human Integration
- Consistent Experience Across Contexts
You can read about them here.
In my post I mentioned that the application developer could leverage the ACS to authenticate the user without having to write authentication code, worry about storing username and password, implementing password reset, etc., but suggested the developer would still need to implement a registration screen to get any information that is required about the user and manage a local profile.
This is due to the second law – an identity provider should, in most cases, and certainly in the case of a provider outside the organisation, only disclose the user’s identity, and nothing else. all that’s needed is for someone to say – ‘yep – this user is X as far as I can tell’,
To understand why this is important, consider the difference between these two examples –
When using Windows Live ID as the identity provider, the calling web site (the Relying Party, or RP), receives back a token with two claims – the identity provider (“uri:WindowsLiveID”) and the name identifier (in the Windows Live ID case – a GUID). no personal details are shared, nothing that can be used to hack the account.
The web site is then expected to have details stored against those two facts, which the user had given directly to the web site, as it should be according to the 1st law, and if the web site does not have any such details, it should ask the user directly, and the user – now knowing exactly who is getting these details, can make a conscious call as to whether to share them or not.
In contrast, consider Google’s identity provider – this returns four claims – the identity provider (‘Google’) and the name identifier (a link with a unique identifier in it), similar to Windows Live ID, but also the user’s friendly name (‘Yossi Dahan’ in my case) and email address (‘my gmail address used to sign-in to Google). these are two pieces of information I did not necessarily wish to share with the web site, but they were shared without me realising it (until I debugged the code, that is).
Now – it is true that as a user I needed to first proactively go to the website, and then when got redirected to the Google sign-in page I had to agree for details to be shared, so it’s not exactly horrible, but it does demonstrate the point that identity providers should really provide very little detail and that web site developers, whilst they don’t have to worry about authentication, should really manage user profiles independently and handle user registration against those identities.