Why can’t users choose their identity providers on the web?

Author affiliations: 1 Orange Labs, IRISA; 3 INRIA; 4 Orange Labs; 5 Orange Labs


Authentication delegation is a major function of the modern web. Identity Providers (IdPs) have acquired a central role by providing this function to other web services. By knowing which web services or web applications access its service, an IdP can violate end-user privacy by discovering information that the user did not want to share with its IdP. For instance, WebRTC introduces a new field of usage, as authentication delegation happens during call session establishment between two users. As a result, an IdP can easily discover that Bob has a meeting with Alice. A second issue that increases the privacy violation is the lack of choice for the end-user to select its own IdP. Indeed, on many web applications, the end-user can only select from a subset of IdPs, in most cases Facebook or Google. In this paper, we analyze this phenomenon, in particular why the end-user cannot easily select its preferred IdP even though standards such as OpenID Connect and OAuth 2 exist in this field. To lead this analysis, we conduct three investigations. The first one is a field survey of OAuth 2 and OpenID Connect scope usage by web sites, to understand whether the scopes requested by websites could allow for user-defined IdPs. The second one tries to understand whether the problem comes from the OAuth 2 protocol or from its implementations by IdPs. The last one tries to understand whether trust relations between websites and IdPs could prevent the end-user from selecting its own IdP. Finally, we sketch a possible architecture for web-browser-based identity management, and report on the implementation of a prototype.
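The user-chosen IdP flow the abstract alludes to (identifier, WebFinger issuer lookup, OpenID Connect discovery, then a check of whether the relying party's requested scopes are ones any standards-conforming IdP could serve) as an added example; this is not code from the paper or its prototype. The IdP `idp.example`, its metadata and the WebFinger response are constructed inline so it runs offline, and the scope split mirrors the paper's first investigation: scopes outside OpenID Connect Core are provider-specific and are exactly what ties a site to one IdP.

```python
import json

# Scopes defined by OpenID Connect Core itself; anything else is provider-specific.
STANDARD_OIDC_SCOPES = {"openid", "profile", "email", "address", "phone", "offline_access"}
ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"

# Constructed WebFinger response for acct:alice@idp.example (hypothetical IdP).
WEBFINGER_DOC = json.dumps({
    "subject": "acct:alice@idp.example",
    "links": [{"rel": ISSUER_REL, "href": "https://idp.example"}],
})
# Constructed provider metadata (https://idp.example/.well-known/openid-configuration).
DISCOVERY_DOC = json.dumps({
    "issuer": "https://idp.example",
    "authorization_endpoint": "https://idp.example/authorize",
    "token_endpoint": "https://idp.example/token",
    "jwks_uri": "https://idp.example/jwks",
    "scopes_supported": ["openid", "profile", "email"],
})

def issuer_from_webfinger(doc: str, subject: str) -> str:
    # Only accept an issuer link for the subject we actually asked about.
    data = json.loads(doc)
    if data.get("subject") != subject:
        raise ValueError("WebFinger subject mismatch")
    for link in data.get("links", []):
        if link.get("rel") == ISSUER_REL and link.get("href", "").startswith("https://"):
            return link["href"].rstrip("/")
    raise ValueError("no OIDC issuer link in WebFinger response")

def validate_discovery(doc: str, expected_issuer: str) -> dict:
    meta = json.loads(doc)
    # Discovery requires `issuer` to equal the location the document came from;
    # accepting a mismatch lets one provider impersonate another (mix-up).
    if meta.get("issuer") != expected_issuer:
        raise ValueError("issuer mismatch in discovery document")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(meta.get(key, "")).startswith("https://"):
            raise ValueError(f"{key} missing or not https")
    return meta

def scope_gap(requested: set, meta: dict) -> dict:
    # Split the RP's scopes into served, unserved, and non-standard (IdP-specific).
    supported = set(meta.get("scopes_supported", []))
    return {"satisfied": requested & supported, "missing": requested - supported,
            "non_standard": requested - STANDARD_OIDC_SCOPES}

def resolve(identifier: str, requested: set) -> dict:
    # In a real client both documents are fetched over HTTPS; here they are constructed.
    issuer = issuer_from_webfinger(WEBFINGER_DOC, f"acct:{identifier}")
    meta = validate_discovery(DISCOVERY_DOC, issuer)
    return {"issuer": issuer, **scope_gap(requested, meta)}
```

A request for `{"openid", "email", "user_friends"}` resolves to the user's own IdP for the two standard scopes, while `user_friends` shows up as both unsupported and non-standard, which is the kind of scope that prevents the site from accepting a user-defined IdP.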


