HAL will be down for maintenance from Friday, June 10 at 4pm through Monday, June 13 at 9am. More information
Skip to Main content Skip to Navigation
Journal articles

Why can’t users choose their identity providers on the web?

Kevin Corre 1, 2 Olivier Barais 2 Gerson Sunyé 3 Vincent Frey 1 Jean-Michel Crom 1
2 DiverSe - Diversity-centric Software Engineering
Inria Rennes – Bretagne Atlantique , IRISA-D4 - LANGAGE ET GÉNIE LOGICIEL
3 AtlanModels - Modeling Technologies for Software Production, Operation, and Evolution
Inria Rennes – Bretagne Atlantique , LS2N - Laboratoire des Sciences du Numérique de Nantes
Abstract : Authentication delegation is a major function of the modern web. Identity Providers (IdP) acquired a central role by providing this function to other web services. By knowing which web services or web applications access its service, an IdP can violate the end-user privacy by discovering information that the user did not want to share with its IdP. For instance, WebRTC introduces a new field of usage as authentication delegation happens during the call session establishment, between two users. As a result, an IdP can easily discover that Bob has a meeting with Alice. A second issue that increases the privacy violation is the lack of choice for the end-user to select its own IdP. Indeed, on many web-applications, the end-user can only select between a subset of IdPs, in most cases Facebook or Google. In this paper, we analyze this phenomena, in particular why the end-user cannot easily select its preferred IdP, though there exists standards in this field such as OpenID Connect and OAuth 2? To lead this analysis, we conduct three investigations. The first one is a field survey on OAuth 2 and OpenID Connect scope usage by web sites to understand if scopes requested by web-sites could allow for user defined IdPs. The second one tries to understand whether the problem comes from the OAuth 2 protocol or its implementations by IdP. The last one tries to understand if trust relations between websites and IdP could prevent the end user to select its own IdP. Finally, we sketch possible architecture for web browser based identity management, and report on the implementation of a prototype.
Document type :
Journal articles
Complete list of metadata

Cited literature [13 references]  Display  Hide  Download

Contributor : Kevin Corre Connect in order to contact the contributor
Submitted on : Thursday, October 5, 2017 - 1:22:44 PM
Last modification on : Wednesday, April 27, 2022 - 3:48:47 AM


Files produced by the author(s)



Kevin Corre, Olivier Barais, Gerson Sunyé, Vincent Frey, Jean-Michel Crom. Why can’t users choose their identity providers on the web?. Proceedings on Privacy Enhancing Technologies, De Gruyter Open, 2017, 2017 (3), pp.72-86. ⟨10.1515/popets-2017-0029⟩. ⟨hal-01611048⟩



Record views


Files downloads