Questions[openid](server)

We currently use Google as an OpenID identity provider to our web platform. We need to move away from it. I discovered Amazon Cognito (we already use EC2/S3 and the rest).

I discovered the well_known here: https://cognito-idp.us-east-1.amazonaws.com/us-east-1_UxUwcIy3y/.well-known/openid-configuration

Then I fetched the authorization_endpoint which is https://cognito-idp.us-east-1.amazonaws.com/us-east-1_UxUwcIy3y.

However, no matter what I pass to it, including response_type, scope, client_id, redirect_uri, it always gives me:

{"code":"BadRequest","message":"The server did not understand the operation that was requested.","type":"client"}

With no other information.

There doesn't seem to be any public documentation regarding this feature. Is what I'm trying to do even possible (make Cognito act like Google OpenID IDP)? Does anyone have any documentation regarding what to pass to authorization_endpoint. I understand that the Amazon Cognito Mobile SDK provides a way to embed SSO in apps, but maybe it is not possible to do this directly the way I'm doing. I already setup a user pool.

For those Relying Parties (RP) that allow the user to specify the OpenID Provider (OP), it seems to me than anyone that knows or guesses your OpenID could

1. Enter their own OP address.
2. Have it validate them as owning your OpenID.
3. Access your account on the RP.

The RP "could" take measures to prevent this by only allowing the OpenID to validated by the original OP, but...

1. How do you know they do?
2. You could never change your OP without also changing your OpenID.

Is open ID secure, for example can you use it to log into bank accounts?

Don't you just hate it when your password explodes, letting the magic smoke out of your server, and setting lp0 ablaze?

In all seriousness, the number of places a person needs a username and password is increasing dramatically. It looks like OpenID won't be solving the problem in the near future, and Single Sign-On seems more like a goal than a reality internally, even disregarding the great big net out there.

I just came from a meeting wherein I was told that we've paid for access to several external sites, and want to lower the bar and increase the likelihood that staff (and students) will make use of these resources. Those speaking felt that our top five- to ten-percent of users might make use of the sites, but if we could provide a way to log people in to the sites (and give them a launching-off page) that the uptake might increase dramatically (and that we could save tech support money but not having to help people when they forget their passwords.)

What are you doing about this problem in your organization? Are there any sensible approaches?

I've been wondering. Since anybody can start an OpenID provider, and since there is no central authority that approves OpenID providers, why won't fake OpenID providers become a problem?

For example, a spammer could start an OpenID provider with a backdoor to let himself authenticate as any other user that was tricked into registering on his site. Is this possible? Is the provider's reputation the only thing that prevents this? Are we going to see OpenID provider blacklists and OpenID provider review sites in the future?

Probably I don't understand something about OpenID completely. Please enlighten me :)