[OpenID] Using OpenID to authenticate at a 3rd party service

Martin Atkins mart at degeneration.co.uk
Mon Feb 12 18:57:36 UTC 2007

Chris Richard wrote:
> I want to expose a web service that relying parties can use on behalf 
> of users and I'd like to use OpenID to authenticate users at this service.
> I'd like to add the service (a new service type) to the user's XRDS 
> (which already contains an OpenID service) and now the relying party can 
> find both services it needs. But what should the communication look like 
> between these four parties (the user agent, relying party, OpenID 
> service, my web service)? Does the relying party need to authenticate 
> the user with OpenID first and then forward the user through my service 
> where the user is again authenticated and eventually sent back to the 
> relying party?

This is the sort of thing that I envisaged OpenID Exchange (whose name 
will probably change if it's ever published as a spec) would be useful for:

To answer your question in the context of OpenID Exchange, the relying 
party can optionally authenticate the user, but ultimately it is most 
important that the target service authenticates the user.

I think in most cases either the RP will already know the identity of 
the remote user or they won't care at all. If it's desired, both the RP 
and the service can authenticate the user as part of the process, but of 
course that leads to the sub-optimal situation where the user could get 
prompted to approve a site twice, which is likely to cause confusion.

Sadly I've not had much time recently to work on a prototype 
implementation of this beyond my simple demo.
