[OpenID] Sharing OpenID between sites (and APIs)
William.Tan at neustar.biz
Mon Jan 29 01:54:16 UTC 2007
There are privacy concerns here. If someone clicks on a link on the page
with an openid_url=ID or lid=ID query parameter, it will show up in the
referrer log of the target site. While it's not a password, it's still
valuable information identifying the user.
Can't the RP implement a long-lived cookie that remembers the user, so
that when a user revisits the site after a few days it'll check if the
user is logged on at the IdP?
Johannes Ernst wrote:
> That's what the NetMesh code has been doing for about two years now.
> It's rather handy for things like bookmarking a pair of page URL and
> identity of user, not just page URL, so the bookmark is "show me this
> page with me as owner" vs "show me this page as anonymous" vs. ...
> In our implementation, having an empty value for this parameter
> (called lid= in our case) means "anonymous".
> On Jan 27, 2007, at 8:38, Stephen Paul Weber wrote:
>> Hello everyone :)
>> I've been thinking a lot about the problem of having to sign in
>> with your OpenID at every site (unlike other, close, single sign on
>> where going to, say, Blogger when logged in at GMail automatically
>> logs you in). This also applies to data-sharing between sites in an
>> authenticated API style.
>> Basically, I think it makes sense for every page on an
>> OpenID-enabled site to accept ?openid_url=ID, instead of only the
>> login page.
>> See my article for more :
>> - Stephen Paul Weber, singpolyma.net
>> general mailing list
>> general at openid.net
> general mailing list
> general at openid.net
More information about the general