[OpenID] Sharing OpenID between sites (and APIs)
Tan, William
William.Tan at neustar.biz
Mon Jan 29 01:54:16 UTC 2007
There are privacy concerns here. If someone clicks on a link on the page
with an openid_url=ID or lid=ID query parameter, it will show up in the
referrer log of the target site. While it's not a password, it's still
valuable information identifying the user.
Can't the RP implement a long-lived cookie that remembers the user, so
that when a user revisits the site after a few days it'll check if the
user is logged on at the IdP?
=wil
Johannes Ernst wrote:
> That's what the NetMesh code has been doing for about two years now.
> It's rather handy for things like bookmarking a pair of page URL and
> identity of user, not just page URL, so the bookmark is "show me this
> page with me as owner" vs "show me this page as anonymous" vs. ...
>
> In our implementation, having an empty value for this parameter
> (called lid= in our case) means "anonymous".
>
> On Jan 27, 2007, at 8:38, Stephen Paul Weber wrote:
>
>
>> Hello everyone :)
>> I've been thinking a lot about the problem of having to sign in
>> with your OpenID at every site (unlike other, close, single sign on
>> where going to, say, Blogger when logged in at GMail automatically
>> logs you in). This also applies to data-sharing between sites in an
>> authenticated API style.
>> Basically, I think it makes sense for every page on an
>> OpenID-enabled site to accept ?openid_url=ID, instead of only the
>> login page.
>> See my article for more :
>> <http://singpolyma-tech.blogspot.com/2007/01/openid-as-true-single-
>> signon.html>
>> Thoughts?
>>
>> --
>> - Stephen Paul Weber, singpolyma.net
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
>>
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
More information about the general
mailing list