[OpenID] Persistent logins

Max Metral max at artsalliancelabs.com
Tue Mar 13 18:00:31 UTC 2007

checkid_immediate is what I meant, yep (sorry).  But it requires UA
interaction (which makes sense given the protocol) which means I can't
safely use it all the time (since I don't know if the user will then
have to take an action).  And at the very best, I would then make my
members tell me twice that they want a persistent login.  First, when
they enter their OpenID on my site (so I know to make a persistent
ticket) and then second they'll have to realize they need to click
"Allow Forever" on the IDP.  It's a broken UE.

There are a variety of options:

1) Allow the consumer to specify that they would like a persistent
logon.  This would allow the IDP to include that information in the
1a) Have the IDP return some token that allows the site to verify the
token server-to-server
1b) Have the IDP inform the consumer that future re-login requests will
not require UI based on permissions

2) Allow the existing token that is passed back during login to be used
server-to-server in the context of "Did you, the IDP, issue this token,
and do you continue to believe it's a valid token?"

3) Have the IDP provide a "logout" page that would contact selected
sites (based on user input or on history) via a well known mechanism
that instructs the site that any OpenID credentials are no longer valid.

4) Have the site provide an OpenID "serial number" of its own and
provide its own UI to clear this across machines.  Problem with this of
course is that there's no central place for me to fix my mess.

-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Rowan Kerr
Sent: Tuesday, March 13, 2007 1:37 PM
To: general at openid.net
Subject: Re: [OpenID] Persistent logins

On 13-Mar-07, at 10:20 AM, Max Metral wrote:
> I was afraid this might be the case.  It's a pretty big hole I would
> submit

Your UA will remember your session (don't have to re-authenticate),
or your UA will remember the identifier you used previously (only
have to click "login" to authenticate), or your UA will recognize
a standardized "open id" form and fill in your identifier
(only have to click "login").

If a user arrives at a site they've never been to before, yet
happens to be a partner of a site they have previously used
why force business partnerships on them by magically
authenticating them?

> In the end, if check_auth isn't server-to-server only, it would
> seem we'd need that mechanism.

Are you maybe looking for openid.mode = checkid_immediate?
That still goes through the UA to maintain sessions, cookies, etc
but can happen without user interaction.
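
The checkid_immediate round trip Rowan points to, as an added example that is not part of this thread or of any OpenID library: the relying party builds an immediate-mode request, then handles the OP's answer, falling back to checkid_setup when the OP returns setup_needed (the case Max worries about, where the user would have to act), and accepting a positive assertion only when the signature under the shared association key verifies over all mandatory fields and the response_nonce has not been seen before. The OP is simulated in-process; the hostnames, association handle, MAC key and nonce timestamp are all constructed values.

```python
"""Relying-party (RP) side of an OpenID 2.0 checkid_immediate exchange.

Constructed example: the OP is simulated in-process with a shared HMAC
association key, so the whole flow runs offline.
"""
import base64
import hashlib
import hmac
import secrets

OPENID_NS = "http://specs.openid.net/auth/2.0"

# Fields an OP must include in openid.signed for a positive assertion
# (OpenID Authentication 2.0, section 10.1).
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"}


def build_checkid_request(identity, return_to, realm, assoc_handle, immediate):
    """Indirect request the RP redirects the user agent to at the OP endpoint."""
    return {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_immediate" if immediate else "checkid_setup",
        "openid.claimed_id": identity,
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.realm": realm,
        "openid.assoc_handle": assoc_handle,
    }


def kv_form(fields, signed_keys):
    """Key-value form of the signed fields with the 'openid.' prefix stripped."""
    return "".join(f"{key}:{fields['openid.' + key]}\n" for key in signed_keys)


def sign(fields, mac_key):
    """HMAC-SHA256 over the kv-form of openid.signed, base64 encoded."""
    signed_keys = fields["openid.signed"].split(",")
    digest = hmac.new(mac_key, kv_form(fields, signed_keys).encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def simulated_op_response(request, mac_key, op_endpoint, user_has_approved):
    """Stand-in OP: signed id_res if the user already approved this realm,
    otherwise setup_needed, the immediate-mode 'I need UA interaction' answer."""
    if not user_has_approved:
        return {"openid.ns": OPENID_NS, "openid.mode": "setup_needed"}
    # Constructed nonce: fixed timestamp plus random suffix, as the spec requires.
    nonce = "2007-03-13T18:00:31Z" + secrets.token_urlsafe(6)
    fields = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": request["openid.claimed_id"],
        "openid.identity": request["openid.identity"],
        "openid.return_to": request["openid.return_to"],
        "openid.response_nonce": nonce,
        "openid.assoc_handle": request["openid.assoc_handle"],
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    fields["openid.sig"] = sign(fields, mac_key)
    return fields


class RelyingParty:
    def __init__(self, mac_key, assoc_handle, return_to):
        self.mac_key = mac_key
        self.assoc_handle = assoc_handle
        self.return_to = return_to
        self.seen_nonces = set()  # replay protection for openid.response_nonce

    def handle_response(self, fields):
        """Return ('authenticated', claimed_id), ('setup_needed', None) or ('rejected', why)."""
        if fields.get("openid.ns") != OPENID_NS:
            return ("rejected", "wrong namespace")
        mode = fields.get("openid.mode")
        if mode == "setup_needed":
            return ("setup_needed", None)  # caller retries with checkid_setup
        if mode != "id_res":
            return ("rejected", f"unexpected mode {mode!r}")
        if not REQUIRED_SIGNED <= set(fields.get("openid.signed", "").split(",")):
            return ("rejected", "mandatory field not covered by signature")
        if fields.get("openid.assoc_handle") != self.assoc_handle:
            return ("rejected", "unknown association handle")
        if fields.get("openid.return_to") != self.return_to:
            return ("rejected", "return_to mismatch")
        try:
            expected = sign(fields, self.mac_key)
        except KeyError:
            return ("rejected", "signed field missing")
        if not hmac.compare_digest(expected, fields.get("openid.sig", "")):
            return ("rejected", "bad signature")
        nonce = fields["openid.response_nonce"]
        if nonce in self.seen_nonces:
            return ("rejected", "replayed response_nonce")
        self.seen_nonces.add(nonce)
        return ("authenticated", fields["openid.claimed_id"])


if __name__ == "__main__":
    key = b"constructed-shared-association-key"
    rp = RelyingParty(key, "assoc-handle-123", "https://rp.example/return")
    req = build_checkid_request("https://user.example/", rp.return_to,
                                "https://rp.example/", rp.assoc_handle, immediate=True)
    for approved in (False, True):
        print(approved, rp.handle_response(
            simulated_op_response(req, key, "https://op.example/endpoint", approved)))
```

The signature check answers the first half of Max's option 2 ("did you, the IDP, issue this token?") without a server-to-server call, because the association key is shared in advance; whether the OP still considers it valid is exactly what the thread leaves open, and the nonce set only guards against replay of a single assertion.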

