[OpenID] Re: user-initiated login

SitG Admin sysadmin at shadowsinthegarden.com
Fri Apr 18 19:25:18 PDT 2008


>The user could have clicked on a random link sent to them via IM or 
>mail which immediately sent the user to the Yahoo OpenID screen.

Interesting . . . in testing (with the PHP library for Consumer from 
openidenabled.com), I intercepted the browser's GET request of the 
OP, then went into /tmp and deleted everything the RP had, before 
removing the block and resending the GET to my OP (me). Everything 
worked *perfectly*. It did not break the authentication process to 
have an OP redirecting a user to my Consumer who, as far as my 
Consumer was concerned, had never been there before. I'm currently 
using cookies to enforce statefulness (and, if a user tries to finish 
authenticating but they don't send a cookie I recognize, I send them 
back to my login page and ask them to support cookies this time), but 
how convenient would it be for users if they could follow (or 
bookmark) a single URL to their OP which would say "log me in to this 
site, please"? As opposed to the current flow, which is "user sends 
POST or GET to RP with 'openid_identifier' (or whatever the RP wants 
to call it), and RP crafts URL to have user follow"? Something to 
keep in mind, anyway, if the move to a more secure process evolves a 
confirmation step with the RP to ask "Hey, did you just send a user 
my way?".

-Shade


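The cookie-based statefulness check Shade describes, written out as an added example; this is not code from the original post, nor from the openidenabled.com PHP library. It is a small Python relying-party layer that issues an HMAC-signed session cookie and a per-attempt nonce in return_to when a login starts, then refuses any completion that arrives without a recognised cookie, for a session with no pending attempt (the "deleted everything in /tmp" case), at a URL other than the return_to it asked for, after expiry, or with an already-used openid.response_nonce. Signature and association checks on the OP's assertion are assumed to be done by the OpenID library before this layer runs. The hostnames rp.example and op.example, the parameter name rp_nonce, the secret, and the stand-in OP are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

OPENID_NS = "http://specs.openid.net/auth/2.0"


class StatefulRelyingParty:
    """Binds every OpenID completion to a login attempt this RP itself started.

    Assumed design (not the openidenabled library's): begin() records a pending
    attempt server-side, hands the browser a signed cookie, and puts a one-time
    nonce into return_to; complete() checks all three before accepting anything.
    """

    def __init__(self, return_to_base, secret, ttl=300, now=time.time):
        self.return_to_base = return_to_base   # assumed RP return URL, no query string
        self.secret = secret                   # HMAC key for the session cookie
        self.ttl = ttl                         # seconds a login attempt stays valid
        self.now = now                         # injectable clock, used by the demo
        self.pending = {}                      # session id -> (nonce, issued_at)
        self.seen_response_nonces = set()      # replay protection for accepted assertions

    def _sign(self, sid):
        return hmac.new(self.secret, sid.encode(), hashlib.sha256).hexdigest()

    def begin(self, op_endpoint, identity):
        """Start a login: return (cookie_value, redirect_url to the OP)."""
        sid = secrets.token_urlsafe(16)
        nonce = secrets.token_urlsafe(16)
        self.pending[sid] = (nonce, self.now())
        cookie = f"{sid}.{self._sign(sid)}"
        return_to = f"{self.return_to_base}?{urlencode({'rp_nonce': nonce})}"
        redirect = op_endpoint + "?" + urlencode({
            "openid.ns": OPENID_NS,
            "openid.mode": "checkid_setup",
            "openid.identity": identity,
            "openid.claimed_id": identity,
            "openid.return_to": return_to,
            "openid.realm": self.return_to_base,
        })
        return cookie, redirect

    def complete(self, request_url, cookie):
        """Validate the OP's redirect back to us. Returns (accepted, detail)."""
        # 1. The browser must present the cookie begin() issued, and it must be ours.
        if not cookie or "." not in cookie:
            return False, "no session cookie: this RP never started a login for this browser"
        sid, sig = cookie.rsplit(".", 1)
        if not hmac.compare_digest(sig, self._sign(sid)):
            return False, "cookie signature mismatch"
        # 2. A pending attempt must exist for that session; pop() makes it single-use.
        attempt = self.pending.pop(sid, None)
        if attempt is None:
            return False, "no pending login attempt for this session"
        nonce, issued_at = attempt
        if self.now() - issued_at > self.ttl:
            return False, "login attempt expired"
        # 3. The response must land on exactly the return_to we asked for, and the OP
        #    must echo that same return_to (OpenID 2.0 return_to verification).
        parts = urlsplit(request_url)
        query = {k: v[0] for k, v in parse_qs(parts.query).items()}
        expected_return_to = f"{self.return_to_base}?{urlencode({'rp_nonce': nonce})}"
        arrived_at = (f"{parts.scheme}://{parts.netloc}{parts.path}?"
                      f"{urlencode({'rp_nonce': query.get('rp_nonce', '')})}")
        if arrived_at != expected_return_to:
            return False, "request URL does not match the return_to of the pending attempt"
        if query.get("openid.return_to") != expected_return_to:
            return False, "openid.return_to in the response does not match"
        if query.get("openid.mode") != "id_res":
            return False, f"unexpected openid.mode {query.get('openid.mode')!r}"
        # 4. Refuse an assertion we have already accepted once.
        response_nonce = query.get("openid.response_nonce")
        if not response_nonce or response_nonce in self.seen_response_nonces:
            return False, "missing or replayed openid.response_nonce"
        self.seen_response_nonces.add(response_nonce)
        return True, query.get("openid.claimed_id")


def simulate_op_response(redirect_url, claimed_id):
    """Constructed stand-in for the OP: answers the checkid_setup request with a
    positive assertion appended to the return_to it was given (no signing here)."""
    req = {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).query).items()}
    return_to = req["openid.return_to"]
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    return return_to + "&" + urlencode({
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": stamp + secrets.token_urlsafe(8),
    })


def demo():
    """Run the scenarios from the post; returns {scenario: accepted?}."""
    clock = [1_700_000_000.0]                   # controllable clock so expiry is testable
    rp = StatefulRelyingParty("https://rp.example/openid/return",
                              b"constructed-secret-key", now=lambda: clock[0])
    alice = "https://alice.op.example/"
    op = "https://op.example/server"
    cookie, redirect = rp.begin(op, alice)
    response_url = simulate_op_response(redirect, alice)
    results = {}
    # A browser arrives from the OP with no session at this RP (a bare link to the OP).
    results["no_cookie"] = rp.complete(response_url, None)[0]
    results["forged_cookie"] = rp.complete(response_url, "someone." + "0" * 64)[0]
    results["genuine"] = rp.complete(response_url, cookie)[0]
    results["replay"] = rp.complete(response_url, cookie)[0]
    # RP-side state wiped between begin and complete (the /tmp experiment).
    cookie2, redirect2 = rp.begin(op, alice)
    rp.pending.clear()
    results["state_wiped"] = rp.complete(simulate_op_response(redirect2, alice), cookie2)[0]
    cookie3, redirect3 = rp.begin(op, alice)
    clock[0] += 600
    results["expired"] = rp.complete(simulate_op_response(redirect3, alice), cookie3)[0]
    return results
```

Only the "genuine" scenario is accepted. The trade-off is the one the post raises: a user who reaches the OP by bookmark or by a link in a message, and is then sent on to the RP, has no pending attempt and is bounced to the login page, so an OP-initiated flow would need the RP to create that attempt (and set the cookie) before forwarding the user to the OP.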