<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
<font face="Helvetica, Arial, sans-serif">Unfortunately there isn't yet
a proposed standard or best-practice for doing this. I do have a
couple questions/comments....<br>
<br>
1. Are you thinking about passing the openid to the remote site via the
browser? or via a direct call from the main site to the remote site?
This latter method I don't think will work because the remote site will
have no way (it can't redirect the browser) to authenticate the user
(and get attribute data or whatever). However, invoking all the remote
sites from the main site via the browser will not provide the best user
experience as the user's browser will be doing a lot of re-directing:)<br>
<br>
2. It would be cool if as part of the main site authentication, the
main site could retrieve an "authentication token" (SAML?) that could
be used for direct remote site invocations. The remote site could
validate the "authentication token" and if valid, perform the necessary
operations. However, this does make the user consent model slightly
more difficult.<br>
<br>
3. </font><font face="Helvetica, Arial, sans-serif">Another minor
issue, is that
the main site should really ask the user before passing the user's
identifier to the remote sites because that identifier is a correlation
handle between all the remote sites that are accessed. It could also
be the case, that the identifier the user used at the remote site is
different from the identifier used at the main site. The user would
probably know which identifier to use where, and it's possible the OP
might know as well... but I don't see how the main site could know.<br>
<br>
Of course, not all use cases are affected by these issues.<br>
</font><font face="Helvetica, Arial, sans-serif"><br>
Thanks,<br>
George<br>
</font><br>
Pat Cappelaere wrote:
<blockquote cite="midC20AEB90.225C5%25pat@cappelaere.com" type="cite">
<pre wrap="">Is there a proposed standard or best-practice to pass along openid
information to web services that can be accessed across other domains?'
Example:
User logs on to main site.
User performs some action (distributed search for example)
Main site accesses web services across many remote sites on behalf of user.
Might be nice to have something like:
<a class="moz-txt-link-freetext" href="http://www.example.com/service?openid=xxx">http://www.example.com/service?openid=xxx</a>
Remote site should be able to validate user and even access user profile
information (if user agrees, of course)
Thanks,
Pat.
_______________________________________________
general mailing list
<a class="moz-txt-link-abbreviated" href="mailto:general@openid.net">general@openid.net</a>
<a class="moz-txt-link-freetext" href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a>
</pre>
</blockquote>
</body>
</html>