Login Federation

John Ehn john at extremeswank.com
Mon Feb 18 16:41:18 UTC 2008


This can be pretty easily done by piggy-backing on the Attribute Exchange
extension.  Have your OpenID Provider store an "IsLoggedIn" variable.  When
the value is updated, the OpenID Provider can update all the websites
subscribing to the value.

The tricky part is having the web browser be automatically identifiable from
all of these supported sites.  My first thought would be:

* Store and send out the value of the IsLoggedIn variable to all the
websites
* Give the browser multiple session cookies that are visible from each of
the websites that the value was sent to, which contain a hash of the value
plus the website URL.
* When the website sees the cookie, it can take the cookie, generate and
compare the hash.  If the hashes match, automatically do an OpenID login
* When the user logs out at the OpenID Provider, AX will update all
subscribing websites, thereby logging the user out of all sites

Although, I believe most web browsers won't let you store cookies that are
visible from multiple sites.  Perhaps someone more familiar with these
mechanics can chip in?  Maybe somehow detect the web browser's "signature"
without involving any functionality in the browser itself?

Thanks,

John Ehn
extremeswank.com

On 2/18/08, Martin Paljak <martin at paljak.pri.ee> wrote:
>
>
> On Feb 18, 2008, at 5:11 PM, McGovern, James F (HTSC, IT) wrote:
> > Likewise, I would think that for automatic signon, it would be a good
> > thing if the OpenID provider could tell the relying party how long to
> > leave an otherwise idle session open before timing it out. Not sure if
> > this would require an extension or not.
>
> expires_in from
> http://openid.net/specs/openid-authentication-2_0.html#anchor20
> should do exactly this.
>
> m.
> --
> Martin Paljak
> http://martin.paljak.pri.ee
> +3725156495
>
>
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs
>
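
The cookie check described in the message above, as an added example that is not part of the original post or of any OpenID library. It assumes the IsLoggedIn value is a random per-login token rather than a boolean, uses HMAC-SHA256 keyed by that value as the hash, and models the AX update as a plain method call; all class and function names are hypothetical, and how each cookie reaches the browser for each site is left out.

```python
import hashlib
import hmac
import secrets


def cookie_for(value, site_url):
    # Hash of the value plus the website URL. Assumption: HMAC-SHA256 keyed
    # by the value, so the URL alone is not enough to build the cookie.
    return hmac.new(value.encode(), site_url.encode(), hashlib.sha256).hexdigest()


class RelyingParty:
    """Hypothetical website subscribed to IsLoggedIn updates."""

    def __init__(self, site_url):
        self.site_url = site_url
        self.values = {}  # OpenID identifier -> current IsLoggedIn value

    def receive_update(self, identifier, value):
        # Stand-in for the provider's AX update; None means logged out.
        if value is None:
            self.values.pop(identifier, None)
        else:
            self.values[identifier] = value

    def cookie_is_valid(self, identifier, cookie):
        # Regenerate the hash from the stored value and compare in constant time.
        value = self.values.get(identifier)
        if value is None:
            return False
        expected = cookie_for(value, self.site_url)
        return hmac.compare_digest(expected.encode(), cookie.encode())


class Provider:
    """Hypothetical OpenID Provider holding the list of subscribing sites."""

    def __init__(self, sites):
        self.sites = sites

    def login(self, identifier):
        value = secrets.token_urlsafe(32)  # assumption: random token, not a boolean
        for site in self.sites:
            site.receive_update(identifier, value)
        return {s.site_url: cookie_for(value, s.site_url) for s in self.sites}

    def logout(self, identifier):
        for site in self.sites:
            site.receive_update(identifier, None)
```

Because the site URL is part of the hash, a cookie issued for one site does not validate at another, and a logout update invalidates every outstanding cookie at once.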