[OpenID] Sharing OpenID between sites (and APIs)

Eran Sandler eran at sandler.co.il
Mon Jan 29 08:12:06 UTC 2007


Most sites will probably be able to do that anyway because even after a user
signs in with an OpenID most sites will set some form of an authentication
cookie so the user won't have to be verified again (even if it means to
verify the user through the OpenID server again).
This is something that already exists in most sites and that's not the main
problem (if I understand what Johannes Ernst wrote)

I think that main "problem" here is that in assets control by a single
party, like Google, moving between Blogger/Gmail allows you to get a single
authentication from the nature of cookies being domain bounded (so cookies
are out of the question for that).

Unless a more interesting approach/idea/whatever is taken for OpenID, moving
between sites without authenticating at least once (and hopefully use the
"remember me" feature) will not work.

The only idea I can come up with besides appending things on a URL is to use
some kind of a 3rd party plugin (I would even shamelessly say Java at this
point ;-) ) that the site could talk to using JavaScript to determine the
OpenID of the current user.
Perhaps a FireFox plugin that do have access to the set of cookies (I don't
know if it is possible having never written a FireFox plugin before)
contained in the browser should do that (if you preconfigure it to search
for cookies from your OpenID server).

It is, however, a problem that would be very interesting to solve and would
greatly help everyone with OpenID.


-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Tan, William
Sent: Monday, January 29, 2007 3:54 AM
To: Johannes Ernst
Cc: general at openid.net
Subject: Re: [OpenID] Sharing OpenID between sites (and APIs)

There are privacy concerns here. If someone clicks on a link on the page 
with an openid_url=ID or lid=ID query parameter, it will show up in the 
referrer log of the target site. While it's not a password, it's still 
valuable information identifying the user.

Can't the RP implement a long-lived cookie that remembers the user, so 
that when a user revisits the site after a few days it'll check if the 
user is logged on at the IdP?


Johannes Ernst wrote:
> That's what the NetMesh code has been doing for about two years now.  
> It's rather handy for things like bookmarking a pair of page URL and  
> identity of user, not just page URL, so the bookmark is "show me this  
> page with me as owner" vs "show me this page as anonymous" vs. ...
> In our implementation, having an empty value for this parameter  
> (called lid= in our case) means "anonymous".
> On Jan 27, 2007, at 8:38, Stephen Paul Weber wrote:
>> Hello everyone :)
>>    I've been thinking a lot about the problem of having to sign in
>> with your OpenID at every site (unlike other, close, single sign on
>> where going to, say, Blogger when logged in at GMail automatically
>> logs you in).  This also applies to data-sharing between sites in an
>> authenticated API style.
>>    Basically, I think it makes sense for every page on an
>> OpenID-enabled site to accept ?openid_url=ID, instead of only the
>> login page.
>>    See my article for more :
>> <http://singpolyma-tech.blogspot.com/2007/01/openid-as-true-single- 
>> signon.html>
>>       Thoughts?
>> -- 
>> - Stephen Paul Weber, singpolyma.net
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general

general mailing list
general at openid.net

More information about the general mailing list