[OpenID] Sharing OpenID between sites (and APIs)

Tan, William William.Tan at neustar.biz
Mon Jan 29 11:49:26 UTC 2007


Eran Sandler wrote:
> William,
>
> Most sites will probably be able to do that anyway because even after a user
> signs in with an OpenID most sites will set some form of an authentication
> cookie so the user won't have to be verified again (even if it means to
> verify the user through the OpenID server again).
> This is something that already exists in most sites and that's not the main
> problem (if I understand what Johannes Ernst wrote).
>   
Right.

> I think that the main "problem" here is that in assets controlled by a single
> party, like Google, moving between Blogger/Gmail allows you to get a single
> authentication from the nature of cookies being domain bounded (so cookies
> are out of the question for that).
>
> Unless a more interesting approach/idea/whatever is taken for OpenID, moving
> between sites without authenticating at least once (and hopefully using the
> "remember me" feature) will not work.
>   
Ok, so you are visiting a new RP who has never seen you before? The only 
reason Blogger/Gmail works is that they only work with a single IdP. 
That is indeed tricky.

However, an RP (or OP) wouldn't randomly link to another site giving it 
the openid_url of the logged in user since that would be a huge security 
concern. I assume the use case is for keeping the user logged in within 
affiliated sites only, kind of like moving between gmail and gcalendar 
or something like that.

If the first RP that appends the openid_url parameter can be certain 
that the target will process it and then redirect away to a URL with no 
private information, then that's fine.


=wil
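An added example (not from this thread or from any OpenID implementation) of the target-side handling William describes: the affiliated site accepts the openid_url parameter only from a known affiliate, uses it solely to seed its own OpenID authentication step, and immediately computes a redirect location with the identifier stripped so nothing private remains in the URL. The affiliate hostnames, the accept_handoff function and the Referer check are assumptions for illustration.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Hypothetical allowlist of affiliated sites allowed to hand a user over
# (assumed for this example; the thread names no specific hosts).
AFFILIATED_HOSTS = {"mail.example.com", "calendar.example.com"}

# Parameter the first RP appends, as named in the thread.
HANDOFF_PARAM = "openid_url"


def accept_handoff(request_url: str, referer: Optional[str]) -> Tuple[Optional[str], str]:
    """Process an affiliate hand-off request on the target site.

    Returns (openid_url, clean_redirect). openid_url is the identifier to
    start OpenID authentication with, or None if the hand-off is refused.
    clean_redirect is always the same URL with the identifier removed, so the
    browser is sent on to a location that carries no private information in
    its history, bookmarks or later Referer headers.
    """
    parts = urlsplit(request_url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    handoff = [v for k, v in params if k == HANDOFF_PARAM]
    kept = [(k, v) for k, v in params if k != HANDOFF_PARAM]
    # Fragment is dropped as well; it is never needed for the hand-off.
    clean = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))

    if not handoff:
        return None, clean

    # Only honour the identifier when the request came from an affiliated site.
    # Referer is a coarse signal (absent or spoofable for non-browser clients);
    # a production hand-off would also carry a short-lived signed token from the
    # affiliate, which this example does not model.
    ref_host = urlsplit(referer).hostname if referer else None
    if ref_host not in AFFILIATED_HOSTS:
        return None, clean

    # A claimed identifier must be an http(s) URL; anything else is refused
    # before it can reach the OpenID discovery step.
    claimed = handoff[0]
    idp = urlsplit(claimed)
    if idp.scheme not in ("http", "https") or not idp.hostname:
        return None, clean
    return claimed, clean
```

The returned identifier only seeds the target's own OpenID check (where the user's "remember me" at the IdP can make it silent); it is never treated as proof of identity by itself.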


