[OpenID] Sharing OpenID between sites (and APIs)

Eran Sandler eran at sandler.co.il
Mon Jan 29 18:05:57 UTC 2007

George, you are correct, and perhaps I didn't say it before, but this was
considering the fact that I already signed up to these sites using OpenID.


So if I'm signed up with OpenID (specifically the same one) to LiveJournal
and to Zooomr I will be able to switch between the two seamlessly as long as
I'm authenticated at my OpenID server.

The trick that I was referring to is to overcome the limitation of cookies
being bound to a domain.


Having a plugin like Sxipper is great, but it's a plugin and people need to
download and install it, and if we want OpenID to get to a greater audience,
perhaps things like the planned integration with Firefox 3.0 are the way to
go (though I haven't read any of its details yet).




From: George Fletcher [mailto:gffletch at aol.com] 
Sent: Monday, January 29, 2007 7:42 PM
To: Tan, William
Cc: Eran Sandler; general at openid.net
Subject: Re: [OpenID] Sharing OpenID between sites (and APIs)



As a user I don't want my OpenID propagated to another site for
Single-Sign-on without the option to determine whether I want to be
authenticated at that site or not.  Just because I can be authenticated at a
site (e.g. digg or slashdot) doesn't mean I want to be.

Existing browser form fills (or the sxipper <http://www.sxipper.com>
plugin) do this already by recognizing the OpenID form field and offering to
automatically fill it in.  This means I don't have to type it in every time
and yet allows me the flexibility to determine when I want to authenticate
and when I don't.


Tan, William wrote:

However, an RP (or OP) wouldn't randomly link to another site giving it 
the openid_url of the logged in user since that would be a huge security 
concern. I assume the use case is for keeping the user logged in within 
affiliated sites only, kind of like moving between gmail and gcalendar 
or something like that.
If the first RP that appends the openid_url parameter can be certain 
that the target will process it and then redirect away to a URL with no 
private information, then that's fine.
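
The hand-off discussed in this thread, sketched as an added example that is not part of the original messages: the sending RP appends `openid_url` only for affiliated sites, and the receiving RP reads it and computes a redirect target without it. The host names, the allowlist and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Hypothetical allowlist of affiliated relying parties (constructed hosts).
AFFILIATED_HOSTS = {"photos.example.com", "blog.example.com"}
PARAM = "openid_url"


def build_handoff_link(target_url, openid_url):
    """Sending RP: append openid_url only on HTTPS links to affiliated hosts."""
    parts = urlsplit(target_url)
    if parts.scheme != "https" or parts.hostname not in AFFILIATED_HOSTS:
        return target_url  # unaffiliated site: the identifier is never sent
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != PARAM]
    query.append((PARAM, openid_url))
    return urlunsplit(parts._replace(query=urlencode(query)))


def receive_handoff(request_url):
    """Receiving RP: return (identifier_hint, clean_url).

    The hint is untrusted input. It only selects which identifier to start a
    normal OpenID authentication with; it never logs anyone in by itself.
    clean_url is where the RP redirects afterwards, so the identifier does not
    stay in the address bar, browser history or Referer header.
    """
    parts = urlsplit(request_url)
    hint = None
    kept = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == PARAM:
            candidate = urlsplit(value)
            # Accept the first well-formed http(s) identifier only.
            if hint is None and candidate.scheme in ("http", "https") \
                    and candidate.hostname:
                hint = value
            continue  # drop every copy of the parameter, valid or not
        kept.append((key, value))
    clean = urlunsplit(parts._replace(query=urlencode(kept), fragment=""))
    return hint, clean
```
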