[OpenID] The "keep context" problem
Chris Drake
christopher at pobox.com
Mon Jun 25 08:46:49 UTC 2007
Monday, June 25, 2007, 5:04:17 PM, you wrote:
MA> Chris Drake wrote:
>>
>> I proposed a solution for this last year - if anyone's interested,
>> I'll reiterate. In a nutshell, it requires RPs to publish endpoints
>> better ("reverse resolution") so that scripts and browser agents can
>> accomplish the "Single" bit of "SSO" automatically.
>>
MA> For most purposes, it's sufficient for the RP to simply remember (e.g.
MA> in a cookie) what the user last logged in as and attempt that
MA> authentication quietly in the background when they next visit.
While that would be possible, I think it's better for the solution to
be in the protocol, since greater control can be given to users: some
people won't want this (e.g. if using shared machines), some RPs won't
want it (e.g. banks), and if the IdP handles it, other benefits arise
as well (e.g. 1-click single-sign-up account creation and all the
exciting adoption and marketing/peering opportunities that go with
it).
Basically - forcing thousands/millions of RPs to roll their own cookie
ideas to offer the "Single" bit of "SSO" to OpenID users seems
misplaced to me.
MA> This is roughly the approach employed by Jyte, which I think is
MA> one of the best RP implementations I've seen so far.
My point emphasized - thanks! RPs should not have to expend
development efforts! Aside from the wasted redundant efforts and
disjoint user experiences this creates, it also introduces security
problems. For example: how do I "log out" of every OpenID site I've
used over my last hour at an Internet cafe? Or do I just have to
take my chances that the next customers don't visit Jyte or any
other homebrew RP who didn't realize that OpenID doesn't have such a
feature yet?
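For readers unfamiliar with the "remember the last identity in a cookie and retry quietly" approach debated above, here is an added sketch of the RP side (not code from Jyte or from anyone on this thread); the cookie name and the example URLs are assumptions, and the logout helper shows why clearing the RP's own cookie does nothing for the OP session or other RPs.

```python
from urllib.parse import urlencode, parse_qs

OPENID_NS = "http://specs.openid.net/auth/2.0"
REMEMBER_COOKIE = "openid_last_identity"  # hypothetical cookie name chosen for this example


def immediate_request(cookies, op_endpoint, return_to, realm):
    """Build a checkid_immediate request (no user interaction) from the
    identifier this RP remembered in its cookie; None if nothing remembered."""
    identity = cookies.get(REMEMBER_COOKIE)
    if not identity:
        return None
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_immediate",
        "openid.claimed_id": identity,
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    return op_endpoint + "?" + urlencode(params)


def handle_response(query_string):
    """Classify the OP's reply to the quiet attempt: 'id_res' means the user
    was authenticated silently, 'setup_needed' means the OP wants interaction
    and the RP should fall back to a normal checkid_setup login."""
    q = {k: v[0] for k, v in parse_qs(query_string).items()}
    if q.get("openid.ns") != OPENID_NS:
        return "invalid"
    mode = q.get("openid.mode")
    if mode == "setup_needed":
        return "setup_needed"
    if mode == "id_res" and q.get("openid.claimed_id"):
        # A real RP must still verify openid.sig, return_to and the nonce
        # before trusting this; that verification is omitted here.
        return "id_res"
    return "invalid"


def rp_logout(cookies):
    """Forget the remembered identifier. This only clears this RP's memory:
    the OP's own session and every other RP's session are untouched, which
    is exactly the shared-machine gap the thread complains about."""
    cookies.pop(REMEMBER_COOKIE, None)
    return cookies
```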