[OpenID] OpenID and webmail

Peter Williams pwilliams at rapattoni.com
Fri Sep 7 14:45:38 UTC 2007


Isn't this what I was doing with idp proxying? Openid auth flow that invokes and waits on an sp-initiated saml flow as its means of completing local user auth.

User logs on to aol.

User links out to webmail, cites aol openid. Webmail thread on aol connection accesses imap (citing openid).

Imap server connection block spawns http thread, invoking discovery which identifies webmail as an op. Thread invokes openid auth with webmail - which as op Must do user auth (locally defined, by spec).

Webmail local auth decides to proxy. It therefore does new discovery, and openid auth with aol. As op, aol does local user auth. Aol starts a cascade of responses:

Positive assertion 1 aol to webmail
Positive assertion 2 webmail to imap

This assumes the imap server has an openid endpoint, of course. Once imap session exists, webmail imap client endpoint pulls mbox over imap into its own user mailstore. Additional openid token/extensions from aol grant user access to services in the webmail message store (e.g. s/mime decryption of message content).

What part of the problem makes such op proxying inappropriate? I believe - in the saml-based websso world - vendors have formal compliance tests on the idp proxying feature set of the protocol. Back to back op proxying via openid auth chaining (via solicited auth) would seem to be the exact same flow pattern.

-----Original Message-----
From: "Webtech" <webtech at get-telecom.fr>
To: "general at openid.net" <general at openid.net>
Sent: 9/7/07 2:15 AM
Subject: [OpenID] OpenID and webmail

Hi,

when you use OpenID with a webmail that needs access to an IMAP server, 
you have a problem: you don't have the user password.
For example, you're logged in to a web application WEB1, you open the 
webmail WEB2 without authentication, but the webmail needs user and 
password for IMAP authentication...

Using CAS, there's a solution with "proxy CAS" and proxy tickets, but I 
haven't found a similar solution with OpenID.

Is there someone who can help me?

Thanks.


