[OpenID] OpenID and webmail

George Fletcher gffletch at aol.com
Fri Sep 7 19:50:10 UTC 2007


If I understood correctly, this chaining should work... except that it 
makes the IMAP server have to know about OpenID and speak the OpenID 
protocol.  If the IMAP server is doing that, it could just do a 
check_immediate on the OpenID passed to it via the IMAP protocol and get 
a valid assertion back from the OP. The IMAP server would then know the 
user is authenticated and could return the mail via the IMAP connection.

Of course, this also implies some level of identifier federation between 
the OpenID and the email identifier.

It would be great if the webmail app could get some authentication token 
it could pass to the IMAP server in place of the password that the IMAP 
server would trust.  There are a few OpenID extension efforts in this 
area but no consensus yet.

Thanks,
George

Peter Williams wrote:
> Isn't this what I was doing with idp proxying? Openid auth flow that invokes and waits on an sp-initiated saml flow as its means of completing local user auth.
>
> User logs on to aol.
>
> User links out to webmail, cites aol openid. Webmail thread on aol connection accesses imap (citing openid)
>
> Imap server connection block spawns http thread, invoking discovery which identifies webmail as a op. Thread invokes openid auth with webmail - which as op Must do user auth (locally defined, by spec).
>
> Webmail local auth decides to proxy. It therefore does new discovery, and openid auth with aol. As op, aol does local user auth. Aol starts a cascade of responses:
>
> Positive assertion 1 aol to webmail
> Positive assertion 2 webmail to imap
>
> This assumes the imap server has an openid endpoint, of course. Once imap session exists, webmail imap client endpoint pulls mbox over imap into its own user mailstore. Additional openid token/extensions from aol grant user access to services in the webmail message store (e.g. s/mime decryption of message content)
>
> What part of the problem makes such op proxying inappropriate? I believe - in the saml-based websso world - vendors have formal compliance tests on the idp proxying feature set of the protocol. Back to back op proxying via openid auth chaining (via solicited auth) would seem to be the exact same flow pattern.
>
> -----Original Message-----
> From: "Webtech" <webtech at get-telecom.fr>
> To: "general at openid.net" <general at openid.net>
> Sent: 9/7/07 2:15 AM
> Subject: [OpenID] OpenID and webmail
>
> Hi,
>
> when you use OpenID with a webmail that needs access to an IMAP server, 
> you have a problem: you don't have the user password.
> For example, you're logged in to a web application WEB1, you open the 
> webmail WEB2 without authentication, but the webmail needs user and 
> password for IMAP authentication...
>
> Using CAS, there's a solution with "proxy CAS" and proxy tickets, but I 
> haven't found a similar solution with OpenID.
>
> Is there someone to help me?
>
> Thanks.
>
>
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general

-- 
Chief Architect                   AIM:  gffletch
Identity Services                 Work: george.fletcher at corp.aol.com
AOL LLC                           Home: gffletch at aol.com
Mobile: +1-703-462-3494
Office: +1-703-265-2544           Blog: http://practicalid.blogspot.com
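A constructed model of the two-hop cascade Peter describes (positive assertion 1 aol to webmail, positive assertion 2 webmail to imap), added here as an example; it is not code from the thread or from any OpenID library, and the endpoint URLs and association keys are made up. Signing is an HMAC over a listed field set in the spirit of openid.signed/openid.sig, not the OpenID 2.0 wire format, so that the checks each relying hop should make (signature coverage, return_to, nonce replay) can be shown.

```python
"""Constructed model of the two-hop assertion cascade from the thread:
aol (OP) -> webmail (acting as OP proxy) -> IMAP server (relying party).
Not OpenID 2.0 wire-compatible; it keeps the shape of an openid.signed /
openid.sig positive assertion so the per-hop checks can be shown."""
import hashlib, hmac, secrets, time

def sign(fields: dict, key: bytes) -> dict:
    """Return fields plus 'signed' (field list) and 'sig' (HMAC over those fields)."""
    signed = sorted(fields)
    msg = "\n".join(f"{k}:{fields[k]}" for k in signed).encode()
    return {**fields, "signed": ",".join(signed),
            "sig": hmac.new(key, msg, hashlib.sha256).hexdigest()}

def verify(assertion: dict, key: bytes, my_return_to: str, seen_nonces: set) -> bool:
    """Checks a relying party must make before trusting a positive assertion."""
    signed = assertion["signed"].split(",")
    # Every security-relevant field must be covered by the signature.
    if not {"identity", "return_to", "response_nonce", "op_endpoint"} <= set(signed):
        return False
    msg = "\n".join(f"{k}:{assertion[k]}" for k in signed).encode()
    if not hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).hexdigest(), assertion["sig"]):
        return False
    if assertion["return_to"] != my_return_to:      # assertion was meant for another RP
        return False
    if assertion["response_nonce"] in seen_nonces:  # replayed assertion
        return False
    seen_nonces.add(assertion["response_nonce"])
    return True

def positive_assertion(op_endpoint: str, identity: str, return_to: str, key: bytes) -> dict:
    nonce = f"{int(time.time())}Z{secrets.token_hex(4)}"
    return sign({"mode": "id_res", "op_endpoint": op_endpoint, "identity": identity,
                 "return_to": return_to, "response_nonce": nonce}, key)

def cascade(identity: str) -> str:
    """Assertion 1 aol -> webmail, then assertion 2 webmail -> imap; returns the outcome."""
    k_aol_webmail, k_webmail_imap = secrets.token_bytes(32), secrets.token_bytes(32)  # associations
    webmail_seen, imap_seen = set(), set()
    a1 = positive_assertion("https://op.aol.example/", identity, "https://webmail.example/return", k_aol_webmail)
    if not verify(a1, k_aol_webmail, "https://webmail.example/return", webmail_seen):
        return "webmail rejected assertion 1"
    # Webmail, now acting as OP, re-asserts the same identity to the IMAP server's endpoint.
    a2 = positive_assertion("https://webmail.example/op", a1["identity"], "https://imap.example/openid", k_webmail_imap)
    if not verify(a2, k_webmail_imap, "https://imap.example/openid", imap_seen):
        return "imap rejected assertion 2"
    if verify(a2, k_webmail_imap, "https://imap.example/openid", imap_seen):
        return "imap accepted a replayed assertion"
    return "authenticated"
```

The IMAP hop only ever sees the webmail server's key, so it trusts aol only transitively through webmail; that trust placement is the identifier-federation question George raises above.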
