[OpenID] How to prove identity without leaving RP?

Jean-Noel Colin jn.colin at gmail.com
Wed Apr 9 04:19:59 UTC 2008


Thanks.
In this scenario, the user first visits the OP; what I had in mind is
more: is it possible for a user to submit his credentials directly on
the RP page (even if the login form is an iframe to the OP or any
other 'clever' mechanism)?

Personally, I don't think submitting credentials from the RP is a good  
idea, and would even be a security breach of the model, IMHO. But it  
seems that our usability people consider that as a plus.

Jean-Noel

On 08 Apr 2008, at 22:54, Peter Williams wrote:
> User logs on to OP, e.g. openid.trustbearer.com/jean-noel.
>
> User clicks on link on OP page, to visit RP page.
>
> RP landing page detects no session cookie and thus uses JavaScript
> to allocate a new (separately scheduled) HTTPRequest class, which
> asynchronously redirects itself to the OP using OpenID auth
> parameters (and an existing association with the OP, determined
> perhaps from the HTTP fields or the user id). The OP responds with a
> redirect, based on the fact that the user has an existing session on
> the OP. The RP event handling system signals the HTTP object, whose
> JavaScript allows the landing page login event to fire and continue to
> post-login pages.
>
> From: Jean-Noel Colin
> Sent: Tue 4/8/2008 12:10 PM
> To: general at openid.net
> Subject: [OpenID] How to prove identity without leaving RP?
>
> Hi
>
> The OpenID Auth 2.0 specs mention in the abstract that it should be
> possible for an end user to 'prove their identity to a relying party
> without having to leave their current web page'.
>
> Of course, this sounds more user-friendly than sending the user to the
> OP's page to authenticate, then back to the RP's page.
>
> However, I don't quite understand how this is technically feasible.
> The specs mention AJAX-style setup
>
> Another unclear statement is found later in the doc: "An example of a
> situation where interaction between the end user and the OP is not
> desired is when the authentication request is happening asynchronously
> in JavaScript." How is this possible?
>
> Thanks a lot for clarifying this
>
> Best regards
>
> Jean-Noel Colin
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
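
An added illustration, not part of the thread or of any poster's code: the background round trip described in the quoted reply corresponds to OpenID 2.0's `checkid_immediate` mode, where the OP either asserts the identity from an existing session or answers `setup_needed` without showing UI. The sketch shows the RP side only; the `op.example` and `rp.example` hosts, the paths and the association handle are assumptions made up for the example.

```javascript
// Added example: the RP side of an OpenID 2.0 immediate-mode round trip.
// Hosts, paths and the association handle are constructed sample values.
const OPENID_NS = "http://specs.openid.net/auth/2.0";

// URL the RP page loads in the background (hidden iframe or similar).
// checkid_immediate tells the OP to answer without showing any UI.
function buildImmediateRequest(opEndpoint, claimedId, returnTo, realm, assocHandle) {
  const url = new URL(opEndpoint);
  const p = url.searchParams;
  p.set("openid.ns", OPENID_NS);
  p.set("openid.mode", "checkid_immediate");
  p.set("openid.claimed_id", claimedId);
  p.set("openid.identity", claimedId);
  p.set("openid.return_to", returnTo);
  p.set("openid.realm", realm);
  if (assocHandle) p.set("openid.assoc_handle", assocHandle);
  return url.toString();
}

// Classify the URL the OP redirected the background request to.
// "candidate" is not a login: the RP server must still verify openid.sig
// (and the nonce) before it creates a session.
function classifyResponse(responseUrl, expectedReturnTo, expectedClaimedId) {
  const p = new URL(responseUrl).searchParams;
  if (p.get("openid.ns") !== OPENID_NS) return "invalid";
  const mode = p.get("openid.mode");
  if (mode === "setup_needed") return "needs_interaction"; // no OP session
  if (mode !== "id_res") return "invalid";
  if (p.get("openid.return_to") !== expectedReturnTo) return "invalid";
  if (p.get("openid.claimed_id") !== expectedClaimedId) return "invalid";
  if (!p.get("openid.signed") || !p.get("openid.sig")) return "invalid";
  return "candidate";
}

// Constructed sample: what an OP with no session for the user sends back.
const RETURN_TO = "https://rp.example/openid/return";
const CLAIMED_ID = "https://op.example/jean-noel";
const request = buildImmediateRequest("https://op.example/auth", CLAIMED_ID,
  RETURN_TO, "https://rp.example/", "sample-handle");
const noSession = RETURN_TO + "?openid.ns=" + encodeURIComponent(OPENID_NS) +
  "&openid.mode=setup_needed";
console.log(request);
console.log(classifyResponse(noSession, RETURN_TO, CLAIMED_ID));
```

In this flow the password is only ever typed on the OP's own page; the RP page handles nothing but the signed redirect parameters.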
