[OpenID] How to prove identity without leaving RP?
Peter Williams
pwilliams at rapattoni.com
Wed Apr 9 21:40:05 UTC 2008
I saw that myopenid had sensibly offered its sign-in-first model (i.e. whether you link out or not from said site, assert you have a session on the op). Just as openid is a variant of the sp-initiated websso flow, sign-in implements the "ispassive control". That is, the rp can expect to obtain a secure signal from the op that the op/user session pre-exists.
-----Original Message-----
From: SitG Admin <sysadmin at shadowsinthegarden.com>
Sent: Wednesday, April 09, 2008 1:48 PM
To: general at openid.net <general at openid.net>
Subject: Re: [OpenID] How to prove identity without leaving RP?
>in this scenario, user first visits the OP; what I had in mind is
>more: is it possible for a user to submit his credentials directly
>on the RP page (even if the login form is an iframe to the OP or any
>other 'clever' mechanism)
Maybe a pop-up window? But that doesn't neatly fit the "never leaving
that page" idea. I'd consider it safe if you were using a password
that only applied to THAT site (so a malicious site couldn't use the
credentials even if it stole them), but that sort of destroys the
whole single-sign-on idea :)
-Shade