[OpenID] Can all Relying Party accept OpenID Provider's Responding without Requesting Authentication?

SitG Admin sysadmin at shadowsinthegarden.com
Mon Sep 8 19:48:08 PDT 2008


>Can all Relying Party accept OpenID Provider's Responding
>without Requesting Authentication?

I assume you're referring to when the user arrives at their OP with a 
specially crafted URL string akin to the one they would receive from 
a Relying Party when initiating login?

No. My tests (using openidenabled.com's PHP library for the Relying 
Party and siege.org's phpMyID library for the OpenID Provider) 
revealed that this is possible, so I explicitly coded around it to 
prevent that. So, while yes it may quite well be possible with many 
Relying Parties, no it is not possible on them ALL.

>It is good for relying party, because OpenID Provider can bring
>pageview to Relying Party.

Keep in mind that the OpenID Provider isn't actually making any GET 
requests to the Relying Party - it's crafting the GET strings that it 
redirects a user to the Relying Party with, but it doesn't make a 
request on its own. It may bring pageviews to the OpenID Provider, 
because the Relying Party will be checking with the OpenID Provider 
to make sure the user's claims are true.

By the way, if you're still dealing with people to whom pageview is 
important enough to be worth cheating on (by counting pages visited 
during the login process), you might want to show them this data:
http://evhead.com/2006/08/pageviews-are-obsolete.asp
http://www.micropersuasion.com/2006/12/the_iminent_dem.html
But then again, maybe not - are these people the kind that would 
engage in a display of gratitude for bringing it to their attention 
or blame you for not saying something earlier?

-Shade
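
One way a Relying Party can refuse responses it never asked for, as an added example that is not part of the original post and not code from either library named in it: the RP stores a one-time token in the user's session when it starts a login and only accepts a response whose return_to carries that token. The `rp_nonce` parameter, the `session` dict and the rp.example URL are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

RETURN_TO = "https://rp.example/openid/return"  # assumed RP endpoint


def begin_login(session, op_endpoint, claimed_id):
    """Start a login: remember a one-time token and embed it in return_to."""
    token = secrets.token_urlsafe(16)
    session.setdefault("pending", set()).add(token)
    return_to = RETURN_TO + "?" + urlencode({"rp_nonce": token})
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
    }
    return op_endpoint + "?" + urlencode(params)


def was_solicited(session, response_params):
    """True only if this response answers a request this session started.

    This check is in addition to verifying the OP's signature on the
    response, which is not shown here.
    """
    if response_params.get("openid.mode") != "id_res":
        return False
    return_to = response_params.get("openid.return_to", "")
    if not return_to.startswith(RETURN_TO + "?"):
        return False
    tokens = parse_qs(urlparse(return_to).query).get("rp_nonce", [])
    if len(tokens) != 1:
        return False
    pending = session.get("pending", set())
    for known in list(pending):
        if hmac.compare_digest(known.encode(), tokens[0].encode()):
            pending.discard(known)  # single use: a replayed response fails
            return True
    return False
```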

