[OpenID] Autologin?

Andrew Arnott andrewarnott at gmail.com
Mon Jun 22 13:30:30 UTC 2009


Hi Mark,
A user's first visit to your site will never be able to auto-login based on
their Google account.  The user must first explicitly log in, including
seeing the Google UI whether by redirect or popup, in order for Google to
know that the user trusts your site enough to log in.  From that point on
(assuming the user left "allow this site to remember me" checked), you can
auto-login that user on that computer by leaving a persistent cookie that
hints to your site that they're a Google user and then you can use OpenID's
checkid_immediate with AJAX to do the background login.  That's roughly what
Facebook is doing.  I wouldn't say it's a polished user experience yet
though.

Out of curiosity, what's your web platform?
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre


On Sun, Jun 21, 2009 at 10:41 PM, Mark Wyszomierski <markww at gmail.com> wrote:

> Hi,
> I'm trying to integrate OpenID into my webapp, but it's working a little
> differently than I expected.
>
> 1) When a new user comes to my site, I have to authenticate them - this
> means they need to either get redirected to their provider, or the provider
> needs to have a popup window capability for authentication while still at my
> site. The redirect is a little jarring, the popup is better, but does anyone
> find that some users are confused by it/think it's a phishing deal?
>
> 2) After authentication is complete, I can write my own session cookie so
> that if the user revisits my site, I can try to automatically log them back
> in to my app without re-authenticating through OpenID. I heard about this
> Facebook/Google deal where if you're logged into Gmail, somehow you're
> already authenticated for Facebook. If this is true, how would this work?
> When I first started looking at OpenID, I was hoping the same could work for
> my webapp. Since most users are logged into Gmail anyway, when they visit my
> site, I could see them as already authenticated with Google and skip step
> #1? This would be similar to an auto-login.
>
> Thanks for any info
>
>
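
Added example, not part of the original message or of any OpenID library: a relying-party sketch of the background login described in the reply above, where a persistent cookie only hints at the provider and an OpenID 2.0 checkid_immediate request does the actual check. The endpoint `op.example`, the `rp.example` URLs, the cookie name `idp_hint` and the `rp_nonce` parameter are assumptions made for illustration.

```javascript
// Constructed values: OP endpoint, realm, return_to and cookie name are assumptions.
const OPENID_NS = 'http://specs.openid.net/auth/2.0';
const OP_ENDPOINT = 'https://op.example/auth';
const REALM = 'https://rp.example/';
const RETURN_TO = 'https://rp.example/openid/return';

// The persistent cookie is only a hint about which provider to ask.
// It never authenticates anyone by itself.
function hintedProvider(cookieHeader) {
  const m = /(?:^|;\s*)idp_hint=([^;]+)/.exec(cookieHeader || '');
  return m ? decodeURIComponent(m[1]) : null;
}

// URL to load in a hidden iframe for the background (immediate) attempt.
function immediateRequestUrl(nonce) {
  const returnTo = new URL(RETURN_TO);
  returnTo.searchParams.set('rp_nonce', nonce); // binds the reply to this attempt
  const params = {
    'openid.ns': OPENID_NS,
    'openid.mode': 'checkid_immediate',
    'openid.claimed_id': OPENID_NS + '/identifier_select',
    'openid.identity': OPENID_NS + '/identifier_select',
    'openid.return_to': returnTo.toString(),
    'openid.realm': REALM,
  };
  const u = new URL(OP_ENDPOINT);
  for (const [k, v] of Object.entries(params)) u.searchParams.set(k, v);
  return u.toString();
}

// Decide what to do with the provider's reply delivered to return_to.
function classifyResponse(returnUrl, expectedNonce) {
  const q = new URL(returnUrl).searchParams;
  if (q.get('rp_nonce') !== expectedNonce) return 'reject';
  const mode = q.get('openid.mode');
  // OpenID 2.0 signals "user interaction needed" with setup_needed;
  // OpenID 1.1 providers used id_res plus openid.user_setup_url.
  if (mode === 'setup_needed') return 'interactive_login_required';
  if (mode === 'id_res' && q.get('openid.user_setup_url')) {
    return 'interactive_login_required';
  }
  // A positive assertion is not a login yet: the server must still verify
  // the signature, openid.response_nonce and openid.return_to.
  if (mode === 'id_res') return 'verify_assertion';
  return 'reject'; // cancel, error, or anything unexpected
}
```

Only a result of `verify_assertion` that then passes server-side verification should create a session; every other outcome falls back to the normal redirect or popup login.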