[OpenID] Autologin?
Mark Wyszomierski
markww at gmail.com
Mon Jun 22 13:41:08 UTC 2009
Hi Andrew and Pete,
Thanks for your answers. That makes sense. I'm developing using Google Web
Toolkit (GWT) with PHP as my backend. Two questions on this though:
1) If the user authenticates once with their OP, then hits "allow this site
to remember me", I guess I'm returned some info from the OP about that
decision. So then I would write a cookie about their decision. What would I
include in the cookie - just their OpenID username/url right? That way when
they visit my site again, I grab the name from the cookie, then just run the
login service again immediately?
2) OpenID looks good and would work well for my webapp, but I also wanted to
make a thick-client for both iPhone and Android - I don't see how I would
use OpenID there - I definitely don't want to have two authentication
systems, one for web users, another for the phone clients, but it looks like
this is kind of what I would need to do? I would think that if I tried using
OpenID on the cell phones, users would think I'm trying to steal their gmail
etc account info?
Thanks,
Mark
On Mon, Jun 22, 2009 at 9:30 AM, Andrew Arnott <andrewarnott at gmail.com> wrote:
> Hi Mark,
> A user's first visit to your site will never be able to auto-login based on
> their Google account. The user must first explicitly log in, including
> seeing the Google UI whether by redirect or popup, in order for Google to
> know that the user trusts your site enough to log in. From that point on
> (assuming the user left "allow this site to remember me" checked), you can
> auto-login that user on that computer by leaving a persistent cookie that
> hints to your site that they're a google user and then you can use OpenID's
> checkid_immediate with AJAX to do the background login. That's roughly what
> Facebook is doing. I wouldn't say it's a polished user experience yet
> though.
>
> Out of curiosity, what's your web platform?
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - S. G. Tallentyre
>
>
> On Sun, Jun 21, 2009 at 10:41 PM, Mark Wyszomierski <markww at gmail.com> wrote:
>
>> Hi,
>> I'm trying to integrate OpenID into my webapp, but it's working a little
>> differently than I expected.
>>
>> 1) When a new user comes to my site, I have to authenticate them - this
>> means they need to either get redirected to their provider, or the provider
>> needs to have a popup window capability for authentication while still at my
>> site. The redirect is a little jarring, the popup is better, but does anyone
>> find that some users are confused by it/think it's a phishing deal?
>>
>> 2) After authentication is complete, I can write my own session cookie so
>> that if the user revisits my site, I can try to automatically log them back
>> in to my app without re-authenticating through openid. I heard about this
>> Facebook/Google deal where if you're logged into gmail, somehow you're
>> already authenticated for Facebook. If this is true, how would this work?
>> When I first started looking at OpenID, I was hoping the same could work for
>> my webapp. Since most users are logged into gmail anyway, when they visit my
>> site, I could see them as already authenticated with Google and skip step
>> #1? This would be similar to an auto-login.
>>
>> Thanks for any info
>
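
The background login discussed in this thread (a persistent hint cookie plus `checkid_immediate`), sketched as an added example that is not part of the original messages. It assumes OpenID 2.0 parameter names; the provider key, endpoint and relying-party URLs, and the function names are constructed for illustration, and the cookie is treated only as a hint that selects a provider from a server-side allow-list.

```javascript
// Added illustration; all names and URLs below are constructed, not from the thread.
const OPENID_NS = "http://specs.openid.net/auth/2.0";
const ID_SELECT = OPENID_NS + "/identifier_select";
// The cookie is client-controlled, so it only selects an entry from this
// server-side allow-list; it never carries an endpoint URL or an identity.
const PROVIDERS = { exampleop: "https://op.example/openid/endpoint" };

// Build the URL for a background (hidden iframe) checkid_immediate attempt.
function buildImmediateRequest(hintCookie, realm, returnTo) {
  if (!Object.prototype.hasOwnProperty.call(PROVIDERS, hintCookie)) return null;
  const url = new URL(PROVIDERS[hintCookie]);
  const params = {
    "openid.ns": OPENID_NS,
    "openid.mode": "checkid_immediate",
    "openid.claimed_id": ID_SELECT,
    "openid.identity": ID_SELECT,
    "openid.return_to": returnTo,
    "openid.realm": realm,
  };
  for (const [k, v] of Object.entries(params)) url.searchParams.set(k, v);
  return url.toString();
}

// Decide what to do with the query string the OP sent back to return_to.
function classifyResponse(query, hintCookie, returnTo) {
  const p = new URLSearchParams(query);
  const mode = p.get("openid.mode");
  // OpenID 2.0 says "setup_needed"; 1.1 used id_res plus user_setup_url.
  if (mode === "setup_needed" || mode === "cancel" || p.has("openid.user_setup_url"))
    return { action: "interactive_login" };
  if (mode !== "id_res") return { action: "reject", reason: "unexpected mode" };
  const required = ["claimed_id", "identity", "op_endpoint", "return_to",
                    "response_nonce", "assoc_handle", "signed", "sig"];
  for (const f of required)
    if (!p.get("openid." + f)) return { action: "reject", reason: "missing " + f };
  if (p.get("openid.op_endpoint") !== PROVIDERS[hintCookie])
    return { action: "reject", reason: "op_endpoint mismatch" };
  if (p.get("openid.return_to") !== returnTo)
    return { action: "reject", reason: "return_to mismatch" };
  // Not a login yet: the signature and nonce still need server-side verification.
  return { action: "verify_signature", claimedId: p.get("openid.claimed_id") };
}
```

A session should be created only after the `verify_signature` step succeeds on the server; the hint cookie alone never authenticates anyone.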