[OpenID] Autologin?
Andrew Arnott
andrewarnott at gmail.com
Mon Jun 22 13:48:57 UTC 2009
OpenID works on mobile phones if it's a web app. For installed applications
(whether desktop or mobile) OpenID doesn't work on the client. There have
been creative ways suggested of making it work, but typically
OAuth <http://oauth.net> is how to enable the installed app scenario.
When you're using OAuth there,
the installed app doesn't really care how the user authenticates to your
site (so you can still use OpenID there if you want), yet it allows that app
to access some user's private data at the web site/service.
If you haven't heard of OAuth, rather than giving you a rundown here, I
suggest you read up on the link and then hit the oauth at googlegroups.com list
with follow-up questions.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre
On Mon, Jun 22, 2009 at 6:41 AM, Mark Wyszomierski <markww at gmail.com> wrote:
> Hi Andrew and Pete,
> Thanks for your answers. That makes sense. I'm developing using Google Web
> Toolkit (GWT) with PHP as my backend. Two questions on this though:
>
> 1) If the user authenticates once with their OP, then hits "allow this site
> to remember me", I guess I'm returned some info from the OP about that
> decision. So then I would write a cookie about their decision. What would I
> include in the cookie - just their OpenID username/url right? That way when
> they visit my site again, I grab the name from the cookie, then just run the
> login service again immediately?
>
> 2) OpenID looks good and would work well for my webapp, but I also wanted
> to make a thick-client for both iPhone and Android - I don't see how I would
> use OpenID there - I definitely don't want to have two authentication
> systems, one for web users, another for the phone clients, but it looks like
> this is kind of what I would need to do? I would think that if I tried using
> OpenID on the cell phones, users would think I'm trying to steal their gmail
> etc account info?
>
> Thanks,
> Mark
>
>
> On Mon, Jun 22, 2009 at 9:30 AM, Andrew Arnott <andrewarnott at gmail.com> wrote:
>
>> Hi Mark,
>> A user's first visit to your site will never be able to auto-login based
>> on their Google account. The user must first explicitly log in, including
>> seeing the Google UI whether by redirect or popup, in order for Google to
>> know that the user trusts your site enough to log in. From that point on
>> (assuming the user left "allow this site to remember me" checked), you can
>> auto-login that user on that computer by leaving a persistent cookie that
>> hints to your site that they're a google user and then you can use OpenID's
>> checkid_immediate with AJAX to do the background login. That's roughly what
>> Facebook is doing. I wouldn't say it's a polished user experience yet
>> though.
>>
>> Out of curiosity, what's your web platform?
>> --
>> Andrew Arnott
>> "I [may] not agree with what you have to say, but I'll defend to the death
>> your right to say it." - S. G. Tallentyre
>>
>>
>> On Sun, Jun 21, 2009 at 10:41 PM, Mark Wyszomierski <markww at gmail.com> wrote:
>>
>>> Hi,
>>> I'm trying to integrate OpenID into my webapp, but it's working a little
>>> differently than I expected.
>>>
>>> 1) When a new user comes to my site, I have to authenticate them - this
>>> means they need to either get redirected to their provider, or the provider
>>> needs to have a popup window capability for authentication while still at my
>>> site. The redirect is a little jarring, the popup is better, but does anyone
>>> find that some users are confused by it/think it's a phishing deal?
>>>
>>> 2) After authentication is complete, I can write my own session cookie so
>>> that if the user revisits my site, I can try to automatically log them back
>>> in to my app without re-authenticating through openid. I heard about this
>>> Facebook/Google deal where if you're logged into gmail, somehow you're
>>> already authenticated for Facebook. If this is true, how would this work?
>>> When I first started looking at OpenID, I was hoping the same could work for
>>> my webapp. Since most users are logged into gmail anyway, when they visit my
>>> site, I could see them as already authenticated with Google and skip step
>>> #1? This would be similar to an auto-login.
>>>
>>> Thanks for any info
>
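
The cookie-hint plus checkid_immediate flow discussed in this thread, as an added example that is not part of the original messages or of any OpenID library. It assumes the cookie stores the claimed identifier from the user's last verified login, that the OP endpoint was already found by discovery, and that no delegation is in use; the cookie name `openid_hint`, the `example` URLs and all function names are hypothetical.

```javascript
// Added example. Cookie name, URLs and function names are assumptions.
const OPENID_NS = 'http://specs.openid.net/auth/2.0';

// The cookie is only a hint about which identifier to try in the background.
// It is never treated as proof of identity on its own.
function readHint(cookieHeader, name = 'openid_hint') {
  for (const part of (cookieHeader || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0 && part.slice(0, i).trim() === name) {
      try { return decodeURIComponent(part.slice(i + 1).trim()); } catch { return null; }
    }
  }
  return null;
}

// Build the OpenID 2.0 request that asks the OP to answer without showing UI.
function buildImmediateRequest(opEndpoint, claimedId, returnTo, realm) {
  const url = new URL(opEndpoint);
  if (url.protocol !== 'https:') throw new Error('OP endpoint must be https');
  const p = url.searchParams;
  p.set('openid.ns', OPENID_NS);
  p.set('openid.mode', 'checkid_immediate');
  p.set('openid.claimed_id', claimedId);
  p.set('openid.identity', claimedId); // no delegation assumed
  p.set('openid.return_to', returnTo);
  p.set('openid.realm', realm);
  return url.toString();
}

// Classify the OP's answer arriving at return_to.
// 'verify-signature' means the backend must still validate the assertion
// (signature, nonce, return_to) before it creates a session.
function classifyResponse(returnUrl, hintedId) {
  const q = new URL(returnUrl).searchParams;
  const mode = q.get('openid.mode');
  // The OP cannot answer silently: fall back to the visible redirect or popup.
  if (mode === 'setup_needed' || mode === 'cancel') return 'interactive-login';
  if (mode !== 'id_res') return 'reject';
  // An assertion about a different identifier than the hinted one is refused.
  if (q.get('openid.claimed_id') !== hintedId) return 'reject';
  return 'verify-signature';
}
```

The session cookie is issued only after the backend has verified the positive assertion; the hint cookie by itself never logs anyone in.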