[OpenID] Autologin?

Mark Wyszomierski markww at gmail.com
Mon Jun 22 13:52:31 UTC 2009


Ok thanks a lot,
Mark

On Mon, Jun 22, 2009 at 9:48 AM, Andrew Arnott <andrewarnott at gmail.com> wrote:

> OpenID works on mobile phones if it's a web app.  For installed
> applications (whether desktop or mobile) OpenID doesn't work on the client.
>  There have been creative ways suggested of making it work, but typically
> OAuth <http://oauth.net> is how to enable the installed app scenario.
>  When you're using OAuth there, the installed app doesn't really care how
> the user authenticates to your site (so you can still use OpenID there if
> you want), yet it allows that app to access some user's private data at the
> web site/service.
> If you haven't heard of OAuth, rather than giving you a rundown here, I
> suggest you read up on the link and then hit the oauth at googlegroups.com list with follow-up questions.
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - S. G. Tallentyre
>
>
> On Mon, Jun 22, 2009 at 6:41 AM, Mark Wyszomierski <markww at gmail.com> wrote:
>
>> Hi Andrew and Pete,
>> Thanks for your answers. That makes sense. I'm developing using Google Web
>> Toolkit (GWT) with PHP as my backend. Two questions on this though:
>>
>> 1) If the user authenticates once with their OP, then hits "allow this
>> site to remember me", I guess I'm returned some info from the OP about that
>> decision. So then I would write a cookie about their decision. What would I
>> include in the cookie - just their OpenID username/url right? That way when
>> they visit my site again, I grab the name from the cookie, then just run the
>> login service again immediately?
>>
>> 2) OpenID looks good and would work well for my webapp, but I also wanted
>> to make a thick-client for both iPhone and Android - I don't see how I would
>> use OpenID there - I definitely don't want to have two authentication
>> systems, one for web users, another for the phone clients, but it looks like
>> this is kind of what I would need to do? I would think that if I tried using
>> OpenID on the cell phones, users would think I'm trying to steal their gmail
>> etc account info?
>>
>> Thanks,
>> Mark
>>
>>
>> On Mon, Jun 22, 2009 at 9:30 AM, Andrew Arnott <andrewarnott at gmail.com> wrote:
>>
>>> Hi Mark,
>>> A user's first visit to your site will never be able to auto-login based
>>> on their Google account.  The user must first explicitly log in, including
>>> seeing the Google UI whether by redirect or popup, in order for Google to
>>> know that the user trusts your site enough to log in.  From that point on
>>> (assuming the user left "allow this site to remember me" checked), you can
>>> auto-login that user on that computer by leaving a persistent cookie that
>>> hints to your site that they're a google user and then you can use OpenID's
>>> checkid_immediate with AJAX to do the background login.  That's roughly what
>>> Facebook is doing.  I wouldn't say it's a polished user experience yet
>>> though.
>>>
>>> Out of curiosity, what's your web platform?
>>> --
>>> Andrew Arnott
>>> "I [may] not agree with what you have to say, but I'll defend to the
>>> death your right to say it." - S. G. Tallentyre
>>>
>>>
>>> On Sun, Jun 21, 2009 at 10:41 PM, Mark Wyszomierski <markww at gmail.com> wrote:
>>>
>>>> Hi,
>>>> I'm trying to integrate OpenID into my webapp, but it's working a little
>>>> differently than I expected.
>>>>
>>>> 1) When a new user comes to my site, I have to authenticate them - this
>>>> means they need to either get redirected to their provider, or the provider
>>>> needs to have a popup window capability for authentication while still at my
>>>> site. The redirect is a little jarring, the popup is better, but does anyone
>>>> find that some users are confused by it/think it's a phishing deal?
>>>>
>>>> 2) After authentication is complete, I can write my own session cookie
>>>> so that if the user revisits my site, I can try to automatically log them
>>>> back in to my app without re-authenticating through openid. I heard about
>>>> this Facebook/Google deal where if you're logged into gmail, somehow you're
>>>> already authenticated for Facebook. If this is true, how would this work?
>>>> When I first started looking at OpenID, I was hoping the same could work for
>>>> my webapp. Since most users are logged into gmail anyway, when they visit my
>>>> site, I could see them as already authenticated with Google and skip step
>>>> #1? This would be similar to an auto-login.
>>>>
>>>> Thanks for any info
>>>>
>>>> _______________________________________________
>>>> general mailing list
>>>> general at openid.net
>>>> http://openid.net/mailman/listinfo/general
>>>>
>>>>
>>>
>>
>
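
The auto-login flow discussed in this thread (a persistent hint cookie, then a background checkid_immediate request), sketched as an added example that is not part of the original messages or any participant's code. It assumes OpenID 2.0; the cookie name `openid_hint`, the function names and all URLs are hypothetical.

```javascript
// Added example. Assumes OpenID 2.0; cookie name, function names and URLs are hypothetical.
const OPENID2_NS = 'http://specs.openid.net/auth/2.0';

// The persistent cookie is only a hint about which identifier to try.
// It never logs anyone in by itself, so it is parsed as untrusted input.
function identifierFromHintCookie(cookieHeader) {
  const m = /(?:^|;\s*)openid_hint=([^;]+)/.exec(cookieHeader || '');
  if (!m) return null;
  try {
    const u = new URL(decodeURIComponent(m[1]));
    return (u.protocol === 'https:' || u.protocol === 'http:') ? u.href : null;
  } catch (e) {
    return null; // malformed value: fall back to the normal login page
  }
}

// URL loaded in the background (hidden iframe or popup) for the silent attempt.
function buildImmediateRequest(opEndpoint, identifier, returnTo, realm) {
  const url = new URL(opEndpoint);
  const p = url.searchParams;
  p.set('openid.ns', OPENID2_NS);
  p.set('openid.mode', 'checkid_immediate');
  p.set('openid.claimed_id', identifier);
  p.set('openid.identity', identifier);
  p.set('openid.return_to', returnTo);
  p.set('openid.realm', realm);
  return url.href;
}

// Decide what the return_to handler does with the OP's answer.
function classifyImmediateResponse(query, expectedReturnTo, hintedIdentifier) {
  const q = new URLSearchParams(query);
  const mode = q.get('openid.mode');
  // The OP cannot answer without user interaction: show the normal login UI.
  if (mode === 'setup_needed') return 'show_login_ui';
  if (mode !== 'id_res' || q.get('openid.ns') !== OPENID2_NS) return 'reject';
  if (q.get('openid.return_to') !== expectedReturnTo) return 'reject';
  // Policy choice of this example: only accept the identifier the hint named.
  if (q.get('openid.claimed_id') !== hintedIdentifier) return 'reject';
  if (!q.get('openid.sig') || !q.get('openid.response_nonce')) return 'reject';
  // Nothing is authenticated yet: the signature and nonce must still be checked
  // server-side before a session is created.
  return 'verify_signature_and_nonce';
}
```

The last return value is deliberately not "logged in": the session is created only after the server has verified the assertion's signature and nonce, which a maintained OpenID library should handle.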