[OpenID] Automatic login with checkid_immediate

André Luís andreluis.pt at gmail.com
Wed May 20 23:30:23 UTC 2009


On Wed, May 20, 2009 at 5:36 PM, Chris Messina <chris.messina at gmail.com> wrote:
> On Wed, May 20, 2009 at 9:28 AM, SitG Admin
> <sysadmin at shadowsinthegarden.com> wrote:
>>>
>>> If you're signed in to your Gmail account and you use your Gmail account
>>> as your OpenID, why wouldn't you want to automatically be signed in to all
>>> the sites that you've linked your Gmail identity to (that's rhetorical - I
>>> can think of reasons too)?
>>
>> The only one occurring to me is privacy. From a security perspective, if
>> various RPs will accept OpenID logins from the terminal you're at as having
>> your Google identity, without Google requiring further verification from the
>> user at this terminal (only PRESUMED to be you), there is no difference
>> between being logged out of a given RP and being logged back in - because
>> you still CAN log back in, or anyone with access to the same terminal can,
>> without any further verification.
>
> Two responses:
> 1. most OPs allow you to specify something like "Remember this decision" —
> which means that you don't want to be asked the next time that RP tries to
> sign you in again. This keeps this flow in your control (as
> checkid_immediate would fail).

Right, but can't we have a middle ground? I want my OP to remember my
authorization of Facebook... but I don't want to be briskly dragged
into Facebook without realizing I got in *because* I have a session
started on my OpenID provider.
(Yes, the technical jargon need not be used, but you get the point :) )

> 2. Since you must manually associate or link your accounts, you shouldn't do
> so if you don't want the automatic sign in behavior. In other words, unless
> you've already linked your Google and Facebook account, you won't get the
> benefit of automatic sign in, so you do so intentionally.

But I want to use my session on my provider to log into Facebook. I
just don't want the *automatic* part. Are you saying that if I don't
want it to automatically pull me in, I should just not use OpenID at all?

>
> There does appear to be a need to better specify, from a user experience and
> language perspective, how to handle the "public terminal" (what I call the
> "Apple store situation") case, where the browser session might be shared or
> accessed by other people.
> Still, that's largely covered by links that say things like "Not [other
> person's name]? Sign in as a different user."
>
> This doesn't prevent someone from accessing your account or pretending to be
> you, but if someone wants to hack in to your account, they'll figure it out
> somehow — leaving yourself signed in accidentally is probably more of an
> annoyance for someone else that wants to access her account than a real
> security issue that can be addressed technologically (besides having best
> practices around time out and stuff like that).
> Chris

Right, that I agree with. But if I have 3 linked accounts on Facebook, I
should be able to tell which one brought me in so that after I log out
of Facebook I *know* which one I need to log out of as well.

Does this make sense?

Cheers,
--
André Luís
http://andr3.net
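As an added example, not code from this thread or from any OpenID library: a toy Python model of the OP decision Chris describes (checkid_immediate only succeeds when the approval was remembered), the "remembered but confirm" middle ground André asks for, and an RP that records which of the user's linked identities actually signed them in so the logout page can name it. The TrustPolicy values, function names and example.com-style URLs are this example's own assumptions; the openid.mode values are the protocol's.

```python
from enum import Enum
from typing import Dict, Optional


class TrustPolicy(Enum):
    """Trust decision the OP has stored for one relying party (assumed names)."""
    ASK = "ask"          # nothing remembered: every sign-in goes through the OP page
    AUTO = "auto"        # "Remember this decision": silent sign-in is allowed
    CONFIRM = "confirm"  # middle ground: RP remembered, but a click is still required


def op_checkid_immediate(logged_in_user: Optional[str],
                         trust: Dict[str, TrustPolicy],
                         realm: str) -> dict:
    """OP side. checkid_immediate forbids interacting with the user, so only an
    existing OP session plus a remembered AUTO approval for this realm yields a
    positive assertion; anything else is setup_needed, after which the RP falls
    back to the interactive checkid_setup flow (OpenID 2.0, section 10.2).
    The CONFIRM policy therefore behaves like ASK here: the user is still
    sent to the OP, but would see a one-click confirmation rather than a full
    consent page in the setup flow (that page is not modelled)."""
    if logged_in_user is None:
        return {"openid.mode": "setup_needed"}
    if trust.get(realm, TrustPolicy.ASK) is not TrustPolicy.AUTO:
        return {"openid.mode": "setup_needed"}
    return {"openid.mode": "id_res", "openid.claimed_id": logged_in_user}


def rp_handle_response(rp_session: dict, response: dict) -> str:
    """RP side. On a positive assertion, remember *which* OpenID brought the
    user in, so that logging out of the RP can tell the user which OP session
    is still alive. Signature verification is omitted; a real RP checks the
    assertion's signature before trusting openid.claimed_id."""
    if response.get("openid.mode") != "id_res":
        rp_session.pop("signed_in_via", None)
        return "checkid_setup"  # next step: send the user to the OP interactively
    rp_session["signed_in_via"] = response["openid.claimed_id"]
    return "signed_in"


if __name__ == "__main__":
    # Constructed sample data: one user, two RPs with different stored policies.
    trust = {"https://social.example/": TrustPolicy.AUTO,
             "https://shop.example/": TrustPolicy.CONFIRM}
    session: dict = {}
    reply = op_checkid_immediate("https://alice.example/", trust, "https://social.example/")
    print(rp_handle_response(session, reply), session)   # signed in, identity recorded
    reply = op_checkid_immediate("https://alice.example/", trust, "https://shop.example/")
    print(rp_handle_response(session, reply), session)   # setup needed, nothing recorded
```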