[OpenID] The difference between "Allow Once" and "Allow Forever" when logging in for the first time
John Bradley
ve7jtb at ve7jtb.com
Fri Jan 7 15:35:07 UTC 2011
If you tell your OP (claimedID) to trust the RP then you will not get prompted with the warning that you are logging into that site by your OP the next time you log in to the site.
If you stay logged in to your OP like many people do with Google and other OPs, then the RP can use a special OpenID flow to log you into their site without you being prompted by your OP each time.
Facebook used that flow for their RP.
In all cases if you are not logged into your OP you will be prompted.
This is for the case where you are already logged in to the OP.
Saying yes to the question cuts out a step for sites that you return to on a regular basis.
The reason for the prompt is that it keeps sites you don't intend to log into from sending the same message and getting your OpenID without your knowledge.
John B.
On 2011-01-07, at 3:24 AM, Jason Spiro wrote:
> Hi all,
>
> Thanks for designing OpenID. I'm an Internet user and would like help
> understanding the difference between providers' "Allow Once" and "Allow Forever"
> buttons.
>
> Today, I went to www.superuser.com -- which is a sort of web forum. I'd never
> contributed to superuser.com. When I tried to contribute, it asked me to log in
> or register. I entered my OpenID, which is http://claimid.com/jasonspiro .
> This took me to https://openid.claimid.com/login which asked me to type in my
> ClaimID.com username and password, which I did.
>
> Now for the confusing part. It showed me the following question.
>
> You're about to log in to http://superuser.com/users/authenticate/ (sweet!)
>
> Click Log In or Log In and Trust to log in to
> http://superuser.com/users/authenticate/.
> (Log In and Trust adds this site to your list of trusted sites.)
>
> [ Log In ] [ Log in and Trust ] [ Cancel ]
>
> I had no idea whether to Trust or not. ClaimID.com is definitely not as easy to
> use as it could be, since ClaimID.com didn't explain to me what "trust" means,
> and even a Google search for [ claimid "log in and trust" ] didn't help. Now,
> having done more research, it seems to me that ClaimID's "Log In" is like a few
> other OpenID providers' "Allow Once" button, and "Log In and Trust" is like
> their "Allow Forever" button.
>
> But what do "Allow Once" and "Allow Forever" do? Having spent more time
> researching this than I'd like, I found a wiki page[1] by Evan Prodromou. The
> wiki page seems to me to mean that "Allow Once" lets superuser.com find out
> information that I've shared with ClaimID, like my current name, email address,
> and the city where I live, but only lets superuser.com find it out once. "Allow
> Forever" will let superuser.com find out my current name, email address, and
> city, and if I change my name, email address, or city that I have stored on file
> with ClaimID, superuser.com can get updates. And this is the only difference
> between the two buttons.
>
> Is my understanding, as I've explained it in the preceding paragraph, correct?
>
> Also, why does it seem that many major OpenID providers don't provide a "Help"
> link right next to the "Allow Once" and "Allow Forever" buttons that tells me
> what the difference between the buttons is?
>
> Thanks in advance,
> -Jason
>
> ^ [1]. http://evan.prodromou.name/OpenID_Privacy_Concerns
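Added example, not part of the original thread or any provider's code: a toy model of the OP-side decision described in the reply above, assuming the "special flow" is OpenID 2.0's `checkid_immediate` mode and that trust is stored per RP URL as shown in the prompt. `OpSession`, `handle_auth_request` and `user_decides` are hypothetical names.

```python
# Toy OpenID provider (OP) decision logic; illustration only, not a real OP.
from dataclasses import dataclass, field

@dataclass
class OpSession:
    """Constructed model of one user's state at the OP."""
    claimed_id: str
    logged_in: bool = False
    trusted_rps: set = field(default_factory=set)  # filled by "Allow Forever"

def handle_auth_request(session, mode, rp_url):
    """Decide what the OP does with an RP's request.

    Returns 'assert' (identity sent to the RP, no prompt), 'prompt'
    (login/consent page shown) or 'setup_needed' (RP gets nothing).
    """
    if mode not in ("checkid_setup", "checkid_immediate"):
        raise ValueError("unsupported openid.mode: " + mode)
    if session.logged_in and rp_url in session.trusted_rps:
        # Live OP session plus a remembered "trust" choice: no interaction.
        return "assert"
    if mode == "checkid_immediate":
        # No UI is allowed in this mode, so a site the user never approved
        # cannot silently learn the identifier.
        return "setup_needed"
    return "prompt"  # checkid_setup: the OP may ask the user

def user_decides(session, rp_url, choice):
    """Apply the consent-page button: 'once', 'forever' or 'cancel'."""
    if choice == "cancel":
        return "cancel"
    if choice not in ("once", "forever"):
        raise ValueError("unknown choice: " + choice)
    session.logged_in = True  # the prompt includes login when needed
    if choice == "forever":
        session.trusted_rps.add(rp_url)  # "once" leaves no record behind
    return "assert"

if __name__ == "__main__":
    rp = "http://superuser.com/users/authenticate/"
    s = OpSession("http://claimid.com/jasonspiro", logged_in=True)
    print(handle_auth_request(s, "checkid_setup", rp))      # first visit
    print(user_decides(s, rp, "forever"))
    print(handle_auth_request(s, "checkid_immediate", rp))  # return visit
    print(handle_auth_request(s, "checkid_immediate", "http://other.example/"))
```
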