<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Thanks.<div>In this scenario, the user first visits the OP; what I had in mind is more: is it possible for a user to submit his credentials directly on the RP page (even if the login form is an iframe to the OP or any other 'clever' mechanism)?</div><div><br></div><div>Personally, I don't think submitting credentials from the RP is a good idea, and would even be a security breach of the model, IMHO. But it seems that our usability people consider that as a plus.</div><div><br></div><div>Jean-Noel</div><div><br><div>On 08 Apr 2008, at 22:54, Peter Williams wrote:<br class="Apple-interchange-newline"><blockquote type="cite"><div> <div id="idOWAReplyText61136" dir="ltr"> <div dir="ltr"><font face="Arial" color="#000000" size="2">User logs on to OP, e.g. openid.trustbearer.com/jean-noel. </font></div> <div dir="ltr"><font face="Arial" color="#000000" size="2"></font> </div> <div dir="ltr"><font face="Arial" color="#000000" size="2">User clicks on link on OP page, to visit RP page.</font></div> <div dir="ltr"><font face="Arial" size="2"></font> </div> <div dir="ltr"><font face="Arial" size="2">RP landing page detects no session cookie and thus uses JavaScript to allocate a new (separately scheduled) HTTPRequest class, which asynchronously redirects itself to the OP using OpenID auth parameters (and an existing association with the OP, determined perhaps from the HTTP fields or the user id). The OP responds with a redirect, based on the fact that the user has an existing session on the OP. 
The RP event handling system signals the HTTP object, whose JavaScript allows landing page login event to fire and continue to post-login pages.</font></div></div> <div id="idSignature95544"><font face="Arial"></font><br> <hr tabindex="-1"> <font face="Tahoma" size="2"><b>From:</b> Jean-Noel Colin<br><b>Sent:</b> Tue 4/8/2008 12:10 PM<br><b>To:</b> <a href="mailto:general@openid.net">general@openid.net</a><br><b>Subject:</b> [OpenID] How to prove identity without leaving RP?<br></font><br></div> <div><pre style="WORD-WRAP: break-word">Hi
The OpenID Auth 2.0 specs mention in the abstract that it should be
possible for an end user to 'prove their identity to a relying party
without having to leave their current web page'.
Of course, this sounds more user-friendly than sending the user to the
OP's page to authenticate, then back to the RP's page.
However, I don't quite understand how this is technically feasible.
The specs mention AJAX-style setup
Another unclear statement is found later in the doc: "An example of a
situation where interaction between the end user and the OP is not
desired is when the authentication request is happening asynchronously
in JavaScript." How is this possible?
Thanks a lot for clarifying this
Best regards
Jean-Noel Colin
</pre></div></div></blockquote></div><br></div></div></body></html>