<div>I was reading the RP best practices on the OpenID wiki and was particularly interested <a href="http://wiki.openid.net/Relying-Party-Best-Practices#StoreprimaryOpenIDinacookieandcheckimmediateatnextsession">its suggestion to use persistent cookies for the identifier</a> rather than the actual user authentication ticket. The idea being that each user visit to the site invokes a checkid_immediate message to the OP to see if the user is still logged into the OP, and if so, the RP "resumes" the user's login session, otherwise the user must log in again. The persistent cookie stores the identifier that is used to send the checkid_immediate message.</div>
<div><br></div><div>I've heard some reactions by users who were new to OpenID that were surprised that logging out of the OP didn't automatically log them out of the RPs. I know we've had several "single-sign-out" threads on this list, and this seems like it would solve it with no change to the OpenID spec. </div>
<div><br></div><div>I've never seen an OpenID RP actually behave this way, however. It does seem to introduce some new problems. For example, if the RP sends the user on a checkid_immediate redirect as soon as the user returns to the RP and the OP happens to be down, the user is effectively locked out of the RP because the OP won't return the user to the RP. To use a hidden iframe at the RP to attempt the checkid_immediate could result in something like the Facebook auto-login experience where the user sees the Facebook login page for a few seconds and then is automatically dragged into his account, which met with some "what the heck just happened?" questions from users.</div>
<div><br></div><div>I'm building a feature into DotNetOpenAuth that will help RPs to use this behavior, but I'm just wondering if anyone else has scouted out this territory and have any suggestions. I think the approach I'm going to start with is the full-window redirect using checkid_immediate, but I'll only try it at the user's <i>first</i> request for a session, so that if the OP doesn't return the user and the user tries visiting the RP again, the second attempt will succeed and the user will just have to log in explicitly (presumably using another OP).</div>
<div><br></div><div>What do you all think?</div><br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>