Use Case: should RPs remember identifiers?

Johannes Ernst jernst+openid.net at netmesh.us
Mon Nov 27 17:30:18 UTC 2006


Using the now several different MediaWiki OpenID extensions in  
existence prompted me to write this use case. Anybody agree or  
disagree on what the desired behavior is here?

1. Alice is an administrator of wiki wiki.example.com, which supports  
OpenID. She is responsible for rolling back wiki spam. To rollback  
wiki spam, she needs to be authenticated as an administrator on this  
wiki.
2. To make things easy on herself, she bookmarks  
wiki.example.com/wiki/Special:Recentchanges (the list of recent  
changes on the wiki) for a quick and frequent check on potential  
spam. She typically visits this page once a day.
3. When Alice discovers a change that might be spam, she performs a  
"diff" of the revisions in question and examines the change that was  
made. If it was spam, she clicks on "rollback" -- the button that is  
displayed on "diff pages" by MediaWiki, if the current user is  
authenticated as an administrator.

Here are the different implementations that I have seen:

A. Without OpenID, MediaWiki remembers Alice's session for some time  
(<<1 day). Thus, in order to perform this use case once a day, Alice  
must re-enter her MediaWiki user name and password every time she  
wishes to remove spam.

B. With the OpenID plugin on openid.net/wiki, or the OpenID plugin at  
iiw.windley.org, Alice must re-enter her OpenID identifier every time  
she checks on spam. (Session duration seems to be similar/the same as  
in case of (A)). Assuming she has a valid session at her OpenID  
identity provider, this is potentially more convenient than (A), but  
not by much.

C. In the NetMesh implementation (e.g. yadis.org), we store the  
OpenID identifier in a long-term cookie. When Alice's session is  
expired, the relying party (the wiki) automatically performs the  
redirect dance with the identifier stored in the cookie. The result:  
Alice does not need to re-enter anything, but -- assuming she has a  
valid session at her OpenID identity provider -- she is automatically  
authenticated.

I would argue that (C) is better at meeting the needs of Alice than  
(A) or (B). Certainly, for Alice == me, experience over recent weeks  
has shown that to be true and that's why I am bringing this up. (I  
have bookmarked the recent changes of openid.net/wiki, yadis.org,  
lid.netmesh.org, and a few others, and openid.net/wiki requires me to  
do a lot of repetitive stuff that I don't really want to do).





Johannes Ernst
NetMesh Inc.


  http://netmesh.info/jernst
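
An added example, not part of the original message and not the NetMesh code: the relying-party decision described in (C), where an expired session plus a remembered identifier triggers the redirect automatically. The cookie names, the `/openid/start` endpoint, the loop-guard marker and the sample identifier are assumptions made for this sketch.

```python
from urllib.parse import urlencode, urlsplit

# All names below are assumptions made for this example.
REMEMBER_COOKIE = "openid_identifier"   # long-term cookie holding the identifier
TRIED_COOKIE = "openid_auto_tried"      # short-lived marker set when an automatic attempt starts
START_PATH = "/openid/start"            # RP endpoint that begins the normal OpenID flow


def valid_identifier(value):
    """The cookie is client-controlled: accept only a plain http(s) URL."""
    if not value or len(value) > 2048 or any(c.isspace() for c in value):
        return False
    try:
        parts = urlsplit(value)
        return (parts.scheme in ("http", "https") and bool(parts.hostname)
                and parts.username is None)
    except ValueError:
        return False


def safe_return_to(path):
    """Only return to a local path, so the bookmark cannot become an open redirect."""
    if path.startswith("/") and not path.startswith("//") and "\\" not in path:
        return path
    return "/"


def decide(session_user, cookies, requested_path):
    """Return (action, location) for one request to a protected wiki page."""
    if session_user is not None:
        return "serve", None                      # session still valid
    identifier = cookies.get(REMEMBER_COOKIE)
    if valid_identifier(identifier) and TRIED_COOKIE not in cookies:
        # The cookie only saves typing. It proves nothing: the identity
        # provider must still assert the identifier before a session exists.
        query = urlencode({"openid_url": identifier,
                           "return_to": safe_return_to(requested_path)})
        return "redirect", START_PATH + "?" + query
    # No usable cookie, or the automatic attempt already failed once:
    # show the login form instead of redirecting in a loop.
    return "login_form", None


if __name__ == "__main__":
    # Constructed request: expired session, remembered identifier, Alice's bookmark.
    print(decide(None, {REMEMBER_COOKIE: "http://alice.example.org/"},
                 "/wiki/Special:Recentchanges"))
```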


