Login with another OpenID
Takeru INOUE
takeru.inoue at gmail.com
Thu Jan 17 14:19:25 UTC 2008
Hi,
I found that the behavior of OPs is not defined when users re-login with a
different OpenID.
# This is a kind of single-sign-out issue, but it is easier to solve
since it is focused only on "re-login."
Let me show a simple scenario on this issue:
1. A user logs in to an RP with OpenID-1 of an OP:
   e.g. John logs in to http://rp.com/ with his 1st OpenID
   http://john.openid.net/ .
2. The user logs out from the RP:
   John logs out from http://rp.com/
3. The user logs in to the RP with OpenID-2 of the same OP:
   John logs in to http://rp.com/ with his 2nd OpenID http://lennon.openid.net/ .
4. What happens?
I did experiments with some OPs, and got the following results:
- Some OPs returned an error of "authentication failed".
- In other OPs, the session of OpenID-1 (not OpenID-2) remained, and the
user was not redirected to the RP.
Anyway, the user failed to re-login.
I discussed this issue with Japanese OpenID people, and I believe that
the following action is a good practice:
"If the username of the OP is different from the claimed OpenID, the OP should
make the user log out."
In the above scenario, the OP (http://openid.net) should check the
username (john) and the claimed OpenID (http://lennon.openid.net/).
The OP lets the user log out, since the username is different from the
claimed OpenID.
After that, the user successfully logs in with the different username (lennon).
I'd like to share this practice if it is the best one.
Regards,
--
Takeru INOUE <takeru.inoue at gmail.com>
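
The practice proposed in the message above, sketched as an added example that is not part of the original post or of any OP's code. It assumes identifiers of the form http://<username>.openid.net/ as in the scenario; the function names, the session dictionary and the action strings are hypothetical.

```python
from urllib.parse import urlsplit

# Assumption: this OP issues identifiers of the form http://<username>.<OP_DOMAIN>/
OP_DOMAIN = "openid.net"


def username_from_claimed_id(claimed_id, op_domain=OP_DOMAIN):
    """Return the username encoded in a claimed OpenID, or None if it is not ours."""
    host = (urlsplit(claimed_id).hostname or "").lower()
    suffix = "." + op_domain
    if not host.endswith(suffix):
        return None  # also rejects look-alikes such as evil-openid.net
    user = host[: -len(suffix)]
    # Reject empty or nested labels such as "a.b.openid.net"
    return user if user and "." not in user else None


def handle_auth_request(session, claimed_id):
    """Decide what the OP does with an authentication request from an RP.

    session: OP-side login state, e.g. {"username": "john"} (hypothetical shape).
    Returns (action, new_session); the caller's session dict is not modified.
    """
    wanted = username_from_claimed_id(claimed_id)
    if wanted is None:
        return "error_unknown_identifier", dict(session)
    current = session.get("username")
    if current is None:
        return "prompt_login", {"login_hint": wanted}
    if current == wanted:
        return "assert_identity", dict(session)
    # Mismatch: never assert the logged-in user's identity for another claimed
    # OpenID, and do not fail either. End the old OP session by starting from
    # an empty one, then ask the user to log in as the claimed account.
    return "prompt_login", {"login_hint": wanted}


if __name__ == "__main__":
    # Constructed walk-through of the scenario: John is still logged in at the
    # OP when the RP sends a request for the second OpenID.
    op_session = {"username": "john"}
    print(handle_auth_request(op_session, "http://john.openid.net/"))
    print(handle_auth_request(op_session, "http://lennon.openid.net/"))
```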