Login with another OpenID

Sam Alexander sam.alexander at vidoop.com
Fri Jan 18 03:19:45 UTC 2008


Takeru,

We ran up against this use case in our testing, and we came to the same  
conclusion:

- User is logged into our OP with john.openid.com
- User attempts to login to rp.com with jill.openid.com
- User is redirected to our OP with the jill.openid.com identifier as  
payload
- We display a message that says "You are currently logged in as  
john, please log out first."

I agree, this should be a best practice for the OP.

I don't think that _automatically_ logging the user out is the  
correct solution (for instance, they may have just mistyped their
username). Showing them who they are logged in as, then giving them  
the option to log out and log in as the second user works well.

-Sam

On Jan 17, 2008, at 8:19 AM, Takeru INOUE wrote:

> Hi,
>
> I found that behavior of OPs is not defined when users re-login with a
> different OpenID.
>
> # This is a kind of single-sign-out issue, but is easier to solve it
> since just focused on "re-login."
>
> Let me show a simple scenario on this issue:
>
> 1. a user logs in to an RP with OpenID-1 of an OP:
>    ex. John logs in to http://rp.com/ with his 1st OpenID
> http://john.openid.net/ .
> 2. the user logs out from the RP:
>    John logs out from http://rp.com/
> 3. the user logs in to the RP with OpenID-2 of the same OP:
>    John logs in to http://rp.com/ with his 2nd OpenID
> http://lennon.openid.net/ .
> 4. what happens?
>
> I did experiments with some OPs, and got the following results:
>
> - Some OPs returned an error of "authentication failed".
> - In other OPs, session of OpenID-1 (not OpenID-2) remained, and the
> user was not redirected to the RP.
>
> Anyway, the user failed to re-login.
> 	
> I discussed this issue with Japanese OpenID people, and I believe that
> the following action is a good practice:
>
> "If username of OP is different with the claimed OpenID, the OP should
> make the user logout."
>
> In the above scenario, the OP (http://openid.net) should check the
> username (john) and the claimed OpenID (http://lennon.openid.net/).
> The OP lets the user logout, since the username is different with the
> claimed OpenID.
> After that, the user successfully logins with the different  
> username (lennon).
>
> I'd like to share this practice if it is the best one.
>
> Regards,
>
> -- 
>   Takeru INOUE <takeru.inoue at gmail.com>
> _______________________________________________
> user-experience mailing list
> user-experience at openid.net
> http://openid.net/mailman/listinfo/user-experience
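
The OP-side check discussed in this thread, as an added example that is not part of either message or of any OP's code: it compares the signed-in account with the claimed identifier and, on a mismatch, offers the switch instead of asserting the wrong identity or logging out silently. The account table, function names and action labels are hypothetical, and the `checkid_immediate` branch goes beyond the thread (in OpenID 2.0 an OP that cannot interact with the user answers `setup_needed`).

```python
from urllib.parse import urlsplit

# Constructed sample data: OP-local account -> identifiers it owns.
# A real OP would read this from its account store.
OWNED_IDENTIFIERS = {
    "john": {"http://john.openid.com/"},
    "jill": {"http://jill.openid.com/"},
}


def normalize(identifier):
    """Simplified normalization: default scheme, lower-case host, non-empty path."""
    identifier = identifier.strip()
    if "://" not in identifier:
        identifier = "http://" + identifier
    parts = urlsplit(identifier)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path or '/'}"


def handle_auth_request(session_user, claimed_id, mode="checkid_setup"):
    """Decide what the OP does with an authentication request.

    Returns (action, detail). Actions (hypothetical labels):
      show_login      - nobody is signed in; authenticate for claimed_id
      assert_identity - session owns claimed_id; continue to a positive assertion
      confirm_switch  - session belongs to someone else; show who is signed in
                        and offer log out / log in as the other user
      setup_needed    - same mismatch, but the RP asked for no user interaction
    """
    claimed = normalize(claimed_id)
    if session_user is None:
        return ("show_login", claimed)

    owned = {normalize(i) for i in OWNED_IDENTIFIERS.get(session_user, ())}
    if claimed in owned:
        return ("assert_identity", claimed)

    # Mismatch: never assert the session's identifier in place of the claimed
    # one, and never drop the existing session without asking the user.
    if mode == "checkid_immediate":
        return ("setup_needed", claimed)
    message = f"You are currently logged in as {session_user}, please log out first."
    return ("confirm_switch", message)


if __name__ == "__main__":
    print(handle_auth_request("john", "http://jill.openid.com/"))
```
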
