Login with another OpenID

Takeru INOUE takeru.inoue at gmail.com
Fri Jan 18 04:34:23 UTC 2008


Sam,

That seems like a good idea.
OP should show "currently logged in as john, log out first."


On Jan 18, 2008 12:19 PM, Sam Alexander <sam.alexander at vidoop.com> wrote:
> Takeru,
>
> We ran up against this use case in our testing, we came to the same
> conclusion:
>
> - User is logged into our OP with john.openid.com
> - User attempts to login to rp.com with jill.openid.com
> - User is redirected to our OP with the jill.openid.com identifier as
> payload
> - We display a message that says "You are currently logged in as
> john, please log out first."
>
> I agree, this should be a best practice for the OP.
>
> I don't think that _automatically_ logging the user out is the
> correct solution (for instance, they may have just mistyped their
> username). Showing them who they are logged in as, then giving them
> the option to log out and log in as the second user works well.
>
> -Sam
>
>
> On Jan 17, 2008, at 8:19 AM, Takeru INOUE wrote:
>
> > Hi,
> >
> > I found that behavior of OPs is not defined when users re-login with a
> > different OpenID.
> >
> > # This is a kind of single-sign-out issue, but it is easier to solve
> > since it is focused just on "re-login."
> >
> > Let me show a simple scenario on this issue:
> >
> > 1. a user logs in to an RP with OpenID-1 of an OP:
> >    ex. John logs in to http://rp.com/ with his 1st OpenID
> > http://john.openid.net/ .
> > 2. the user logs out from the RP:
> >    John logs out from http://rp.com/
> > 3. the user logs in to the RP with OpenID-2 of the same OP:
> >    John logs in to http://rp.com/ with his 2nd OpenID
> > http://lennon.openid.net/ .
> > 4. what happens?
> >
> > I did experiments with some OPs, and got the following results:
> >
> > - Some OPs returned an error of "authentication failed".
> > - In other OPs, session of OpenID-1 (not OpenID-2) remained, and the
> > user was not redirected to the RP.
> >
> > Anyway, the user failed to re-login.
> >
> > I discussed this issue with Japanese OpenID people, and I believe that
> > the following action is a good practice:
> >
> > "If the username at the OP is different from the claimed OpenID, the OP
> > should make the user log out."
> >
> > In the above scenario, the OP (http://openid.net) should check the
> > username (john) and the claimed OpenID (http://lennon.openid.net/).
> > The OP lets the user log out, since the username is different from the
> > claimed OpenID.
> > After that, the user successfully logs in with the different
> > username (lennon).
> >
> > I'd like to share this practice if it is the best one.
> >
> > Regards,
> >
> > --
> >   Takeru INOUE <takeru.inoue at gmail.com>
>
> > _______________________________________________
> > user-experience mailing list
> > user-experience at openid.net
> > http://openid.net/mailman/listinfo/user-experience
>



-- 
  Takeru INOUE <takeru.inoue at gmail.com>
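
The OP-side check discussed in this thread, as an added example that is not part of the original messages or any OP's code. The function name, the session model and the action labels are assumptions; it also covers checkid_immediate, where the OP cannot show a page and answers setup_needed instead.

```python
from urllib.parse import urlsplit

# OpenID 2.0 value meaning "let the user pick an identifier at the OP".
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"


def normalize(identifier):
    """Lower-case scheme and host and default the path to '/' for comparison."""
    if "://" not in identifier:
        identifier = "http://" + identifier
    parts = urlsplit(identifier)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path or '/'}"


def decide(params, session_identities):
    """Return (action, detail) for an incoming authentication request.

    params: the openid.* parameters of the request.
    session_identities: identifiers owned by the account currently logged in
    at the OP, empty when nobody is logged in (hypothetical session model).
    """
    mode = params.get("openid.mode")
    if mode not in ("checkid_setup", "checkid_immediate"):
        return ("error", "unsupported openid.mode")
    immediate = mode == "checkid_immediate"
    requested = params.get("openid.identity", "")
    if not requested:
        # This sketch only handles requests that name an identifier.
        return ("error", "missing openid.identity")

    owned = {normalize(i) for i in session_identities}
    if not owned:
        # Nobody is logged in: interact only if the mode allows it.
        return ("setup_needed", None) if immediate else ("show_login", requested)
    if requested == IDENTIFIER_SELECT or normalize(requested) in owned:
        return ("continue", requested)

    # Logged in as someone else: neither fail silently nor log out
    # automatically; tell the user who they are and let them choose.
    if immediate:
        return ("setup_needed", None)
    current = session_identities[0]
    return ("show_mismatch",
            f"You are currently logged in as {current}, please log out first.")
```
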


