1. OpenID as True Single Signon


    OpenID is meant to be a distributed single sign-on protocol. Unlike corporate-only systems (e.g., Google Accounts), however, you have to sign on at every single site. When I sign in to Gmail, I am automatically signed in to Blogger, etc.

    Because cookies (or anything similar) cannot be stored across domains, this is not 100% possible, but I have a suggestion that will make it easier.

    Make every page on an OpenID-enabled site accept the openid_url GET parameter. If it is there, authenticate the user using that OpenID and then redirect back to the page the GET string was passed to - minus the openid_url parameter. Thus if I click a link from one OpenID-enabled site (where I am signed in) to another, I can be signed in automatically.

    A browser plugin (e.g., a Firefox extension, or a feature built into the browser, as may come in Firefox 3) could store the value last entered into a text input named openid_url (depending on user settings, of course). This value would then be added to the GET request for any URL (or any pertinent URL) the browser goes to. OpenID-less sites won't care; OpenID-enabled sites will automatically sign you in.
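
    The per-page handling proposed above, as an added example (not code from the original post): a function that pulls openid_url out of a page request, validates it, and computes the redirect target with that parameter removed. The function name is an assumption, and starting the actual OpenID authentication is left to whatever library the site uses.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

PARAM = "openid_url"  # field name used in the post


def split_openid_request(request_url):
    """Return (claimed_id, return_to) for a request to any page.

    claimed_id is the identifier to start OpenID authentication with, or
    None when the page should simply be shown without signing anyone in.
    return_to is the requested page with every openid_url parameter removed.
    (Hypothetical helper written for this example.)
    """
    parts = urlsplit(request_url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    supplied = [v.strip() for k, v in pairs if k == PARAM]
    kept = [(k, v) for k, v in pairs if k != PARAM]
    # Built from the request itself, so the redirect stays on this site.
    return_to = urlunsplit(parts._replace(query=urlencode(kept)))

    # Missing, empty or repeated parameter: nothing unambiguous to act on.
    if len(supplied) != 1 or not supplied[0]:
        return None, return_to

    claimed = supplied[0]
    if "://" not in claimed:
        claimed = "http://" + claimed  # users commonly type a bare host name
    ident = urlsplit(claimed)
    # Only http(s) identifiers with a host are acceptable discovery targets.
    if ident.scheme not in ("http", "https") or not ident.hostname:
        return None, return_to
    try:
        ident.port  # raises ValueError on a malformed port
    except ValueError:
        return None, return_to
    return claimed, return_to
```

    Because return_to is derived from the requested page itself, the redirect cannot point to another site, and the parameter only selects which identity to verify; sign-in still depends on the OpenID provider's response.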

    Creative Commons Licence © 2006-2008 Stephen Paul Weber. Some Rights Reserved.

    7 Comments

    1. Comment at 2007-01-24 06:01 by CANADA Johan Sundström

      Worth considering too is whether you want to share your identity automatically with every entity on the net which wants to know it. But making it comfier for you the times you do is of course good.

    2. Comment at 2007-01-24 10:09 by CANADA Singpolyma

      True — it should ask you… but not make you type anything.

    3. Comment at 2007-01-27 14:15 by CANADA Rasqual Twilight

      It would be interesting, provided that:
      * It is rule-based, preferably with a whitelist of applicable domains or subd.
      * Why not send in a cookie or in the user-agent string?

    4. Comment at 2007-01-27 14:22 by CANADA Singpolyma

      @function Rasqual Twilight - Obviously for a Firefox extension/similar you wouldn't want to blindly give your OpenID to every site you visited (probably anyway).

      RE Cookie/UA - As I explained cross-site cookies are impossible, this is for more than browsers only (likely) and sending either a 'fake' cookie or UA is unnecessarily complicated. GET works… and it's already being used with the almost-standard field name openid_url… I'm just suggesting that EVERY page on a site accept the GET param that they are ALREADY accepting on the login page…

    5. Comment at 2007-01-29 22:55 by CANADA Efendi

      Micro Persuasion have some article about OpenID too :)

    6. Comment at 2008-01-15 15:47 by UNITED STATES Windows Vista Netscape Navigator 4.8 jp

      My concern -
      Is that, for example, on Blogger, when you look at the Page Info on the comment it has a tab with forms and WTF all of my personal info is on there, email, password, etc. How much of this can be seen by the owner of the blog if you post anonymously or use a nickname? How much is silently stored by Blogger when you post a comment? Could it be used to trace anonymous comments back to the source?

    7. Comment at 2008-01-15 17:07 by CANADA Windows Vista Mozilla Firefox 2.0.0.11 Stephen Paul Weber

      That's a Blogger thing and exactly what OpenID angles to solve. Personally, I think they store none of it and KNOW the blog owner can't see it :)


Stephen Paul Weber