Singpolyma

Technical Blog

OpenID as True Single Signon


OpenID is meant to be a distributed single sign-on protocol. Unlike closed, single-vendor systems (e.g., Google Accounts), however, it makes you sign on at every single site. When I sign in to Gmail I am automatically signed in to Blogger, etc.

While the inability to store cookies (or anything similar) across domains means this cannot be done fully, I have a suggestion that will make it easier.

Make every page on an OpenID-enabled site accept the openid_url GET parameter. If it is present, authenticate the user with that OpenID and then redirect back to the page the GET string was passed to, minus the openid_url parameter. Thus if I click a link from one OpenID-enabled site (where I am signed in) to another, I can be signed in automatically.

A browser plugin (e.g., a Firefox extension, or functionality built into the browser, as may come in Firefox 3) could store the last value entered into a form text input named openid_url (subject to user settings, of course). This value would then be added to the GET request for every URL (or only pertinent URLs, depending on those settings) the browser goes to. OpenID-less sites won’t care; OpenID-enabled sites will automatically sign you in.
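As an added example (not code from the post), here is the server-side half of this proposal in Python: a handler that any page can call pulls openid_url out of the query string, keeps the rest of the query, and builds the return URL as a same-site path so the post-authentication redirect cannot be steered off-site. OpenID discovery and assertion checking are left to whatever library the site uses; the URLs and the `session` dict are constructed for the demonstration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

OPENID_PARAM = "openid_url"  # the near-standard field name the post relies on


def extract_openid(request_url):
    """Split a requested URL into (openid_url or None, return_to).

    return_to is the same page with openid_url removed and every other query
    parameter kept.  It is emitted as a path-only URL, so the redirect that
    follows authentication can never be pointed at another host.
    """
    parts = urlsplit(request_url)
    openid, remaining = None, []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == OPENID_PARAM:
            if openid is None:          # first copy wins, duplicates are dropped
                openid = value
        else:
            remaining.append((key, value))
    return_to = urlunsplit(("", "", parts.path or "/", urlencode(remaining), parts.fragment))
    return openid, return_to


def is_plausible_identifier(openid):
    """Cheap sanity check before spending a network round-trip on discovery."""
    if not openid:
        return False
    p = urlsplit(openid if "://" in openid else "http://" + openid)
    return p.scheme in ("http", "https") and bool(p.hostname) and "." in p.hostname


def plan_response(request_url, session):
    """Decide what a page handler does with an incoming request.

    Returns ("serve",) to render the page normally, or
    ("begin_openid", openid, return_to) to start OpenID authentication and
    come back to this page without the parameter.  Assumed policy (not from
    the post): an already signed-in session ignores the parameter, so a link
    cannot force a fresh provider round-trip on every click.
    """
    openid, return_to = extract_openid(request_url)
    if openid is None or session.get("openid") or not is_plausible_identifier(openid):
        return ("serve",)
    return ("begin_openid", openid, return_to)


if __name__ == "__main__":
    # constructed request: an inbound link carrying the visitor's identifier
    url = "https://blog.example.invalid/posts/42?page=2&openid_url=http://alice.example.invalid/#comments"
    print(plan_response(url, session={}))
    # ('begin_openid', 'http://alice.example.invalid/', '/posts/42?page=2#comments')
```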

7 Responses

Johan Sundström

Worth considering too is whether you want to share your identity automatically with every entity on the net which wants to know it. But making it comfier for you the times you do is of course good.

Rasqual Twilight

It would be interesting, provided that:
* It is rule-based, preferably with a whitelist of applicable domains or subdomains.
* Why not send it in a cookie or in the user-agent string?

Singpolyma

@Rasqual Twilight – Obviously for a Firefox extension/similar you wouldn’t want to blindly give your OpenID to every site you visited (probably anyway).

RE Cookie/UA – As I explained, cross-site cookies are impossible; this is (likely) for more than browsers only, and sending either a ‘fake’ cookie or UA is unnecessarily complicated. GET works… and it’s already being used with the almost-standard field name openid_url… I’m just suggesting that EVERY page on a site accept the GET param that they are ALREADY accepting on the login page…

jp

My concern is that, for example on Blogger, when you look at the Page Info on the comment it has a tab with forms and WTF, all of my personal info is on there: email, password, etc. How much of this can be seen by the owner of the blog if you post anonymously or use a nickname? How much is silently stored by Blogger when you post a comment? Could it be used to trace anonymous comments back to the source?

Stephen Paul Weber

That’s a Blogger thing and exactly what OpenID angles to solve. Personally, I think they store none of it and KNOW the blog owner can’t see it 🙂
