Progress and some thoughts
Nathan D. Bowen
nbowen+yadis at andtonic.com
Tue Jun 21 14:02:51 PDT 2005
meepbear * wrote:
> They just need to exchange keys, but the UA can accomplish that and
> still be unable to spoof approval.
I don't follow -- if my consumer gets the server's key from the UA, how
do I know that a server was involved at all?
The whole point of having the UA bring back a *signed* verification
token is to verify that the token originated at the server. In order for
the signature to mean anything, we have to be reasonably convinced that
only the server and the consumer know the secret key.
> The part where the server asks the user to confirm that they want the
> consumer to ID them seems unnecessary? Since I need to supply an URL
> and click a button, that would constitute approval already?
It may feel unnecessary in the "legitimate" case when you did supply a
URL and click a button.
On the other hand, the server doesn't know that you supplied a URL and
clicked a button. Maybe you thought you clicked "About Us" on my
website, but my website redirected you to livejournal without your
asking, in an attempt to figure out who you were. So, if you show up at
the server with a request to give your identity to a server you've never
approved before, the only safe thing for the server to do is to stop and
make sure you know what's happening.
> Having to go through three forms (type in URL, server login and
> consumer approval) to confirm ID seems like too much trouble for most
> people to bother with each time when they're used to single sign-on.
Hopefully real-life implementations will ensure that some of these steps
don't happen _each_ time -- only the first time.
For example, just like a website can give your browser a "remember me"
cookie, a website could give you a "remember my OpenID" cookie. That
cookie would say "from now on, if I'm not logged in, automatically log
me in using the same OpenID I used last time". So if you hit OtherSite
before logging in -- but yesterday you changed your OtherSite
preferences to say that you want to automatically log in with your
LiveJournal OpenID identity -- OtherSite would:
1) notice your cookie
2) look up your OpenID
3) forward you to LiveJournal
4) receive the response from LiveJournal
5) log you in
Assuming you were already logged into LiveJournal and you'd already told
LiveJournal that you trust OtherSite, all you'd have to do is wait a few
extra seconds for the automatic OpenID login to happen.
More information about the yadis