Browser plug-in

Martin Atkins mart at
Wed Jul 6 12:36:10 PDT 2005

meepbear * wrote:
> I actually envisioned something more involved than simply filling out
> forms. A plug-in can provide an identity to the consumer just as easily
> as the OpenID server can, but without requiring someone to be logged
> into/log onto anything all the time. All the consumer would have to do
> is check with the server to see if what the plug-in gave it was
> authentic or not.

This is tricky because the protocol essentially requires all of the
to-ing and fro-ing in order to work. There is no standard way to give a
consumer a signature that's been computed without the help of the
redirecty bit.

One thing we could have done with the old protocol is have OpenID
consumers declare their return_url in yet another LINK element so that a
clueful client can just go straight to it having computed the signature
somehow of its own accord. The declared ID server then just needed to
support getpubkey. However, that's not possible anymore since the
consumer and server must be associated before anything else happens. The
browser running its own identity server would work in theory, but
creates a can of worms for people who use NAT gateways or firewalls.

When we discussed this before, the only reason I could come up with for
why it would be better to have a browser plugin than just to
automatically fill a form is that explicitly clicking a little OpenID
button on the toolbar implies that you wish to allow the current site to
receive your identity so you could perhaps avoid the authorisation step.
However, while this was just a little bit tricky with the old protocol,
it's really quite difficult with the new protocol since the server talks
to the consumer a lot more than it did before.

It could also be argued that having the OpenID button skip the auth step
is dangerous since the user then doesn't get to see what the trust_root
is; it might be something crazy like http://*.com/. Not really a problem
if the click only implies "Yes; just this time", though, as the trust
will never be stored anyway.
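
The trust_root concern raised in the message above, as an added example that is not part of the original post or of any OpenID implementation: a check that refuses a wildcard trust_root spanning a whole top-level domain and confirms that a return URL actually falls under the trust_root before a user is asked to approve it. The function names, the matching rules (same scheme and port, host match on a label boundary, path match on a segment boundary) and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_trust_root(trust_root):
    """Split a trust_root into (scheme, wildcard, host, port, path)."""
    parts = urlsplit(trust_root)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("trust_root must be an absolute http(s) URL")
    host = parts.hostname.lower()
    wildcard = host.startswith("*.")
    if wildcard:
        host = host[2:]
    if not host or "*" in host:
        raise ValueError("'*' is only allowed as the leading host label")
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    return parts.scheme, wildcard, host, port, parts.path or "/"


def is_overbroad(trust_root):
    """True when the wildcard spans a whole TLD, e.g. http://*.com/.

    Assumption: "no dot left after the wildcard" is the heuristic; it does
    not know about multi-label public suffixes such as co.uk.
    """
    _, wildcard, host, _, _ = parse_trust_root(trust_root)
    return wildcard and "." not in host


def return_to_allowed(trust_root, return_to):
    """True if return_to falls under a trust_root that is not over-broad."""
    if is_overbroad(trust_root):
        return False
    scheme, wildcard, host, port, path = parse_trust_root(trust_root)
    rt = urlsplit(return_to)
    rt_host = (rt.hostname or "").lower()
    if (rt.scheme, rt.port or DEFAULT_PORTS.get(rt.scheme)) != (scheme, port):
        return False
    # Match on a label boundary so example.com.evil.test is not accepted.
    host_ok = rt_host == host or (wildcard and rt_host.endswith("." + host))
    # Match the path on a segment boundary so /app does not cover /application.
    rt_path = rt.path or "/"
    prefix = path if path.endswith("/") else path + "/"
    return host_ok and (rt_path == path or rt_path.startswith(prefix))
```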
