Time to take a break?
Brad Fitzpatrick
brad at danga.com
Wed Jul 13 11:04:31 PDT 2005
Now that we've updated the spec to clarify that we're not a single-sign-on
protocol (no more "Consumer should be logged in until ______"), I think
I'll be taking it a little easier on OpenID for a couple months.
I'll still be on the mailing list, answering questions when others don't
beat me to it, and I'll still be working here (at Six Apart), making sure
OpenID is well-tested and integrated in all our sites/products.
I imagine there's still some website work to do, documenting best
practices and implementation pitfalls. PLEASE--- bug me about those. If
you want anything on the specs.bml page, just let me know.
One best practice item wrt single-sign-on is:
* you should not create a login session for a user as a result
  of an openid identity assertion, unless the user is prepared for it.
  the UI should reflect what will be done with the assertion.
  examples:
    Login with OpenID! [ ]            --> logs user in.               GOOD
    Leave a comment with OpenID: [ ]  --> leaves comment,
                                          then user is forgotten .... GOOD
    Leave a comment                   --> comment + logs in           BAD
    Leave a comment + do you want to login?                           GOOD
* if you do let somebody login with OpenID, they should understand
  the duration (browser session vs. cookie expiry), and preferably
  side with browser session as the default
Currently LiveJournal and LifeWiki do all these things, and we hope others
do too.
- Brad
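The two best-practice items above, as an added example that is not part of Brad's post or of any OpenID library: a relying-party handler that records what the user clicked (login vs. comment) against a server-side nonce before redirecting, so the returning assertion can only do what the UI promised, and that issues a browser-session cookie unless the user explicitly asked to be remembered. The function names, the `_pending`/`_sessions` stores and the 14-day "remember me" lifetime are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass, field

# Hypothetical in-memory stores (a real relying party would persist these with
# expiry): pending nonce -> intended action, and session id -> verified identity.
_pending = {}
_sessions = {}

ALLOWED_INTENTS = {"login", "comment"}


def begin(intent: str) -> str:
    """User clicked 'Login with OpenID' or 'Leave a comment with OpenID'.
    Record what the assertion will be used for; embed the nonce in return_to."""
    if intent not in ALLOWED_INTENTS:
        raise ValueError(f"unknown intent {intent!r}")
    nonce = secrets.token_urlsafe(16)
    _pending[nonce] = intent
    return nonce


@dataclass
class Response:
    action: str                              # "login", "comment" or "reject"
    set_cookie: dict = field(default_factory=dict)


def complete(nonce: str, identity: str, assertion_ok: bool,
             remember: bool = False) -> Response:
    """Handle the return from the identity provider after signature checks."""
    intent = _pending.pop(nonce, None)       # one-shot: a replayed nonce -> None
    if intent is None or not assertion_ok:
        return Response("reject")
    if intent == "comment":
        # Comment is posted under `identity`, but no session is created:
        # the user is forgotten, exactly as the UI said.
        return Response("comment")
    # intent == "login": the user asked to be logged in, so create a session.
    sid = secrets.token_urlsafe(16)
    _sessions[sid] = identity
    cookie = {"name": "session", "value": sid, "httponly": True}
    if remember:
        cookie["max_age"] = 14 * 24 * 3600   # assumed lifetime, opt-in only
    # No max_age -> browser-session cookie, the recommended default.
    return Response("login", cookie)


def whoami(session_id: str):
    """Identity behind a session cookie, or None if there is no such session."""
    return _sessions.get(session_id)
```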