Browser Login Plugin

Martin Atkins mart at degeneration.co.uk
Thu May 19 03:52:25 PDT 2005 

(Longest proposal message yet... but you can ignore the bit between the 
dashed lines if you trust me that it'll work!)

Brad and I talked about this a little back when he first proposed it. 
Now that I actually know how OpenID works, I'm in a better position to 
make a proposal.

The idea here is that frequent OpenID users will install a browser 
plugin which will add a "Log in with OpenID!" button to their browser. 
The user will have preconfigured an identity to use. When clicking this 
button, the browser will do the client-side part of the process locally 
and just hand off the authorisation token to the consumer site.

The plugin needs a clue on the consumer site about how to interface with 
its OpenID code. We add some discovery stuff to the head of the 
consumer's HTML document:

<link rel="openid.returnurl"
       href="http://someconsumer.com/openidhelper" />

This is equivilent to the return_url in the normal request and will be 
used as such when the plugin sends the authorisation request.

For the sake of AJAX-like logins:

<link rel="openid.returnhook" href="openid_login_hook" />
   (I know LINK is totally the wrong element for this, but for
    illustration's sake ignore that for the moment.)

openid_login_hook is the name of a script function in the 'window' 
object which accepts the parameters (identity, timestamp, token) and 
does whatever is necessary to make the UI look like the user has logged in.

Where a site specifies both, it'll be up to the plugin whether it does 
it the fancy scripting way or the classic way. I imagine a trust_root 
will need to be specified as well, so that the ID Server can use it to 
do the approval.

--------------------------

This is a convention for the consumer to follow; it doesn't affect the 
ID server at all.

On clicking the login toolbar button, the browser discovers and sends a 
request to the identity server. It'll get back a redirect whose query 
string it can parse to figure out what's happened. The response can be 
used to either open a window to do the authorisation or to trigger the 
hook to give the site the login token.

The fancy mode requires that the browser extension API has some way to 
make a HTTP request with the right cookies and catch and parse the 
redirects rather than letting them happen. It also requires the ability 
to run a named function within a loaded document *with the priviledges 
of that loaded document*.

A more simple plugin, though, can just make the ID server request in the 
browser view and let the redirects take their course so that the user 
eventually ends up at the redirect_url. The only complicated part is the 
request to the Identity URL to auto-discover the ID server, but that 
doesn't require any cookies or auth.

If the user has permanently approved a given consumer and is logged in 
to the identity server, clicking the toolbar button on that consumer 
site will do a login in one click with no typing necessary, and that's 
the point of all this.

--------------------------

A Firefox extension to do this shouldn't be too hard. However, I've 
never written a Firefox extension before, so if someone else fancies 
doing it then please speak up to save me having to learn it! :)

Doing this as an Internet Explorer toolbar extension shouldn't be too 
hard, either.

Please let me know if I've missed anything important! :)

More information about the yadis mailing list