Seamless site-to-site account creation and login via OpenID

Drummond Reed drummond.reed at
Thu Aug 24 19:45:48 UTC 2006

Got it. My not-having-thought-about-it-too-deeply-yet reaction is that, as
long as there are no privacy/control issues (which might be as simple as
clearly and conspicously informing the user that this is how
identity/authentication works within this partner network), it's pretty
cool. Essentially everyone in the network would be generating their own
site-relative identifier for the user when handing off to a partner site.


Question: if site A handed off to site B, and then site B handed off to site
C, would the URL that site B gave to site C point back to site B as the IdP,
or back to site A as the IdP?





From: yadis-bounces at [mailto:yadis-bounces at]
On Behalf Of Tony
Sent: Thursday, August 24, 2006 12:36 PM
To: Yadis list
Subject: Re: Seamless site-to-site account creation and login via OpenID


Yes, that's correct.  The idea is to have a partner network of a number of
sites that all trust each other, and allow any user of any site in the
partner network to move around the network utilizing various services which
are tied to an account on that site. 

- Tony


On 8/24/06, Drummond Reed < <mailto:drummond.reed at>
drummond.reed at> wrote:



So if I understand this (fascinating) scenario, what you're really talking
about is the capability for any site A to dynamically begin serving as a
"proxy" IdP for a user to another trusted site B, simply by issuing a URL
for accessing site B that points back to site A as the OpenID IdP.


Do I have that right?


If so, that's both really cool, and - possibly - a little scary, because the
user may not expect/want site A to act in that proxy IdP capacity.


What do folks think?


=Drummond (i-name: =drummond.reed, 



From: yadis-bounces at [mailto:
<mailto:yadis-bounces at>  yadis-bounces at] On
Behalf Of Tony
Sent: Thursday, August 24, 2006 1:21 AM
To: yadis at
Subject: Seamless site-to-site account creation and login via OpenID


Thus far I've only read about OpenID and tried it out with some scant
services.  However as far as I can tell, the process of creating an account
and logging in to a trusted "partner" site could be made completely
automated, correct? 


User has an account on Web Site A.  User logs into Site A and a session
cookie is set.

User wants to access a service on Site B which is part of Site A's trusted
network of partner sites.

User requests Site B's feature on Site A.  Site A directs the user to Site
B, passing their OpenID XRI for Site A to Site B.

Site B would then contact Site A based on the OpenID to verify User's
identity.  Site B would then issue an HTTP redirect for the user to a
specially designed landing URL. 

When User's browser hits the landing URL, Site A checks the session cookie
and sets up the trust relationship with Site B.

As far as I can tell, this can be 100% seamless and behind the scenes,
provided the user has 1) already logged into Site A and 2) Site A and B
trust each other enough to use OpenID in this manner. 

Correct, or am I missing something?

Tony Arcieri

-------------- next part --------------
An HTML attachment was scrubbed...

More information about the yadis mailing list