I'm a bit concerned about the privacy aspect, but I'm sure regardless of the future spec that OPs will be smart about giving the user the option to "advertise" their login status at an OP to an untrusted RP. As I recall, the way Google resolved the privacy concern is actually by giving each domain admin the option to advertise or not to RPs.
A standard addition to the protocol would be interesting, to be sure. However, it doesn't make as much sense out of the context of Google Apps, since that's the only host that represents very many OP endpoints, which is what makes it interesting for the RP to poll with the question "hey, which OPs is the user logged into?"

From a UI standpoint, even if it were possible for the RP to meaningfully ask the question (of someone) "what are all the OPs the user is logged into?", I'm dubious about the value of an RP doing so. It wouldn't pass the "my mom can login" test if she revisited an RP, and couldn't login because her "Google" button was missing. It wouldn't occur to her that she has to go to Google herself and log in there before she can log into the RP. Some OPs do that today (like Verisign), by refusing to log a user in as part of the OpenID flow, but it's not very user-friendly -- and that's when Verisign appears at the RP in the first place.

Just my 2 cents.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre

On Mon, Dec 14, 2009 at 7:09 AM, Santosh Rajan <[email protected]> wrote:

> I agree with Andrew, and I think every OP must do the same. Or maybe we add
> that to the protocol.
>
>
> On Mon, Dec 14, 2009 at 8:17 PM, Andrew Arnott <[email protected]> wrote:
>
>> Nope, that's not it either. What I'm thinking of is an aid to pure login
>> UI -- nothing to do with OAuth. And again, *Google* is supplying the
>> list of Google Apps domains the user is logged into -- not the RP asking for
>> each specific domain.
>>
>> --
>> Andrew Arnott
>> "I [may] not agree with what you have to say, but I'll defend to the death
>> your right to say it." - S. G. Tallentyre
>>
>>
>> On Mon, Dec 14, 2009 at 6:32 AM, Chris Obdam <[email protected]> wrote:
>>
>>> > The solution Dirk/Breno spoke of (as I recall) was a single URL that would return all google apps for domains the user is logged into.
>>>
>>> Ok, clear. Is this the one?
>>>
>>> > openid.ext2.scope - (required) List of URLs identifying the Google service(s) to be accessed. See documentation for the services of interest to get scopes must be space-delimited and properly escaped. This parameter is not defined in the OAuth standards; it is a Google-specific parameter.
>>>
>>> Cheers,
>>>
>>> Chris Obdam
>>> Stichting OpenID NL (Dutch OpenID foundation)
>>>
>>> > --
>>> > Andrew Arnott
>>> > "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
>>> >
>>> >
>>> > On Mon, Dec 14, 2009 at 6:14 AM, Chris Obdam <[email protected]> wrote:
>>> > Andrew,
>>> >
>>> > That sounds a lot like the openid.ui.x-has-session variable David mentioned earlier today?
>>> >
>>> > More info on
>>> > http://svn.openid.net/repos/specifications/user_interface/1.0/trunk/openid-user-interface-extension-1_0.html and
>>> > http://code.google.com/intl/nl-NL/apis/accounts/docs/OpenID.html
>>> >
>>> > Cheers,
>>> >
>>> > Chris Obdam
>>> > Stichting OpenID NL (Dutch OpenID foundation)
>>> >
>>> > On 14 Dec 2009, at 14:54, Andrew Arnott wrote:
>>> >
>>> > > At IIW, Google mentioned that they are trying out a way for Google Apps domains to advertise to RPs that the user is logged into them so that RPs can show a "log into puffypoodles.com" option. Where can we find documentation on how that works?
>>> > >
>>> > > Thanks.
>>> > > --
>>> > > Andrew Arnott
>>> > > "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
>>> > > _______________________________________________
>>> > > specs mailing list
>>> > > [email protected]
>>> > > http://lists.openid.net/mailman/listinfo/openid-specs
>>> >
>>> >
>>>
>>
>> _______________________________________________
>> specs mailing list
>> [email protected]
>> http://lists.openid.net/mailman/listinfo/openid-specs
>>
>
>
> --
> http://hi.im/santosh
>
