My Ideal Identity Flow

From IIW

Eran wrote this up.

Assumptions:

  • The notion of Personas (even if it's just one) is available in all OpenID providers (if there is just one, it's just you)
  • OpenID providers have a standard, yet to be developed, protocol/API which gives:
    • List of personas (if available)
    • Switch current persona
  • OpenID consumers (sites) will support the XRD discovery spec to detect:
    • OpenID end-point
    • Signout end-point (for when I want to switch a persona and make sure I'm signed out from a site with the current persona)

Eventual Result: Have an integrated, always-aware identity toolbar that can automatically sign me in to sites I've previously used with the OpenID provider. The provider will also associate a specific persona with the site I'm logging into, so that when I switch personas it will automagically log me out of the current site with the current persona and allow me (if I want to) to register with a different persona.


Scenario(s):

  • Open browser and log into the defined OpenID provider
  • Go to a site
  • Identity Toolbar will detect if there is an OpenID end-point (through XRD discovery)
    • If there is an OpenID end-point, the toolbar will ask the OpenID provider whether I've previously signed up to that site with the current active persona
      • If I did, based on a preset it will either ask me if I want to sign in or automagically sign me in by initiating an OpenID login with the OpenID end-point previously discovered
  • When I switch a persona, the toolbar will request the site to sign-out
  • When I access a sign-up page, the toolbar will detect that this is the sign-up end-point and will perform an OpenID login which, since this is the first time, will act as a registration flow and will try to automatically register me with the details of the current active persona.
  • It would be great to have a "guest" mode: when I hand my computer to someone else to browse, it disables the auto sign-in/up features so that the person currently using my computer won't gain access to my accounts.
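
The assumptions and the scenario above together describe a protocol flow, so here is an added worked example that models it offline in Python. It is not code from the original page or from any OpenID provider or toolbar: XRD discovery of a site's end-points, the provider-side persona lookup the page says still needs a standard API, auto sign-in gated by the preset and by guest mode, and sign-out of the previous persona's sessions on a persona switch. Everything specific in it is an assumption made for the example: the link relations (`http://example.org/rel/openid-login`, `http://example.org/rel/signout`), the site names, the `Provider` and `Toolbar` classes and their methods, and the XRD documents, which are constructed inline.

```python
import xml.etree.ElementTree as ET

XRD_NS = "{http://docs.oasis-open.org/ns/xri/xrd-1.0}"
# The page leaves the site-side link relations unspecified; these are assumed.
REL_OPENID_LOGIN = "http://example.org/rel/openid-login"  # assumed rel
REL_SIGNOUT = "http://example.org/rel/signout"            # assumed rel

# Constructed XRD documents standing in for what the toolbar would fetch.
XRD_DOCS = {
    "https://forum.example": (  # OpenID login plus a sign-out end-point
        '<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">'
        f'<Link rel="{REL_OPENID_LOGIN}" href="https://forum.example/login/openid"/>'
        f'<Link rel="{REL_SIGNOUT}" href="https://forum.example/logout"/></XRD>'
    ),
    "https://shop.example": (  # OpenID login, but no sign-out end-point
        '<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">'
        f'<Link rel="{REL_OPENID_LOGIN}" href="https://shop.example/openid"/></XRD>'
    ),
    "https://static.example": '<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0"/>',
}


def discover(xrd_text):
    """Return the OpenID login and sign-out end-points advertised by an XRD."""
    root = ET.fromstring(xrd_text)
    links = {}
    for link in root.findall(XRD_NS + "Link"):
        rel, href = link.get("rel"), link.get("href")
        if rel and href:
            links.setdefault(rel, href)  # first Link for a rel wins
    return {"openid": links.get(REL_OPENID_LOGIN), "signout": links.get(REL_SIGNOUT)}


class Provider:
    """Stand-in for the provider's yet-to-be-defined persona API (assumed)."""
    def __init__(self, personas):
        self.personas = list(personas)
        self.current = self.personas[0]
        self._registered = set()  # (persona, site) pairs the provider remembers

    def switch_persona(self, name):
        if name not in self.personas:
            raise ValueError("unknown persona: " + name)
        previous, self.current = self.current, name
        return previous

    def has_registered(self, site):
        return (self.current, site) in self._registered

    def register(self, site):
        self._registered.add((self.current, site))


class Toolbar:
    """Browser-side state machine for the sign-in/sign-out flow on the page."""
    def __init__(self, provider, auto_signin=True):
        self.provider = provider
        self.auto_signin = auto_signin  # the "preset": sign in silently or ask first
        self.guest_mode = False
        self.sessions = {}  # site -> (persona, signout_url) while signed in

    def visit(self, site):
        endpoints = discover(XRD_DOCS[site])
        if endpoints["openid"] is None:
            return "no-openid"
        if self.guest_mode:
            return "guest-mode"  # decided before any provider lookup leaks anything
        active = self.sessions.get(site)
        if active:  # never sign a second persona into a site still holding a session
            return "already-signed-in" if active[0] == self.provider.current else "stale-session"
        if not self.provider.has_registered(site):
            return "not-registered"  # a sign-up page would go through signup()
        if not self.auto_signin:
            return "ask"
        self.sessions[site] = (self.provider.current, endpoints["signout"])
        return "auto-signin"

    def signup(self, site):
        endpoints = discover(XRD_DOCS[site])
        if endpoints["openid"] is None or self.guest_mode:
            return False
        self.provider.register(site)  # first OpenID login doubles as registration
        self.sessions[site] = (self.provider.current, endpoints["signout"])
        return True

    def switch_persona(self, name):
        previous = self.provider.switch_persona(name)
        signed_out, stranded = [], []
        for site, (persona, signout_url) in list(self.sessions.items()):
            if persona != previous:
                continue
            if signout_url:
                signed_out.append(signout_url)  # toolbar requests sign-out here
                del self.sessions[site]
            else:
                stranded.append(site)  # no end-point to call: session lingers, warn the user
        return signed_out, stranded
```

Two edge cases the flow has to handle explicitly: a site that advertises an OpenID end-point but no sign-out end-point (shop.example above) keeps the old persona's session alive after a persona switch, which is exactly why the page wants sites to support the sign-out end-point; the toolbar reports such sites as stranded and refuses to sign a different persona into them until that session is gone. Guest mode is checked before any provider lookup, so someone borrowing the browser never learns which sites the owner has accounts on.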

It's a bit messy, but that's basically the point I originally assembled on paper and transferred here for the IIW summary :-)

The XRD discovery effort will bring this toolbar and its features closer to reality. Now we just need to finish the OpenID providers' standard API/protocol and have sites support the sign-out end-point :-)