My Ideal Identity Flow
Eran wrote this up.
Assumptions:
- The notion of Personas (even if it's just one) is available in all OpenID providers (if there is just one, it's just you)
- OpenID providers have a standard, yet to be developed, protocol/API which gives:
- List of personas (if available)
- Switch current persona
- OpenID consumers (sites) will support the XRD discovery spec to detect:
- OpenID end-point
- Signout end-point (for when I want to switch a persona and make sure I'm signed out from a site with the current persona)
Eventual Result: Have an integrated, always-aware identity toolbar that can auto sign me in to sites I've previously used with the OpenID provider. The provider will also associate a specific persona with each site I log into, so that when I switch personas it will automagically log me out of the current site with the current persona and allow me (if I want to) to register with a different persona.
Scenario(s):
- Open browser and log into the defined OpenID provider
- Go to a site
- Identity Toolbar will detect if there is an OpenID end-point (through XRD discovery)
- If there is an OpenID end-point, the toolbar will query the OpenID provider whether I've previously signed up to that site with the currently active persona
- If I did, based on a preset it will either ask me if I want to sign in or automagically sign me in by initiating an OpenID login with the OpenID end-point previously discovered
- When I switch a persona, the toolbar will request the site to sign-out
- When I access a sign-up page, the toolbar will detect that this is the sign-up end-point and will perform an OpenID login which, since this is the first time, will act as a registration flow and try to automatically register me with the details of the currently active persona.
- It would be great to have a "guest" mode: when I hand my computer to someone else to browse, it disables the auto sign-in/sign-up features so that the person currently using my computer won't gain access to my accounts.
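The scenario above is easier to reason about as code, so here is an added example (not part of Eran's write-up, and not an implementation from any OpenID provider or toolbar) that models the toolbar's decisions in memory: XRD discovery of the OpenID and sign-out end-points, the provider's persona-to-site table, auto sign-in vs. ask, sign-out on persona switch, and guest mode. It assumes the XRD 1.0 namespace and the OpenID 2.0 `server`/`signon` rel types; the sign-out rel type `REL_SIGNOUT`, the `Provider` persona API and the sample XRD document are all made up for this example, since the provider API is still to be defined. One check the write-up does not mention but a practitioner would want is included: a discovered sign-out end-point is only honoured when it is on the same origin as the site, so a document cannot make the toolbar hit arbitrary logout URLs.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD_NS = "http://docs.oasis-open.org/ns/xri/xrd-1.0"
# OpenID 2.0 rel types that identify an OpenID end-point in an XRD document
REL_OPENID = {
    "http://specs.openid.net/auth/2.0/server",
    "http://specs.openid.net/auth/2.0/signon",
}
# Hypothetical rel type for the sign-out end-point (nothing standard exists yet)
REL_SIGNOUT = "http://example.org/rel/signout"

SITE = "https://site.example"
# Constructed sample XRD: one OpenID link, one off-origin sign-out link that must
# be ignored, and one legitimate same-origin sign-out link.
SAMPLE_XRD = """<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>https://site.example/</Subject>
  <Link rel="http://specs.openid.net/auth/2.0/signon" href="https://site.example/openid"/>
  <Link rel="http://example.org/rel/signout" href="https://evil.example/logout"/>
  <Link rel="http://example.org/rel/signout" href="https://site.example/logout"/>
</XRD>"""


def same_origin(url, origin):
    a, b = urlsplit(url), urlsplit(origin)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def discover(xrd_xml, site_origin):
    """Return {'openid': url|None, 'signout': url|None} from an XRD document.
    Sign-out links on another origin are dropped (added safety check)."""
    endpoints = {"openid": None, "signout": None}
    for link in ET.fromstring(xrd_xml).iter("{%s}Link" % XRD_NS):
        rel, href = link.get("rel"), link.get("href")
        if not href:
            continue
        if rel in REL_OPENID and endpoints["openid"] is None:
            endpoints["openid"] = href
        elif rel == REL_SIGNOUT and same_origin(href, site_origin):
            endpoints["signout"] = href
    return endpoints


class Provider:
    """In-memory stand-in for the provider's persona API (hypothetical)."""

    def __init__(self, personas):
        self.personas = list(personas)
        self.current = self.personas[0]
        self.site_persona = {}  # site origin -> persona used to register there

    def switch(self, persona):
        if persona not in self.personas:
            raise ValueError("unknown persona")
        self.current = persona


class Toolbar:
    """Models the toolbar's decisions; returns action names instead of doing I/O."""

    def __init__(self, provider, auto_sign_in=True):
        self.provider = provider
        self.auto_sign_in = auto_sign_in
        self.guest_mode = False
        self.sessions = {}  # site origin -> (persona, sign-out URL or None)

    def visit(self, site_origin, xrd_xml):
        if self.guest_mode:
            return "none"  # never act on someone else's behalf
        ep = discover(xrd_xml, site_origin)
        if ep["openid"] is None:
            return "none"
        registered = self.provider.site_persona.get(site_origin)
        if registered is None:
            return "offer-register"
        if registered != self.provider.current:
            return "none"  # site belongs to another persona; do not mix them
        if not self.auto_sign_in:
            return "ask"
        self.sessions[site_origin] = (registered, ep["signout"])
        return "sign-in"

    def register(self, site_origin, xrd_xml):
        """First OpenID login at a site doubles as registration with the active persona."""
        ep = discover(xrd_xml, site_origin)
        if self.guest_mode or ep["openid"] is None:
            return "none"
        self.provider.site_persona[site_origin] = self.provider.current
        self.sessions[site_origin] = (self.provider.current, ep["signout"])
        return "register"

    def switch_persona(self, persona):
        """Switch persona; return sign-out URLs for sessions opened by the old one."""
        self.provider.switch(persona)
        to_sign_out = []
        for site, (used, signout) in list(self.sessions.items()):
            if used != persona:
                if signout:
                    to_sign_out.append(signout)
                del self.sessions[site]
        return to_sign_out


def demo():
    """Walk the scenario from the write-up and return what the toolbar decided."""
    tb = Toolbar(Provider(["work", "personal"]))
    trace = {"first_visit": tb.visit(SITE, SAMPLE_XRD)}      # offer-register
    trace["register"] = tb.register(SITE, SAMPLE_XRD)         # register as "work"
    trace["revisit"] = tb.visit(SITE, SAMPLE_XRD)             # sign-in
    trace["signouts"] = tb.switch_persona("personal")         # log out of site.example
    trace["as_personal"] = tb.visit(SITE, SAMPLE_XRD)         # none: site belongs to "work"
    tb.switch_persona("work")
    tb.guest_mode = True
    trace["guest"] = tb.visit(SITE, SAMPLE_XRD)               # none: guest mode
    return trace


if __name__ == "__main__":
    print(demo())
```

Running the module prints the trace of decisions for one site visited under two personas and then in guest mode. The real toolbar would replace the returned action names with an OpenID checkid request, a GET to the sign-out URL, or a prompt, and the `Provider` class with calls to whatever persona API gets standardised.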
It's a bit messy but that's basically the point I originally assembled on some paper and transferred here for the summary of IIW :-)
The XRD discovery effort will bring this toolbar and its features closer to reality. Now we just need to settle the OpenID providers' standard API/protocol and have sites support the sign-out end-point :-)