checkid_immediate

52 views

Skip to first unread message

todkap

unread,

Jan 24, 2008, 5:17:32 PM1/24/08

to joid-dev, tod...@us.ibm.com

I am interesting in implementing an AJAX style login process using
JOID. I found this section of the 2.0 specification

# openid.mode

Value: "checkid_immediate" or "checkid_setup"

Note: If the Relying Party wishes the end user to be able to
interact with the OP, "checkid_setup" should be used. An example of a
situation where interaction between the end user and the OP is not
desired is when the authentication request is happening asynchronously
in JavaScript.

and figured that I can use checkid_immediate versus checkid_setup (the
only one that seems to be supported in the code from what I can tell
for consumer).

Can someone provide me with some details on how the login process
would work for an AJAX style login? I know that in the more common
approach, the user is redirected to the openid provider site to
validate credentials. How are credentials passed in the
checkid_immediate case (if at all)? Is a user entering both the
openid_url and a password somewhere on the openid consumer side( this
sounds like it is against what openid is about) or is the assumption
that the user has already logged in and thus we are passing some sort
of token to the open id provider.

Hans Granqvist

unread,

Jan 29, 2008, 11:02:08 AM1/29/08

to joid...@googlegroups.com, tod...@us.ibm.com

> and figured that I can use checkid_immediate versus checkid_setup (the
> only one that seems to be supported in the code from what I can tell
> for consumer).

I believe "AuthenticationRequest.isImmediate()" lets you properly process
these requests.

>
> Can someone provide me with some details on how the login process
> would work for an AJAX style login? I know that in the more common
> approach, the user is redirected to the openid provider site to
> validate credentials. How are credentials passed in the
> checkid_immediate case (if at all)? Is a user entering both the
> openid_url and a password somewhere on the openid consumer side( this
> sounds like it is against what openid is about) or is the assumption
> that the user has already logged in and thus we are passing some sort
> of token to the open id provider.

Most commonly, the OP would use a User-Agent cookie to determine if
user has previously logged in, and whether RP is authorized as an automatic
login for the user.

Reply all

Reply to author

Forward

0 new messages