Question

Usually the user first visits the client site (like stackoverflow) and gets redirected to the OpenID Provider (OP) and gets redirected back to the client after authenticating.

Imagine now we have a portal which acts as an OP. After I log into the portal it should show links to applications. These applications are managing their logins with openID Clients. Is it possible to construct links (or redirect headers) to the application (openID client)?

Step by Step like this:

  1. Fresh Browser (old cookies etc. deleted)
  2. Visit OpenID Provider
  3. Log into OpenID Provider site.
  4. Click on a link in your profile to another website which provides an openID client mechanism
  5. You get immediately logged in without any further action from the user

Is it possible? Or do I always have to visit the openId Client first to start a session or something like this?

(if it differs from openId v1 and v2, it would be nice to hear about it)

Solution

Yes, this is possible; however, this is not a part of the OpenID specification, which doesn't talk about an IDP-initiated authentication flow. The trick is at the IDP. Let me summarize this.

There are two interactions an OP does with the user:

  1. Ask for password. (If the OP can use a cookie or a session value to remember the authenticated user, then this interaction can be skipped in later logins)

  2. Ask for the consent. That is, the user is asked to give the application permission to access user identity information. (If the OP can be configured to skip this step for a user-allowed set of applications, then this interaction can be avoided too)

So the flow will work like this:

  1. User logs into the OP (then the OP remembers the user)
  2. User clicks on an application link; the application redirects the user to the OP. (The OP skips authentication, and then the OP identifies that there is a configuration to skip the consent prompt for this application for this user, so the OP skips consent.)
  3. The OP redirects the user back to the application, logged in.
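The OP-side decision logic the answer describes, as an added Python simulation that is not part of the question or answer. It models the two skippable interactions with constructed in-memory stores (`SESSIONS`, `TRUSTED_APPS`, `REGISTERED_REALMS` and the `op.example`/`app.example` hosts are all assumptions), uses the real OpenID 2.0 parameter names, and adds the spec's rule that `openid.return_to` must lie under `openid.realm` so the OP cannot be turned into an open redirector.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed in-memory stores (assumption: a real OP keeps these in a session backend / DB).
SESSIONS = {"sid-123": "alice", "sid-456": "bob"}    # cookie value -> authenticated user
TRUSTED_APPS = {"alice": {"https://app.example/"}}   # user -> realms allowed to skip consent
REGISTERED_REALMS = {"https://app.example/"}         # realms the OP knows about

def build_checkid_request(realm, return_to, op_endpoint="https://op.example/openid"):
    """Step 2: the client application redirects the browser to the OP with checkid_setup."""
    params = {"openid.ns": "http://specs.openid.net/auth/2.0",
              "openid.mode": "checkid_setup",
              "openid.realm": realm,
              "openid.return_to": return_to}
    return f"{op_endpoint}?{urlencode(params)}"

def return_to_matches_realm(return_to, realm):
    """OpenID 2.0 requires return_to to lie under the realm; rejecting mismatches blocks open redirects."""
    r, t = urlsplit(realm), urlsplit(return_to)
    return r.scheme == t.scheme and r.netloc == t.netloc and t.path.startswith(r.path)

def op_decide(request_url, cookie_sid):
    """Return (action, redirect_url) for an incoming checkid_setup request at the OP."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(request_url).query).items()}
    realm, return_to = q.get("openid.realm", ""), q.get("openid.return_to", "")
    if realm not in REGISTERED_REALMS or not return_to_matches_realm(return_to, realm):
        return ("reject", None)
    user = SESSIONS.get(cookie_sid)
    if user is None:
        return ("prompt_login", None)       # interaction 1: no remembered session, ask for password
    if realm not in TRUSTED_APPS.get(user, set()):
        return ("prompt_consent", None)     # interaction 2: this app is not pre-approved for this user
    # Both interactions skipped: positive assertion straight back to the application (step 3).
    # Simplified: a real OP also adds op_endpoint, response_nonce, assoc_handle, signed and sig.
    assertion = {"openid.ns": "http://specs.openid.net/auth/2.0",
                 "openid.mode": "id_res",
                 "openid.claimed_id": f"https://op.example/id/{user}",
                 "openid.return_to": return_to}
    return ("redirect", f"{return_to}?{urlencode(assertion)}")
```

With a fresh browser (no cookie) the OP still has to prompt for a password, which is why the portal session from step 1 is what makes the "click and you are logged in" experience work.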
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow