OpenID: Difference between revisions

SmackBot (talk | contribs)
m Date/fix maintenance tags
M@ (talk | contribs)
Line 43:
The method of authentication may vary, but typically, an OpenID provider asks for a password (and then possibly stores the user's session using cookies, as many websites with password-based authentication do). Alice may be prompted for her password if she was not logged in on <code>openid-provider.org</code>, and then asked whether she trusts, say, <code><nowiki>http://example.com/openid-return.php</nowiki></code> - the page designated by <code>example.com</code> as the one where the user should return after completing authentication - to receive details about her identity. If she answers positively, OpenID authentication is considered successful and the browser is redirected to the designated return page with credentials given. If Alice decides not to trust the relying party site, the browser is still redirected - however, the relying party is notified that its request was rejected, so <code>example.com</code> refuses to authenticate Alice in turn.
 
However, the login process is not over yet because at this stage, <code>example.com</code> cannot decide whether the credentials received really came from <code>openid-provider.org</code>. If they had previously established a shared secret (see above), the relying party can validate the shared secret received with the credentials against the one previously stored. Such a relying party is called ''stateful'' because it stores the shared secret between sessions. In comparison, a ''stateless'' or ''dumb'' consumer must make one more background request (<code>check_authentication</code>) to ensure that the data indeed came from <code>openid-provider.org</code>.
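The stateful check described above, as an added example that is not part of the article or of any OpenID library. In the OpenID specification the secret itself is not transmitted: the provider sends an HMAC (<code>openid.sig</code>) over the fields listed in <code>openid.signed</code>, keyed with the shared secret, and the relying party recomputes it. The association handle, key and response values below are constructed, HMAC-SHA1 is assumed as the association type, and nonce/replay checks are left out.

```python
import base64, hashlib, hmac

RETURN_TO = "http://example.com/openid-return.php"
# Constructed association store: assoc_handle -> MAC key shared with the provider.
ASSOCIATIONS = {"assoc-1": b"constructed-shared-secret"}

def sign(params, mac_key):
    """Base64 HMAC-SHA1 over the signed fields in key-value form ('name:value\\n')."""
    signed = params["openid.signed"].split(",")
    kv = "".join(f"{n}:{params['openid.' + n]}\n" for n in signed).encode()
    return base64.b64encode(hmac.new(mac_key, kv, hashlib.sha1).digest()).decode()

def verify_response(params):
    """Return the verified identifier, or None if the response must be rejected."""
    if params.get("openid.mode") != "id_res":
        return None  # e.g. 'cancel': the user declined to trust the relying party
    mac_key = ASSOCIATIONS.get(params.get("openid.assoc_handle"))
    if mac_key is None:
        return None  # no stored secret: a stateless party would use check_authentication
    signed = params.get("openid.signed", "").split(",")
    # The fields the login decision rests on must be covered by the signature.
    if not {"identity", "return_to"} <= set(signed):
        return None
    if any("openid." + n not in params for n in signed):
        return None
    if params["openid.return_to"] != RETURN_TO:
        return None
    expected = sign(params, mac_key).encode()
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(expected, params.get("openid.sig", "").encode()):
        return None
    return params["openid.identity"]

def sample_response():
    """Constructed positive assertion, signed the way the provider would sign it."""
    p = {"openid.mode": "id_res",
         "openid.identity": "http://alice.openid-provider.org/",
         "openid.return_to": RETURN_TO,
         "openid.assoc_handle": "assoc-1",
         "openid.signed": "mode,identity,return_to"}
    p["openid.sig"] = sign(p, ASSOCIATIONS["assoc-1"])
    return p
```
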
 
After Alice's identifier has been verified, she is considered logged in to <code>example.com</code> as <code>alice.openid-provider.org</code>. The site may then store the session or, if this is her first logon, prompt Alice to enter some information specific to <code>example.com</code>, in order to complete registration.