If there is no token, how does OpenID maintain authorisation? Through cookies?

+1  A: 

OpenID Authentication per se does not "maintain authorization" in any way. OpenID is merely a protocol which allows a Relying Party to have an end-user prove his/her identity (or more precisely that he/she controls an Identifier) from a pool of OpenID Providers.

This said, either the relying party or the eventual OpenID provider may itself "maintain authorization" for the underlying web client using all the usual devices and tricks for that purpose, particularly cookies.
Because of such cookies/state maintained by the Relying Party, it may appear that even though one has exited (or possibly logged out of) the Relying Party's web application, he/she isn't challenged with an OpenID authentication dialog when re-opening a session with that site.
Similarly, because of cookies/state maintained by the OpenID provider, one may find that having authenticated for the purpose of getting to one given site saves authenticating for another site. This latter behavior would however imply that the "other site" readily memorized that the particular OpenID provider is the one that should be used (I think that one of the goals of OpenID is to ensure that the end-user gets to choose his/her OpenID provider for each site.)

See OpenID Authentication 2.0 specification for terminology and protocol details.

mjv
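As an added example (not part of the answer above, and not taken from any OpenID library): a minimal Relying Party that checks an OpenID 2.0 positive assertion signed under an association, then "maintains authorization" itself with its own HMAC-signed session cookie, so that later requests carrying a valid cookie skip the OpenID dialog entirely. The OP endpoint, claimed identifier, nonce, return_to URL and MAC key are constructed for the example; a real RP would obtain the MAC key through an association request and would additionally compare op_endpoint and claimed_id against what it discovered when it started the login.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed association: in OpenID 2.0 the RP and OP agree on this MAC key
# via an association request; here it is simply a fixed value for the demo.
MAC_KEY = hashlib.sha256(b"constructed-association-mac-key").digest()
ASSOC_HANDLE = "assoc-demo-1"

# Constructed positive assertion, i.e. the query parameters the OP redirects
# back with. Field names come from the OpenID Authentication 2.0 spec; the
# hostnames, identifier and nonce are hypothetical.
ASSERTION = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example.net/server",
    "openid.claimed_id": "https://alice.example.org/",
    "openid.identity": "https://alice.example.org/",
    "openid.return_to": "https://rp.example.com/openid/return",
    "openid.response_nonce": "2009-11-01T12:00:00Zabc123",
    "openid.assoc_handle": ASSOC_HANDLE,
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
}


def kv_form(params, signed):
    """Key-value form encoding of the signed fields: 'key:value\\n' per field,
    'openid.' prefix stripped, in the order given by openid.signed."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed.split(","))


def sign_assertion(params, mac_key):
    """What the OP does: base64(HMAC-SHA256(mac_key, key-value form of signed fields))."""
    msg = kv_form(params, params["openid.signed"]).encode("utf-8")
    return base64.b64encode(hmac.new(mac_key, msg, hashlib.sha256).digest()).decode("ascii")


class RelyingParty:
    def __init__(self, mac_key, assoc_handle, return_to, session_ttl=3600):
        self.mac_key = mac_key
        self.assoc_handle = assoc_handle
        self.return_to = return_to
        self.session_ttl = session_ttl
        self.seen_nonces = set()             # replay protection for response_nonce
        self.cookie_key = secrets.token_bytes(32)  # RP-local key for its own session cookies

    def verify_assertion(self, params):
        """Return the claimed identifier if the positive assertion is acceptable, else None."""
        if params.get("openid.mode") != "id_res":
            return None
        if params.get("openid.assoc_handle") != self.assoc_handle:
            return None
        if params.get("openid.return_to") != self.return_to:
            return None
        # The spec requires these fields to be covered by the signature.
        signed = params.get("openid.signed", "").split(",")
        for required in ("op_endpoint", "return_to", "response_nonce",
                         "assoc_handle", "claimed_id", "identity"):
            if required not in signed:
                return None
        expected = sign_assertion(params, self.mac_key)
        if not hmac.compare_digest(expected, params.get("openid.sig", "")):
            return None
        nonce = params["openid.response_nonce"]
        if nonce in self.seen_nonces:
            return None                      # replayed assertion
        self.seen_nonces.add(nonce)
        return params["openid.claimed_id"]

    def issue_session_cookie(self, claimed_id, now=None):
        """The RP's own login state: signed claims with an expiry, nothing OpenID-specific."""
        now = int(time.time()) if now is None else now
        payload = json.dumps({"sub": claimed_id, "exp": now + self.session_ttl}, separators=(",", ":"))
        body = base64.urlsafe_b64encode(payload.encode()).rstrip(b"=").decode()
        tag = hmac.new(self.cookie_key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{tag}"

    def user_from_cookie(self, cookie, now=None):
        """Return the logged-in identifier, or None if the cookie is forged or expired."""
        now = int(time.time()) if now is None else now
        try:
            body, tag = cookie.split(".", 1)
        except ValueError:
            return None
        expected = hmac.new(self.cookie_key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        if claims["exp"] <= now:
            return None
        return claims["sub"]


def demo():
    rp = RelyingParty(MAC_KEY, ASSOC_HANDLE, ASSERTION["openid.return_to"])
    signed = dict(ASSERTION, **{"openid.sig": sign_assertion(ASSERTION, MAC_KEY)})
    who = rp.verify_assertion(signed)        # first visit: the OpenID dialog happened
    cookie = rp.issue_session_cookie(who, now=1000)
    tampered = dict(signed, **{"openid.identity": "https://mallory.example.org/"})
    flipped = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")
    return {
        "verified": who,
        "replay_rejected": rp.verify_assertion(signed) is None,
        "tamper_rejected": rp.verify_assertion(tampered) is None,
        "cookie_user": rp.user_from_cookie(cookie, now=2000),   # later visit: no OpenID round trip
        "cookie_expired": rp.user_from_cookie(cookie, now=4600) is None,
        "cookie_tampered": rp.user_from_cookie(flipped, now=2000) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The split in `demo()` is the point of the answer: `verify_assertion` is the only OpenID step, and everything after it (issuing, validating and expiring the cookie) is ordinary session management that the RP owns and could implement in any other way.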