We might consider being a BrowserID provider for @hypothes.is. The advantage I see is that the front end flow for Persona can be easily adapted. If we implemented an IdP, it would be one way to demonstrate getting the authentication flow out of the sidebar, which would fix #339 and contribute toward #343.
@tilgovi So, in the Safari/FF default "from visited" case, an IdP would work without special whitelisting after an initial auth. If third-party cookies are blocked, though, IdP support wouldn't help you.
Persona checks if the user has an IdP session by hitting an IdP endpoint in a hidden iframe, termed the provisioning page. If you haven't visited the site in this browser before, the iframe is considered third-party, so we can't see your session cookie. The dialog would then redirect to display another IdP page, the authentication page. Once the user lands here, your IdP has been visited as a first party, and you're fine--the login will complete, and future clicks on the Persona button will be a much shorter round-trip.
I'm probably going a little fast; happy to explain more. You can read more about this flow on MDN; see the 'provisioning page' section for details.
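
The cookie behaviour described in the comment above, as an added example that is not part of the original thread: a simplified model of the provisioning check under three third-party cookie policies. The `Browser` class, the `login` function, the policy names, the cookie value and the retry of the provisioning iframe after authentication are assumptions made for illustration, not Persona's or Hypothes.is code.

```javascript
// Simplified, constructed model of the provisioning check described in the thread.
// Policies: "allow" (all third-party cookies), "from-visited" (the Safari/Firefox
// default mentioned in the thread), "block" (third-party cookies blocked).
class Browser {
  constructor(policy) {
    this.policy = policy;
    this.visitedFirstParty = new Set(); // origins loaded as a top-level page
    this.cookies = new Map();           // origin -> session cookie
  }

  // Top-level (first-party) load: cookies are always readable and writable.
  visitFirstParty(origin, setCookie) {
    this.visitedFirstParty.add(origin);
    if (setCookie) this.cookies.set(origin, setCookie);
    return this.cookies.get(origin) || null;
  }

  // Load inside a hidden iframe on another site: the policy decides visibility.
  readInIframe(origin) {
    if (this.policy === "block") return null;
    if (this.policy === "from-visited" && !this.visitedFirstParty.has(origin)) {
      return null;
    }
    return this.cookies.get(origin) || null;
  }
}

// One click on the login button. Returns the steps taken and whether the
// provisioning page could see an IdP session at the end.
function login(browser, idp) {
  const steps = ["provisioning-iframe"];
  if (browser.readInIframe(idp)) return { steps, ok: true };

  // No visible session: the dialog shows the IdP authentication page, which
  // loads as a first party and sets the session cookie (constructed value).
  steps.push("authentication-page");
  browser.visitFirstParty(idp, "session=constructed");

  // Assumption: the dialog then retries provisioning in the iframe.
  steps.push("provisioning-iframe");
  return { steps, ok: browser.readInIframe(idp) !== null };
}
```

With `"from-visited"`, the first `login` takes three steps and later ones take one; with `"block"`, the iframe never sees the session, which is the case where IdP support does not help.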
@tilgovi this is sounding more possible based on yesterday's chat. 😄
Closing. If we do this it will be a separate repo.