Cross-Domain Ajax OpenID Authentication
What is the biggest disadvantage of OpenID? The length of the process.
You have to be redirected to your openid page, log in, allow the site, and be redirected back. If you've already allowed the site, at least you only have to be redirected twice, and it's transparent. But you still leave the site you were on, and a page reload is necessary. With the rising tide of Ajax web applications, I want as few page reloads as possible.
My proposal is to extend the OpenID standards, or at least create a service, to support fully-Ajax cross-domain authentication. How can this be done?
Currently the OpenID process is sorta like this (meaning, this is the general idea, I might be off on a couple of specifics):
1) I type in my openid url in a site.
2) My openid server generates a secret and shares it with the site.
3) The site redirects me to my openid server for authentication.
4) I may need to log in, and/or "allow" my openid server to introduce me to the site.
5) My openid server shares with me (or actually my browser) the secret it shared with the site, and redirects me back to the site.
6) I'm back at the site and I've told it the same thing my openid server did, so it believes I'm who I say I am, because my openid server says so.
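Steps 2, 5 and 6 sketched in Python as an added example (not code from the original post, and not the OpenID wire format): the shared secret lets the site check a message that only ever reached it through the browser. The class, method and field names are hypothetical, chosen for the illustration.

```python
import hashlib, hmac, secrets

def sign(secret, fields):
    # MAC over sorted key:value lines (values assumed newline-free), excluding sig.
    data = "".join(f"{k}:{fields[k]}\n" for k in sorted(fields) if k != "sig")
    return hmac.new(secret, data.encode(), hashlib.sha256).hexdigest()

class Provider:
    """Stands in for 'my openid server' (steps 2 and 5)."""
    def __init__(self):
        self._secrets = {}  # association handle -> shared secret

    def associate(self):
        # Step 2: generate a secret and share it with the site.
        handle, secret = secrets.token_hex(8), secrets.token_bytes(32)
        self._secrets[handle] = secret
        return handle, secret

    def assert_identity(self, handle, identity, return_to):
        # Step 5: after login/approval, sign what the browser carries back.
        fields = {"assoc_handle": handle, "identity": identity,
                  "return_to": return_to, "nonce": secrets.token_hex(16)}
        fields["sig"] = sign(self._secrets[handle], fields)
        return fields

class Site:
    """Stands in for the site being logged into (steps 2 and 6)."""
    def __init__(self, return_to):
        self.return_to, self._assocs, self._seen = return_to, {}, set()

    def remember(self, handle, secret):
        self._assocs[handle] = secret

    def verify(self, fields):
        # Step 6: believe the browser only if the server's MAC checks out.
        secret = self._assocs.get(fields.get("assoc_handle"))
        if secret is None or "sig" not in fields:
            return False
        expected = sign(secret, fields).encode()
        if not hmac.compare_digest(expected, str(fields["sig"]).encode()):
            return False  # a field was altered in transit through the browser
        nonce = fields.get("nonce")
        if fields.get("return_to") != self.return_to or nonce in self._seen:
            return False  # issued for another site, or replayed
        self._seen.add(nonce)
        return True
```

The same check applies whether the signed fields come back through a redirect or through an Ajax response, since the site trusts the MAC rather than the transport.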
This could all be done with Ajax. BUT why isn't it done with Ajax?
Two reasons:
1) With Ajax, how do I know if I've been routed through and authenticated by my openid server?
2) If we don't leave the requesting site, it could access my openid authentication information.
Problem #1. This has already been addressed in more security-minded applications like bank websites. What is the answer? Avatars. Showing your avatar proves that you have indeed logged in with your openid site, because the openid site only provides it to an authenticated user-agent.
Problem #2. Technically that's still a problem. JavaScript in one page can access information loaded into an iframe or another window it opens. (Of course we'd be okay if everyone had a little security key like PayPal provides for $1 on request, because with a changing password we can share the password with anybody as long as we don't share how the password changes with time.) Perhaps browsers should come up with a security model that allows Ajax on site A to load content from site B, with site B requesting a restricted environment so site A can't access it. But until then, can we possibly work with trust? On my OpenID server, if it supports this Ajax authentication, it should support it only on request, per site. Then I as an openid person can say "sure, let this site authenticate me without leaving the site!" Or if I don't trust them, I'll stick with the usual more secure redirect method.
In all, perhaps you can expect an OpenID server to come out in a couple of months that supports cross-domain Ajax OpenID authentication. Register for an openid name on my site and we'll hope to have sites here and there popping up with the option for in-site authentication!