by Vendan
3522 days ago

An auto responder wouldn't have access to the user that made the request's cookies, and therefore would be unable to actually authenticate the user. You'd wind up with a system where anyone that knew your email would be able to log in as you, which is a rather bad idea.

That way, the autoresponder doesn't need to know anything about the process, nor does it authenticate the user.
It merely sends back a mail that portier can interpret as "OK, I sent an auth email there and this response means they want me to construct an OAuth link to this domain".
It's stateless and only requires a rather simple autoresponder that can include email bodies.
Furthermore, portier can also verify the login link, so that replay attacks aren't feasible and the sender and link-owner must have matching emails.
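The replay and sender-matching checks mentioned in the last sentence, written out as an added example. This is not portier's own code; it assumes a hypothetical broker at `https://broker.example`, an HMAC-signed login link carrying the email, origin, nonce and expiry, and an in-memory set of used nonces to make each link single-use.

```python
import hmac
import hashlib
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Assumption: a server-side secret held only by the broker (constructed demo value).
SECRET = b"constructed-demo-secret-do-not-reuse"
BROKER_VERIFY_URL = "https://broker.example/verify"  # hypothetical endpoint
_used_nonces = set()  # assumption: in-memory single-use store (would be shared storage in practice)


def make_login_link(email, origin, secret=SECRET, now=None, ttl=600):
    """Build a login link whose query string is bound to email, origin, a fresh nonce and an expiry."""
    now = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    exp = now + ttl
    payload = f"{email}|{origin}|{nonce}|{exp}".encode()
    sig = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    query = urlencode({"email": email, "origin": origin, "nonce": nonce, "exp": exp, "sig": sig})
    return f"{BROKER_VERIFY_URL}?{query}"


def verify_login_link(link, sender_email, secret=SECRET, now=None, used=_used_nonces):
    """Check the link the way the comment describes: untampered, unexpired, owned by the
    sender, and never seen before. Returns (ok, detail)."""
    now = time.time() if now is None else now
    q = {k: v[0] for k, v in parse_qs(urlparse(link).query).items()}
    try:
        payload = f"{q['email']}|{q['origin']}|{q['nonce']}|{q['exp']}".encode()
    except KeyError:
        return (False, "malformed link")
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison so a tampered link cannot be distinguished by timing.
    if not hmac.compare_digest(expected, q.get("sig", "")):
        return (False, "bad signature")
    if int(q["exp"]) < now:
        return (False, "expired")
    # The address that replied must be the address the link was issued to.
    if q["email"] != sender_email:
        return (False, "sender does not match link owner")
    # A nonce that has already been consumed means the link is being replayed.
    if q["nonce"] in used:
        return (False, "replay")
    used.add(q["nonce"])
    return (True, q["email"])


if __name__ == "__main__":
    link = make_login_link("alice@example.com", "https://app.example", now=1000)
    print(verify_login_link(link, "alice@example.com", now=1100))   # first use succeeds
    print(verify_login_link(link, "alice@example.com", now=1100))   # second use is a replay
```

The order of checks matters: the signature is validated before any field is trusted, so the email and nonce used for the later checks are the ones the broker actually signed.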