[Code] OpenId on no HTML user-agents

valentino miazzo valentino.miazzo at blu-labs.com
Thu Feb 4 10:17:44 UTC 2010


Hi,
thanks Chris for the links but is not clear to me how OAuth can be used
without a HTML browser.
Could you help me?

I'm a newbie an I'm reading here
http://developer.yahoo.com/oauth/guide/oauth-auth-flow.html .

At step 3, the user is asked to browse to
https://api.login.yahoo.com/oauth/v2/request_auth?oauth_token=<myreqtoken>
and the document says
<<If your application does not have access to a browser, it must provide
the User with the Yahoo! authorization page URL and Request Token, both
provided in Step 2
<http://developer.yahoo.com/oauth/guide/oauth-auth-flow.html#oauth-requesttoken>.
Your application must provide directions for your User to manually
browser to the URL and enter the provided Request Token. >>
I imagine that
https://api.login.yahoo.com/oauth/v2/request_auth?oauth_token=<myreqtoken>
will return an HTML page were the user can permit or deny the authorization.

How a device not able to render an HTML page can allow to the user to
perform that choice?
My guess is that such limited device can only suggest to use another
device (a PC) with a HTML browser.
Where I'm wrong?

Thank you,
Valentino



Chris Messina said the following on 03/02/2010 22.42:
> This really is case for using OAuth — since it was designed to take
> care of the "no-browser" use case, which OpenID is limited by.
>
> These links might help:
>
> http://developer.yahoo.com/oauth/guide/openid-oauth-guide.html
> http://hueniverse.com/oauth/
>
> Chris
>
> On Wed, Feb 3, 2010 at 6:58 AM, valentino miazzo
> <valentino.miazzo at blu-labs.com <mailto:valentino.miazzo at blu-labs.com>>
> wrote:
>
>     Hi,
>     I'm developing applications for Bluray players and I would like to add
>     OpenId compatibility of our applications.
>
>     For who don't know, a Bluray applications is a sort of applet wrote in
>     Java 1.3 using AWT for the UI.
>     You don't have a built-in HTML browser.
>     As far I can see, all the big OPs are assuming that the user-agent is
>     able to parse HTML.
>     Maybe this is not in the standard but seems to be the current de-facto
>     situation.
>
>     I see 3 solutions;
>
>     A) we embed a 100% Java HTML browser on our applications.
>     We did some tests and existing solutions are far from perfect.
>     Glitches and issues are common.
>     Not professional nor reliable.
>
>     B) we use "reverse engineering" to see how the top OP implemented
>     their
>     forms and forge the POST request by hand in the bluray application.
>     As example, for myopenid we need to reverse how these URL
>     https://www.myopenid.com/signin_submit ,
>     https://www.myopenid.com/trust_submit should be used.
>     This solution is fragile. Our application will break each time one OP
>     changes something in the POST "syntax".
>     This leads to the solution C.
>
>     C) define in the OpenId specification how OP forms use POST to login
>     and/or change trust lists.
>     This solution is the best one because it avoids the use of an HTML
>     browser and is not prone to break suddenly.
>     Off course this solution would be beneficial for any device can
>     use HTTP
>     but not HTML.
>
>     How impossible is to have such extension to the standard?
>     What are the problems?
>
>     BTW, I saw a post in the BOARD ML: "Question on implementation of
>     OAUTH/OpenID for Set-top-box".
>     It cover the same problem but the thread stops without any solution.
>
>     Thanks in advance,
>     Valentino
>     _______________________________________________
>     Code mailing list
>     Code at lists.openid.net <mailto:Code at lists.openid.net>
>     http://lists.openid.net/mailman/listinfo/openid-code
>
>
>
>
> -- 
> Chris Messina
> Open Web Advocate, Google
>
> Personal: http://factoryjoe.com
> Follow me on Twitter: http://twitter.com/chrismessina
>
> This email is:   [ ] shareable    [X] ask first   [ ] private
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-code/attachments/20100204/72162473/attachment.htm>


More information about the Code mailing list