[Code] OpenId on no HTML user-agents

Yang Zhao yang at yangman.ca
Fri Feb 5 09:45:26 UTC 2010


On 5 February 2010 00:21, valentino miazzo
<valentino.miazzo at blu-labs.com> wrote:
> We want to link our BD applications to some our web services and
> therefore we face the problem of having the user registered and logged in.
> Too much typing and the user will skip our web services.
> Typing is a barrier to enter our services.

Hm...

One of the most essential parts of a decentralized authentication
protocol is the step where the user is made to interact, directly,
with the trusted party; in this case, his or her OpenID provider.  You
simply cannot have an authentication protocol of this nature without
this, and, unfortunately, this is the one step that your environment
cannot handle elegantly.

Standardizing HTML form structure is not a sound approach either, as
it assumes the user authenticates to the OP via an HTML form.
Theoretically, this can be done using many
non-browser methods, including hardware keys and time-limited
pre-authorization.  I recall one particular implementation that
requires the user to actually log in to the web server hosting the
endpoint to approve requests.  I personally use a very long passphrase
for a custom-built OP, and having to enter that at all using a remote
would be a deterrent enough to not bother.

I've not worked with OAuth yet, so this may not be possible at all,
but one feasible implementation I can think of is to ask for a very
long-lived OAuth access token that is then stored in the BD player,
but only available when the user has unlocked it using a short
password.  Ask the user to do a one-time association with the BD
player using a browser (a la Bluetooth pairing) then each time this
token is required, ask for the password that will unlock it.  The user
retains the option to revoke the access key through whatever provided
it in the first place.  However, this assumes the user has access to
an OAuth provider that is willing to hand out such tokens.

-- 
Yang Zhao
http://yangman.ca
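The "long-lived token, unlocked by a short password" design described in the message above, as an added example that is not code from the list or from any OpenID/OAuth project: the token obtained during the one-time browser pairing is stored only in wrapped form, a PBKDF2-stretched PIN unwraps it on demand, and a wrong PIN or a tampered blob yields nothing. It is stdlib-only, so the HMAC-SHA256 counter keystream plus MAC tag is an assumed stand-in for a real AEAD; the token and PIN values are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Cost factor is an assumption for the example; raise it for real players.
PBKDF2_ITERATIONS = 200_000
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode (constructed stand-in for AES-CTR/AEAD)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _derive_keys(pin: str, salt: bytes) -> tuple:
    # PBKDF2 stretches the short PIN; its cost is what slows offline guessing
    # if the stored blob is ever lifted off the player.
    master = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS, 64)
    return master[:32], master[32:]


def wrap_token(token: str, pin: str) -> bytes:
    """Store the long-lived token so it is only usable after PIN unlock."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(pin, salt)
    plaintext = token.encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + tag + ciphertext


def unwrap_token(blob: bytes, pin: str) -> Optional[str]:
    """Return the token for the right PIN; None for a wrong PIN or tampered blob."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    tag = blob[SALT_LEN + NONCE_LEN:SALT_LEN + NONCE_LEN + TAG_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN + TAG_LEN:]
    enc_key, mac_key = _derive_keys(pin, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # wrong PIN or modified blob
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))).decode()
```

The blob is what the player persists after pairing; revocation still happens at the provider, so the wrapper only limits what a stolen player or disk image yields.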
