[Code] OpenId on no HTML user-agents

valentino miazzo valentino.miazzo at blu-labs.com
Wed Feb 17 17:55:40 UTC 2010


Hi all,

For Russel:
<<What you seem to have missed is that the trust model of OpenID is
*explicitly* built upon the assumption that the end user *never*
provides their credentials to the relying party (your set top box, in
this case).>>
Now I can understand why the "OpenID ecosystem" can be reluctant to
support this use case.
I can only point out there is a small difference for a user in trusting:
1- a web browser built into a PS3 (it cannot be substituted with
another trusted one)
2- a Facebook gadget built into a mobile phone from Sony-Ericsson
3- a rich application burned onto a Blu-ray disc from Sony Pictures
In any case the user has trust that Sony will not leak the credentials
typed in those "systems".
Cases 1 and 2 are already happening, so why not leave the user the
freedom to choose whether or not to trust the company that produced the BD disc?
Anyway, thank you Russel for the "philosophical" POV.
Note: I put Sony here just because it was a nice example. It can be any
other company.

For Allen and Andrew,
Thanks for the OAuth WRAP hint.
Just one clarification: it looks like something better can be obtained using
just OpenID; please correct me.
1- The rich application is in the OpenID trust list of the user.
2- The user is using the rich application and chooses to log in using
OpenID.
3- The rich application requests authentication from the OP.
4- If the user is already logged in to OpenID, then the authentication is done.
5- If the user is not logged in to OpenID, then the rich application asks
him to do it via an HTML browser and press "continue" when done (go to 3).
It seems possible to avoid typing the request token in the HTML
browser.
Is that correct?
What are the pros of OAuth WRAP in this case?

Thank you again,
Valentino
