[OpenID] OpenID for desktop network clients

Pat Patterson Andrew.Patterson at Sun.COM
Tue Mar 20 19:45:14 PDT 2007


Troy Benjegerdes wrote:
> On Tue, Mar 20, 2007 at 06:36:26PM -0700, Gabe Wachob wrote:
>   
>> I blogged an idea that I implemented to allow a user to authenticate to a
>> desktop client for a "network app" (think  of an IM client) - the idea is to
>> present an openid to a desktop client and then have it, in concert with the
>> server-side component of the app, use normal OpenID authentication through
>> the user's browser to authenticate the user to both the server side and to
>> the desktop client: 
>>
>>  
>>
>> http://blog.wachob.com/2007/03/openid_for_desk.html
>>
>>  
>>
>> I have a basic implementation - looking for holes in the idea. Probably not
>> a novel idea, but I didn't recall seeing any write-up or implementation of
>> this anywhere. 
>>     
> I guess I don't understand why you'd want to do this.... OpenID seems
> very http-centric, and if you are talking about desktop apps, you would
> be better served by something like SASL, or the kind of stuff that
> happens under the hood in an MS active directory domain with Kerberos.
>
> What I like is having several computers that can all authenticate to a
> kerberos server and get access to my files and home directory.. this
> covers the desktop side. What's missing for me is being able to
> automagically be logged into my openid server once I am logged into my
> desktop environment.
>   
Which is /exactly/ what you can do with OpenSSO 
(https://opensso.dev.java.net/) and its new OP extension 
(https://opensso.dev.java.net/source/browse/opensso/extensions/openid/README?view=markup). 
Just configure OpenSSO for Windows Desktop SSO authentication (i.e. 
SPNEGO/Kerberos - it also works with Solaris, Linux & Mac, but Windows 
is the most common use case) and OpenID.

When an RP redirects the browser to the OP, the OP will do SPNEGO, 
soliciting a Kerberos token from the desktop OS via the browser, 
silently authenticating the user and sending them back to the RP.
> Or let's take the case of a mac user.. They log into their macbook,
> which unlocks the OSX Keychain, which handles most OSX applications
> nicely. The keychain should then know something about coordinating with
> the browser to be able to auto-fill in openid web forms.
>   
Client certificate authentication would work also.
> I guess the point I'm trying to make is that while you want an
> integrated single sign-on environment that openid is part of, extending
> it to the desktop seems like putting a square peg in a round hole,
> especially since there are so many other solutions on the desktop. 
>   
Agreed.

Cheers,

Pat
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>   


-- 
Pat Patterson - pat.patterson at sun.com
Federation Architect,
Sun Microsystems, Inc.
http://blogs.sun.com/superpat

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://openid.net/pipermail/general/attachments/20070320/8407c758/attachment.htm 


More information about the general mailing list