Authentication Protocols for Non-browser Apps

Martin Atkins mart at degeneration.co.uk
Tue Apr 10 06:48:23 UTC 2007


Gabe Wachob wrote:
> Hi Mart-
> 	I'm trying to figure out if what you are proposing covers the same
> use case that I discussed at
> http://openid.net/pipermail/general/2007-March/002005.html
> 	I'm not clear actually what you are trying to do with HTTP
> Authentication, and it may be completely unrelated to my use case, or it
> could be squarely in the same place. 
> 	In your proposal, is there any interaction with a user? If so, when?
> All I see is that the "caller" sends a signature with the authenticated
> request. Is this implying that the "caller" performs some function with the
> OP to generate this signature? How does this happen? Can I use an existing
> OP with my URL or XRI to generate this signature? If so, how? 
> 

The HTTP authentication bit does not specify how the signature is 
obtained. This is because when some application service is 
authenticating as itself it can maintain its own associations and 
generate its own signature without the indirection.

Where the Signature Request Protocol comes in is making this protocol 
applicable to user authentication as well. Unfortunately, it *does* 
require the OP to support an additional protocol mode where the user is 
authenticated using HTTP authentication (or some other 
machine-interpretable authentication) rather than HTML forms and 
redirections.

The flow I'm expecting for the latter is, to take the Last.fm client[1] 
as an example, that the user will enter an identifier URI into the 
preferences dialog where currently a username/password is entered. When 
the client-side app needs to make a request, it'll first do an 
unauthenticated request and see what HTTP authentication mechanisms are 
supported, and then prompt the user for appropriate credentials.

In the future, I'm hoping that the signature-fetching steps will be 
replaced with "call into an installed system service which will prompt 
the user to release a signature", thus avoiding the need for the user to 
give up the credentials to the client app and allowing the user to 
approve each application, as is often done with a desktop firewall.

[1] http://www.last.fm/tools/downloads/
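As an added illustration of the flow sketched above (this is not code from the post or from any OpenID implementation): the client issues an unauthenticated request, parses the WWW-Authenticate challenges the service returns to see which mechanisms it offers, and then signs the real request with a secret it holds from an association. The post leaves the signature format open, so the `OpenID` scheme name, the HMAC-SHA256 construction, the `identifier`/`assoc_handle`/`nonce`/`sig` parameter names and every sample value below are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import re
import secrets
from typing import Dict, List, Optional, Tuple

# --- Step 1: discovery. Parse a WWW-Authenticate header (RFC 7235 grammar) that
# may carry several challenges, so the client learns which mechanisms the
# service supports before it prompts the user for anything.
_TOKEN = r"[A-Za-z0-9!#$%&'*+\-.^_`|~]+"
_SCHEME_RE = re.compile(r"^(" + _TOKEN + r")(?:\s+(.*))?$")          # 'Scheme [auth-param]'
_PARAM_RE = re.compile(r"^(" + _TOKEN + r')=(?:"([^"]*)"|(' + _TOKEN + r"))$")  # name=value


def _split_commas(value: str) -> List[str]:
    """Split on commas that are not inside a quoted-string."""
    parts, cur, in_quote = [], [], False
    for ch in value:
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def parse_challenges(header: str) -> List[Tuple[str, Dict[str, str]]]:
    """Return [(scheme, {param: value}), ...] in server order. token68 blobs are not handled."""
    challenges: List[Tuple[str, Dict[str, str]]] = []
    for piece in _split_commas(header):
        piece = re.sub(r"\s*=\s*", "=", piece)      # tolerate 'realm = "x"'
        m = _SCHEME_RE.match(piece)
        if m:                                       # a token not followed by '=' opens a new challenge
            challenges.append((m.group(1).lower(), {}))
            if m.group(2) is None:
                continue
            piece = m.group(2)
        if not challenges:
            raise ValueError("auth-param before any scheme: %r" % piece)
        pm = _PARAM_RE.match(piece)
        if not pm:
            raise ValueError("malformed auth-param: %r" % piece)
        value = pm.group(2) if pm.group(2) is not None else pm.group(3)
        challenges[-1][1][pm.group(1).lower()] = value
    return challenges


def choose_scheme(challenges, preference: List[str]) -> Optional[Tuple[str, Dict[str, str]]]:
    """Pick the first mechanism in the client's preference order that the server offers."""
    offered = {scheme: params for scheme, params in challenges}
    for want in preference:
        if want.lower() in offered:
            return want.lower(), offered[want.lower()]
    return None


# --- Step 2: the signed request. Assumed construction: HMAC-SHA256 over method,
# path, identifier, association handle and a fresh nonce, keyed by the
# association secret the caller already holds (no user interaction needed).
def _string_to_sign(method: str, path: str, identifier: str, handle: str, nonce: str) -> bytes:
    return "\n".join([method.upper(), path, identifier, handle, nonce]).encode()


def sign_request(method: str, path: str, identifier: str, handle: str,
                 secret: bytes, nonce: Optional[str] = None) -> str:
    """Build the (hypothetical) Authorization header value for one request."""
    nonce = nonce or secrets.token_urlsafe(16)
    mac = hmac.new(secret, _string_to_sign(method, path, identifier, handle, nonce), hashlib.sha256).digest()
    sig = base64.b64encode(mac).decode()
    return 'OpenID identifier="%s", assoc_handle="%s", nonce="%s", sig="%s"' % (identifier, handle, nonce, sig)


class Verifier:
    """Service side: associations map handle -> secret; each nonce is accepted once."""

    def __init__(self, associations: Dict[str, bytes]):
        self.associations = associations
        self.seen_nonces = set()

    def verify(self, method: str, path: str, authorization: str) -> bool:
        ch = parse_challenges(authorization)        # same credentials grammar as a challenge
        if len(ch) != 1 or ch[0][0] != "openid":
            return False
        p = ch[0][1]
        try:
            identifier, handle, nonce, sig = p["identifier"], p["assoc_handle"], p["nonce"], p["sig"]
        except KeyError:
            return False
        secret = self.associations.get(handle)
        if secret is None or nonce in self.seen_nonces:  # unknown association or replay
            return False
        mac = hmac.new(secret, _string_to_sign(method, path, identifier, handle, nonce), hashlib.sha256).digest()
        if not hmac.compare_digest(base64.b64encode(mac).decode(), sig):
            return False
        self.seen_nonces.add(nonce)
        return True
```

The point of the discovery step is that the client never asks the user for anything until it knows what the service accepts: if the 401 lists only `Basic`, the user is asked for a password; if it lists the signature scheme, the client can sign with its association and leave the user out of the loop entirely. Binding the method and path into the signed string, and rejecting reused nonces, is what stops a captured `Authorization` header from being replayed against a different resource.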
