[OpenID] Using OpenID outside of the browser

Martin Atkins mart at degeneration.co.uk
Mon Apr 30 07:25:25 UTC 2007


Brendan Taylor wrote:
> On Sun, Apr 29, 2007 at 06:23:20PM -0700, Gabe Wachob wrote:
>> I'm not sure if what I discussed earlier on this list and on my blog matches
>> your requirements, but you might find it of interest:
>>
>> http://blog.wachob.com/2007/03/openid_for_desk.html
> 
> The problem (in my case) with this approach is that the client needs to
> know ahead of time that it needs to identify itself via OpenID.
> 
> Looking a bit more closely, I see that there is a specification that
> describes exactly what I'm looking for[1]. How widespread is OP support
> for the Signature Request Protocol?
> 
> 1: <http://openid.net/wiki/index.php/OpenID_HTTP_Authentication>
> 

I guess somewhere along the line those pages lost their "This is a draft 
proposal" indicators.

To answer your question, it's not there at all yet. :)

However, HTTP Authentication + Signature Request Protocol are my 
proposal for how to solve several non-browser authentication scenarios:

  * Service/application authenticates to endpoint as itself. (For 
example, to send a notification message via "Send a Message" protocol.)
  * Web-based service authenticates as the user. (For example, a 
web-based RSS aggregator collecting entries from a protected feed.)
  * Desktop application authenticates as the user. (Your example.)

As far as implementation goes, I'm imagining a single application 
running on the user's machine acting as a "proxy" of sorts for other 
applications to request authentication from. Where possible, this should 
integrate with the operating system's existing authentication APIs, 
though I've not yet investigated just how integrated it can get. :)

I've written more about this on my blog[1].

The main drawback of this approach is that it requires a change to 
OpenID Providers to support the signature request protocol, but to my 
mind the simplicity of just using HTTP-style authentication, thus 
allowing existing HTTP-based protocols such as AtomAPI to be used "for 
free", is worth it. Signature Request Protocol could potentially also be 
used with SASL auth and other such schemes in the future.


[1] http://www.apparently.me.uk/8317.html


