[OpenID] Using OpenID outside of the browser

Brendan Taylor whateley at gmail.com
Mon Apr 30 13:55:41 UTC 2007


On Mon, Apr 30, 2007 at 08:25:25AM +0100, Martin Atkins wrote:
> Brendan Taylor wrote:
> > Looking a bit more closely, I see that there is a specification that
> > describes exactly what I'm looking for[1]. How widespread is OP support
> > for the Signature Request Protocol?
> > 
> > 1: <http://openid.net/wiki/index.php/OpenID_HTTP_Authentication>
> 
> I guess somewhere along the line those pages lost their "This is a draft 
> proposal" indicators.
> 
> To answer your question, it's not there at all yet. :)

Ah. I was afraid that was the answer.

So given that clients and RPs need to implement something new
anyways, but we can't depend on anything special at the OP, I'm looking
at an extension of Gabe's procedure:

1. Client makes a request
2. RP responds:

  401 Unauthorized
  WWW-Authenticate: LazyOpenID realm="some realm" nonce_url="http://example.org/abcdef"

3. Client sends the user to nonce_url
4. User goes through the normal OpenID process
5. User tells the client he's authenticated
6. Client repeats the request with an additional header:

  Authenticate: LazyOpenID nonce_url="http://example.org/abcdef"

7. Request succeeds.

I don't like this solution. I would much prefer to use OpenID HTTP
Authentication, but in its absence is this worth pursuing? (with a
proper specification, etc.)
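
The seven steps above from the relying party's side, as an added example that is not part of the original post or of any OpenID specification. The class and function names, the random nonce, its single-use handling and the 300-second lifetime are assumptions; the post specifies only the two header formats.

```python
import re
import secrets
import time

NONCE_TTL = 300  # seconds; assumed lifetime, the post specifies none
_HEADER = re.compile(r'^LazyOpenID\s+nonce_url="([^"]+)"$')


class LazyOpenIDRP:
    """Relying-party side of the seven steps (hypothetical helper)."""

    def __init__(self, base="http://example.org/", realm="some realm", clock=time.time):
        self.base, self.realm, self.clock = base, realm, clock
        self.pending = {}  # nonce_url -> {"issued": time, "identity": None or str}

    def challenge(self):
        # Step 2: answer an unauthenticated request with a fresh, unguessable nonce_url.
        url = self.base + secrets.token_urlsafe(16)
        self.pending[url] = {"issued": self.clock(), "identity": None}
        value = f'LazyOpenID realm="{self.realm}" nonce_url="{url}"'
        return 401, {"WWW-Authenticate": value}

    def openid_completed(self, nonce_url, identity):
        # Step 4: called once the normal OpenID flow started at nonce_url verified `identity`.
        entry = self.pending.get(nonce_url)
        if entry is None:
            return False
        entry["identity"] = identity
        return True

    def authorize(self, authenticate_header):
        # Step 6: the client repeats the request with "Authenticate: LazyOpenID nonce_url=...".
        m = _HEADER.match(authenticate_header.strip())
        if not m:
            return None
        entry = self.pending.get(m.group(1))
        if entry is None or entry["identity"] is None:
            return None  # unknown nonce, or the user never finished the OpenID process
        del self.pending[m.group(1)]  # single use: a replayed header is rejected
        if self.clock() - entry["issued"] > NONCE_TTL:
            return None  # nonce expired before the client came back
        return entry["identity"]


def nonce_url_from_challenge(headers):
    # Client side of step 3: pull nonce_url out of the 401 response.
    m = re.search(r'nonce_url="([^"]+)"', headers["WWW-Authenticate"])
    return m.group(1) if m else None
```

In this sketch the nonce_url is the only credential the client presents in step 6, so the RP treats it as a bearer secret: random, short-lived and consumed on first successful use.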