[OpenID] Using OpenID outside of the browser
Martin Atkins
mart at degeneration.co.uk
Mon Apr 30 17:56:26 UTC 2007
Brendan Taylor wrote:
>
> 1. Client makes a request
> 2. RP responds:
>
> 401 Unauthorized
> WWW-Authenticate: LazyOpenID realm="some realm" nonce_url="http://example.org/abcdef"
>
> 3. Client sends the user to nonce_url
> 4. User goes through the normal OpenID process
> 5. User tells the client he's authenticated
> 6. Client repeats the request with an additional header:
>
> Authenticate: LazyOpenID nonce_url="http://example.org/abcdef"
>
> 7. Request succeeds.
>
Surely in Step 6 the client needs to include some kind of token (i.e.
the signature) to prove that it has permission?
How about this, very slightly altered, approach?
* Client Makes Request
* RP responds in much the same way as in your example
* Client opens browser to the URL
* User goes through normal OpenID process
* The web-based bit then says "Copy and paste the following gibberish
into the dialog box that the client app opened: 02841yf19u3n49fj124"
* The client repeats the request with that gibberish token in the
Authenticate header, which matches up to some kind of "permission" token
on the server.
This is a bit lame from a UI perspective, but it seems that it could
work from a technical perspective.
This only helps the "desktop client authenticating as user" case, but I
understand that this is all you're trying to solve. :)
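The exchange Martin sketches (challenge with a nonce_url, out-of-band OpenID login in a browser, then a retry carrying a pasted token that the RP matches against its own record), modelled below as an added example; it is not code from this thread or from any OpenID library. Both the relying party and the web-side completion step live in one process so it runs offline. The header grammar, the "token" parameter name, the token lifetime, the base of nonce_url and the sample identity URL are all assumptions; the header name "Authenticate" is kept as the thread uses it. The example also shows the point raised in the reply: a retry that carries only the nonce_url, with no token, is not accepted.

```python
import hmac
import re
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Scheme and realm as written in the thread; everything else here is assumed.
SCHEME = "LazyOpenID"
REALM = "some realm"
NONCE_BASE = "http://example.org/"   # assumed base for nonce_url
TOKEN_TTL = 300                      # seconds; assumed lifetime of a permission token

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_params(value: str) -> dict:
    """Parse key="value" pairs from a LazyOpenID header (assumed grammar)."""
    return dict(_PARAM_RE.findall(value))


@dataclass
class Pending:
    created: float
    token: Optional[str] = None      # the "gibberish" the user pastes, set after the web flow
    identity: Optional[str] = None   # OpenID identifier proved in the browser


class RelyingParty:
    def __init__(self, now=time.time):
        self._now = now
        self._pending: dict = {}

    def challenge(self):
        """Step 2: 401 with a fresh, unguessable nonce_url."""
        nonce = secrets.token_urlsafe(16)
        self._pending[nonce] = Pending(created=self._now())
        header = f'{SCHEME} realm="{REALM}" nonce_url="{NONCE_BASE}{nonce}"'
        return 401, {"WWW-Authenticate": header}

    def complete_web_login(self, nonce_url: str, identity: str) -> str:
        """Web-side step: called once the normal OpenID flow has succeeded.
        Returns the token the user copies into the client app. A nonce can be
        completed only once, so a second browser completion cannot hijack it."""
        pending = self._pending.get(nonce_url.removeprefix(NONCE_BASE))
        if pending is None or pending.token is not None:
            raise ValueError("unknown or already-completed nonce")
        pending.token = secrets.token_urlsafe(24)
        pending.identity = identity
        return pending.token

    def handle(self, headers: dict):
        """Steps 6/7: the client's retry. Anything that does not carry a
        matching, unexpired token gets a fresh challenge."""
        auth = headers.get("Authenticate", "")
        if not auth.startswith(SCHEME + " "):
            return self.challenge()
        params = parse_params(auth[len(SCHEME) + 1:])
        nonce = params.get("nonce_url", "").removeprefix(NONCE_BASE)
        token = params.get("token")
        pending = self._pending.get(nonce)
        # nonce_url alone proves nothing: the web flow must have issued a token
        if pending is None or pending.token is None or token is None:
            return self.challenge()
        if self._now() - pending.created > TOKEN_TTL:
            del self._pending[nonce]
            return self.challenge()
        if not hmac.compare_digest(pending.token, token):  # constant-time compare
            return self.challenge()
        return 200, {"X-Authenticated-As": pending.identity}


def demo():
    """Run the whole exchange with a constructed identity; returns the final status."""
    rp = RelyingParty()
    status, hdrs = rp.handle({})                       # step 1/2: unauthenticated request
    nonce_url = parse_params(hdrs["WWW-Authenticate"])["nonce_url"]
    # steps 3-5 happen in the browser; here we just complete them directly
    token = rp.complete_web_login(nonce_url, "http://alice.example/")  # constructed identity
    status, hdrs = rp.handle(
        {"Authenticate": f'{SCHEME} nonce_url="{nonce_url}" token="{token}"'})
    return status, hdrs.get("X-Authenticated-As")


if __name__ == "__main__":
    print(demo())
```

The token is kept valid until it expires rather than consumed on first use, because the client will keep making requests with it; the nonce itself, by contrast, can be completed only once in the browser. In a real deployment the token would be tied to a session store and revocable, and the client would send it over HTTPS only.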