[OpenID] Using OpenID outside of the browser
Gabe Wachob
gabe.wachob at amsoft.net
Mon Apr 30 18:07:01 UTC 2007
I'm a bit confused how this differs from what I proposed at [1], except the
requirement of using a WWW-Authenticate header instead of leaving it up to
the desktop app and server-side component.
I get the sense there's a core idea here that we're all circling around, but
not using the same words to describe... basically it's the association of a
client-server 'session' (via a token - either a cookie or www-authenticate
header) with a browser HTTP session that has been OpenID-authenticated.
This association is performed either with HTTP on the desktop (in my
proposal) or via cut-n-paste of a token (in the proposal described in the
email below). I think those are just variations on a theme, if I'm
understanding what's being discussed.
-Gabe
[1] http://blog.wachob.com/2007/03/openid_for_desk.html
> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Martin Atkins
> Sent: Monday, April 30, 2007 10:56 AM
> To: general at openid.net
> Subject: Re: [OpenID] Using OpenID outside of the browser
>
> Brendan Taylor wrote:
> >
> > 1. Client makes a request
> > 2. RP responds:
> >
> > 401 Unauthorized
> > WWW-Authenticate: LazyOpenID realm="some realm"
> nonce_url="http://example.org/abcdef"
> >
> > 3. Client sends the user to nonce_url
> > 4. User goes through the normal OpenID process
> > 5. User tells the client he's authenticated
> > 6. Client repeats the request with an additional header:
> >
> > Authenticate: LazyOpenID nonce_url="http://example.org/abcdef"
> >
> > 7. Request succeeds.
> >
>
> Surely in Step 6 the client needs to include some kind of token (i.e.
> the signature) to prove that it has permission?
>
> How about this, very slightly altered, approach?
>
> * Client Makes Request
> * RP responds in much the same way as in your example
> * Client opens browser to the URL
> * User goes through normal OpenID process
> * The web-based bit then says "Copy and paste the following gibberish
> into the dialog box that the client app opened: 02841yf19u3n49fj124"
> * The client repeats the request with that gibberish token in the
> Authenticate header, which matches up to some kind of "permission" token
> on the server.
>
> This is a bit lame from a UI perspective, but it seems that it could
> work from a technical perspective.
>
> This only helps the "desktop client authenticating as user" case, but I
> understand that this is all you're trying to solve. :)
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
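The exchange sketched in the thread, written out end to end as an added example (this is not code from the thread, from the list participants, or from any OpenID library). It models the relying party (RP) side: the `401` challenge carrying `nonce_url`, the browser-side OpenID completion (simulated by a direct call), the copy-pasted permission token Martin asks for, and the repeated request. Assumptions not fixed by the thread: the client sends the standard `Authorization` request header (the thread writes `Authenticate`), the token travels in a `token` parameter, tokens are single-use and time-limited, and `http://alice.example.com/` is a constructed OpenID identifier.

```python
import hmac
import re
import secrets
import time
from dataclasses import dataclass
from typing import Optional

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_auth(header: str) -> dict:
    """Parse 'LazyOpenID k="v" k2="v2"' into {'scheme': 'LazyOpenID', 'k': 'v', ...}."""
    scheme, _, rest = header.strip().partition(" ")
    params = dict(_PARAM_RE.findall(rest))
    params["scheme"] = scheme
    return params


@dataclass
class PendingLogin:
    nonce: str
    created: float
    authenticated_as: Optional[str] = None  # OpenID identifier once the browser flow finishes
    token: Optional[str] = None             # permission token issued at that point
    consumed: bool = False                  # single-use: a replayed token is refused


class LazyOpenIDRelyingParty:
    """Toy RP gating a resource behind the thread's 'LazyOpenID' challenge (assumed design)."""

    def __init__(self, base_url: str = "http://example.org", ttl: float = 300.0):
        self.base_url = base_url
        self.ttl = ttl                       # seconds a nonce stays valid
        self.pending: dict = {}              # nonce -> PendingLogin

    def handle(self, headers: dict, now: Optional[float] = None):
        """Return (status, response_headers, body) for a client request."""
        now = time.time() if now is None else now
        auth = headers.get("Authorization")
        if auth is not None:
            ok, ident = self._verify(auth, now)
            if ok:
                return 200, {}, f"hello {ident}"
        return self._challenge(now)

    def _challenge(self, now: float):
        # Step 2: fresh unguessable nonce bound to this client/session attempt.
        nonce = secrets.token_urlsafe(16)
        self.pending[nonce] = PendingLogin(nonce=nonce, created=now)
        nonce_url = f"{self.base_url}/{nonce}"
        hdr = f'LazyOpenID realm="some realm" nonce_url="{nonce_url}"'
        return 401, {"WWW-Authenticate": hdr}, ""

    def complete_browser_login(self, nonce_url: str, openid_identifier: str) -> Optional[str]:
        """Steps 3-5: the user finished OpenID at nonce_url in the browser (simulated).
        The RP binds the verified identifier to the nonce and mints the token the
        web page shows for copy-paste into the desktop client."""
        nonce = nonce_url.rsplit("/", 1)[-1]
        p = self.pending.get(nonce)
        if p is None or p.authenticated_as is not None:
            return None  # unknown nonce, or already claimed
        p.authenticated_as = openid_identifier
        p.token = secrets.token_urlsafe(24)
        return p.token

    def _verify(self, auth_header: str, now: float):
        """Step 6: the nonce alone proves nothing; the token must match, be unexpired and unused."""
        params = parse_auth(auth_header)
        if params.get("scheme") != "LazyOpenID":
            return False, None
        nonce = params.get("nonce_url", "").rsplit("/", 1)[-1]
        p = self.pending.get(nonce)
        if p is None or p.authenticated_as is None or p.consumed:
            return False, None
        if now - p.created > self.ttl:
            del self.pending[nonce]
            return False, None
        presented = params.get("token", "")
        if not hmac.compare_digest(presented.encode(), p.token.encode()):
            return False, None
        p.consumed = True
        return True, p.authenticated_as


def demo() -> dict:
    """Run the whole exchange once and report the status codes each request gets."""
    rp = LazyOpenIDRelyingParty()
    status, hdrs, _ = rp.handle({})                                  # step 1-2
    nonce_url = parse_auth(hdrs["WWW-Authenticate"])["nonce_url"]
    nonce_only, _, _ = rp.handle(                                    # Martin's objection
        {"Authorization": f'LazyOpenID nonce_url="{nonce_url}"'})
    token = rp.complete_browser_login(nonce_url, "http://alice.example.com/")  # constructed id
    good, _, body = rp.handle(                                       # step 6-7
        {"Authorization": f'LazyOpenID nonce_url="{nonce_url}" token="{token}"'})
    replay, _, _ = rp.handle(
        {"Authorization": f'LazyOpenID nonce_url="{nonce_url}" token="{token}"'})
    return {"challenge": status, "nonce_only": nonce_only,
            "with_token": good, "body": body, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

The RP never trusts `nonce_url` by itself: anyone who saw the `401` (it is sent before any authentication) could replay it, which is exactly the hole Martin points out in step 6. The token is what ties the desktop request to the browser session that actually completed OpenID, and making it single-use and short-lived limits what a captured copy-paste value is worth.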