[OpenID] Using OpenID outside of the browser

Martin Atkins mart at degeneration.co.uk
Mon Apr 30 18:25:53 UTC 2007


Gabe Wachob wrote:
> I'm a bit confused how this differs from what I proposed at [1], except the
> requirement of using a WWW_Authenticate header instead of leaving it up to
> the desktop app and server-side component. 
> 
> I get the sense there's a core idea here that we're all circling around, but
> not using the same words to describe... basically it's the association of a
> client-server 'session' (via a token - either a cookie or www-authenticate
> header) with a browser HTTP session that has been OpenID-authenticated.
> This association is performed either with HTTP on the desktop (in my
> proposal) or via cut-n-paste of a token (in the proposal described in the
> email below). I think those are just variations on a theme, if I'm
> understanding what's being discussed. 
> 

It seems that when I scanned through your proposal this morning I 
misunderstood what was going on. I had it in my head that the client app 
was communicating directly with the OP.

Having pondered this a bit, I understand what I missed in Brendan's
proposal. I guess his "abcdef" is an identifier for the request, so that 
when it's repeated later the server can match that with the fact that an 
authentication request succeeded at that URL.

I think having a button to press when authentication succeeds is 
preferable to requiring the client to open a listen port, since that can 
be troublesome for people who use NAT and for people on networks they do 
not control, such as university/company networks.

I think a solution that does not require a browser would be nicest, but 
I'm willing to concede that getting OPs to support something like 
Signature Request Protocol would be tricky and that this approach is 
much easier to bootstrap.
