[OpenID] OpenID Exchange

Dick Hardt dick at sxip.com
Tue Jan 16 07:01:36 UTC 2007

Hi Martin, below I have described the exchange in my own words, would  
you clarify any misconceptions?

1) User navigates to Client site
2) Client site redirects user to Server site with request
3) Server asks user if it is ok for Client to call Server
4) user gives permission
5) Server redirects user to Client with one-time URL
6) Client sends message to Server at one-time URL


a) using the URL as the token is an interesting concept
a) the Server can interact with the user and have other access  
policies to the URL such as use for next 24 hours use once but within  
5 minutes etc.
c) this has nothing to do with OpenID. :) -- the user could  
authenticate to the server using any method.
d) requires the server to present a UX to the user

How am I doing on grocking?

-- Dick

On 15-Jan-07, at 11:07 AM, Martin Atkins wrote:

> Simon Willison wrote:
>> On 15 Jan 2007, at 08:08, Martin Atkins wrote:
>>> OpenID Exchange[1] is a protocol for doing arbitrary HTTP requests
>>> between two sites where the caller acts on behalf of the user and  
>>> the
>>> user gives that caller a one-time permission to perform the action.
>> So it's basically a spec for doing with OpenID the kind of things
>> that Flickr's authentication API does? i.e. a mechanism for letting a
>> third party application make API calls on your behalf without having
>> to give them your full authentication details?
>> http://flickr.com/services/api/auth.spec.html
> After having a quick look at that I'd say yes, it is very similar.
> They could in theory implement their "login link" thing over OpenID
> Exchange, and then proceed as normal with the returned "frob".
> However, I'm more interested in generic, multi-platform APIs that  
> allow
> a loosely-coupled client and server, however. The "Post to my Weblog"
> service is intended so that in theory any random site can post to any
> random weblog — regardless of weblog platform[1] — without  
> needing any
> pre-existing relationship nor any of this "API Key" nonsense.
> --------
> [1] Of course, the weblog platform will need to implement the "Post to
> my weblog" protocol!
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general

More information about the general mailing list