[OpenID] OpenID Exchange

Martin Atkins mart at degeneration.co.uk
Wed Jan 17 08:03:09 UTC 2007

John Panzer wrote:
> John Panzer wrote:
>> ...
>> I can't find the reference for OpenID Exchange, though -- is there
> Sorry for the spastic email.  But I do have a followup regarding the 
> reference:
> http://openid.net/wiki/index.php/OpenID_Exchange_1.0
>> Some servers/frameworks do not allow applications access to the 
>> Authorization header
> I hope there are no frameworks which block access to Authorization; but 
> if there are servers, or environments, which want to lock down 
> authentication/authorization, how would the server administrators react 
> to a protocol which tunnels around that block?  Or is this a case where 
> the default setting blocks access to the header for some reason?

That is mainly referring to the fact that CGI scripts under Apache don't 
have any access to that header. This is much the same reason why WSSE 
authentication was developed.

 > > [1] Of course, the weblog platform will need to implement the "Post
 > > to my weblog" protocol!
 > There is such a protocol, which currently relies on HTTP
 > authentication schemes because there's nothing both open and standard
 > sitting out there to use:
 > [reference to AtomPub protocol]
 > Perhaps this is simply a matter of filling in the gaps?

I already specced out a rough draft protocol for this here:

(I should probably have linked to that by now. Sorry!)

You will note that I'm already borrowing quite heavily from the POST 
method in the AtomPub API. :)

Of course, the only implementation of this so far is my half-finished 
endpoint implementation for LiveJournal, which re-uses parts of their 
AtomAPI implementation. My existing demo just used a very simple 
protocol based on application/www-form-urlencoded for simplicity's sake.

More information about the general mailing list