[OpenID] OpenID for desktop network clients
Andrew.Patterson at Sun.COM
Tue Mar 20 19:45:14 PDT 2007
Troy Benjegerdes wrote:
> On Tue, Mar 20, 2007 at 06:36:26PM -0700, Gabe Wachob wrote:
>> I blogged an idea that I implemented to allow a user to authenticate to a
>> desktop client for a "network app" (think of an IM client) - the idea is to
>> present an openid to a desktop client and then have it, in concert with the
>> server-side component of the app, use normal OpenID authentication through
>> the user's browser to authenticate the user to both the server side and to
>> the desktop client:
>> I have a basic implementation - looking for holes in the idea. Probably not
>> a novel idea, but I didn't recall seeing any write-up or implementation of
>> this anywhere.
> I guess I don't understand why you'd want to do this.... OpenID seems
> very http-centric, and if you are talking about desktop apps, you would
> be better served by something like SASL, or the kind of stuff that
> happens under the hood in an MS Active Directory domain with Kerberos.
> What I like is having several computers that can all authenticate to a
> Kerberos server and get access to my files and home directory.. this
> covers the desktop side. What's missing for me is being able to
> automagically be logged into my openid server once I am logged into my
> desktop environment.
Which is /exactly/ what you can do with OpenSSO
(https://opensso.dev.java.net/) and its new OP extension
Just configure OpenSSO for Windows Desktop SSO authentication (i.e.
SPNEGO/Kerberos - it also works with Solaris, Linux & Mac, but Windows
is the most common use case) and OpenID.
When an RP redirects the browser to the OP, the OP will do SPNEGO,
soliciting a Kerberos token from the desktop OS via the browser,
silently authenticating the user and sending them back to the RP.
> Or let's take the case of a Mac user.. They log into their MacBook,
> which unlocks the OSX Keychain, which handles most OSX applications
> nicely. The keychain should then know something about coordinating with
> the browser to be able to auto-fill in openid web forms.
Client certificate authentication would work also.
> I guess the point I'm trying to make is that while you want an
> integrated single sign-on environment that openid is part of, extending
> it to the desktop seems like putting a square peg in a round hole,
> especially since there are so many other solutions on the desktop.
Pat Patterson - pat.patterson at sun.com
Sun Microsystems, Inc.
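
Added example (not part of the original message, and not OpenSSO code): a sketch of the check an OP front end can make on the browser's reply to a 401 "WWW-Authenticate: Negotiate" challenge, telling a SPNEGO/Kerberos token apart from the NTLM token browsers send when no Kerberos ticket is available, in which case silent sign-on cannot happen. The function names, return labels and sample tokens are constructed for illustration; real token validation belongs to the GSS-API acceptor.

```python
import base64

# DER-encoded mechanism OIDs that open a GSS-API initial token (RFC 2743, 3.1)
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2
NTLM_SIG = b"NTLMSSP\x00"

# Constructed sample tokens: framing only, no real ticket data
SAMPLE_SPNEGO = b"\x60\x0a" + SPNEGO_OID + b"\xa0\x00"
SAMPLE_KRB5 = b"\x60\x0d" + KRB5_OID + b"\x01\x00"
SAMPLE_NTLM = NTLM_SIG + b"\x01\x00\x00\x00"

def negotiate_header(token):
    """Build the Authorization header value a browser would send."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")

def classify(authorization):
    """Return none, malformed, ntlm, spnego, kerberos or unknown."""
    scheme, _, b64 = (authorization or "").strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "none"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed"
    if not token:
        return "malformed"
    if token.startswith(NTLM_SIG):
        return "ntlm"
    if len(token) < 2 or token[0] != 0x60:  # [APPLICATION 0] wrapper
        return "unknown"
    # Skip the tag plus a short-form or long-form DER length
    skip = 2 if token[1] < 0x80 else 2 + (token[1] & 0x7F)
    body = token[skip:]
    if body.startswith(SPNEGO_OID):
        return "spnego"
    if body.startswith(KRB5_OID):
        return "kerberos"
    return "unknown"

def op_next_step(authorization):
    """Decide what the OP does with this request (labels are hypothetical)."""
    kind = classify(authorization)
    if kind == "none":
        return "challenge"          # reply 401, WWW-Authenticate: Negotiate
    if kind in ("spnego", "kerberos"):
        return "gssapi_accept"      # acceptor must validate before any assertion
    return "interactive_login"      # NTLM fallback or junk: no silent sign-on
```

Only after the acceptor has validated the token should the OP send a positive assertion back to the RP; the classification above is a routing decision, not authentication.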