[OpenID] Using OpenID outside of the browser
Brendan Taylor
whateley at gmail.com
Tue May 1 02:17:23 UTC 2007
On Mon, Apr 30, 2007 at 07:25:53PM +0100, Martin Atkins wrote:
> Having pondered this a bit, I understand what I missed in Brendan's
> proposal. I guess his "abcdef" is an identifier for the request, so that
> when it's repeated later the server can match that with the fact that an
> authentication request succeeded at that URL.

Yes, it's the same as Gabe's nonce. I didn't make that very clear,
sorry.

The process I outlined is identical to Gabe's except that it doesn't
rely on the client knowing beforehand what kind of authentication to
expect, and the client doesn't listen. It's ugly, but it should work.

> I think having a button to press when authentication succeeds is
> preferable to requiring the client to open a listen port, since that can
> be troublesome for people who use NAT and for people on networks they do
> not control, such as university/company networks.

This is my thought too.

When I get some time I intend to describe this idea more concretely and
implement it. I don't want it to get in the way of SRP adoption, though.