[OpenID] Using OpenID outside of the browser
Rafeeq Rehman
rafeeq.rehman at gmail.com
Wed May 2 02:30:57 UTC 2007
Can a "web service" be an option? This way a client does not need to open a
browser and can complete the authentication process using a web service
consumer (proxy) if it makes any sense.
Rafeeq Rehman
-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Martin Atkins
Sent: Monday, April 30, 2007 1:56 PM
To: general at openid.net
Subject: Re: [OpenID] Using OpenID outside of the browser
Brendan Taylor wrote:
>
> 1. Client makes a request
> 2. RP responds:
>
> 401 Unauthorized
> WWW-Authenticate: LazyOpenID realm="some realm" nonce_url="http://example.org/abcdef"
>
> 3. Client sends the user to nonce_url
> 4. User goes through the normal OpenID process
> 5. User tells the client he's authenticated
> 6. Client repeats the request with an additional header:
>
> Authenticate: LazyOpenID nonce_url="http://example.org/abcdef"
>
> 7. Request succeeds.
>
Surely in Step 6 the client needs to include some kind of token (i.e.
the signature) to prove that it has permission?
How about this, very slightly altered, approach?
* Client Makes Request
* RP responds in much the same way as in your example
* Client opens browser to the URL
* User goes through normal OpenID process
* The web-based bit then says "Copy and paste the following gibberish
into the dialog box that the client app opened: 02841yf19u3n49fj124"
* The client repeats the request with that gibberish token in the
Authenticate header, which matches up to some kind of "permission" token
on the server.
This is a bit lame from a UI perspective, but it seems that it could
work from a technical perspective.
This only helps the "desktop client authenticating as user" case, but I
understand that this is all you're trying to solve. :)
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
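The exchange discussed in this thread, as an added simulation that is not code from the OpenID project or from either poster. It models the relying party (RP) side of both proposals: the quoted LazyOpenID challenge, and Martin Atkins' variant where the browser-side step hands the user a token that the client must paste into its repeated request. The `RelyingParty` class, the `token="..."` parameter, the `http://example.org/` nonce_url prefix and the simulated OpenID completion are all assumptions made for the example; the real OpenID dance is replaced by a single `complete_openid` call.

```python
"""Simulation of the LazyOpenID challenge/response from the thread, plus the
token variant.  Hypothetical API; the OpenID browser flow itself is stubbed."""
import re
import secrets
import time

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_auth_params(header_value):
    """Split 'LazyOpenID k1="v1" k2="v2"' into (scheme, {k: v})."""
    scheme, _, rest = header_value.strip().partition(" ")
    return scheme, dict(_PARAM_RE.findall(rest))


class RelyingParty:
    # Constructed nonce_url prefix, matching the example URL in the thread.
    BASE = "http://example.org/"

    def __init__(self, realm="some realm", token_ttl=300, clock=time.time):
        self.realm = realm
        self.token_ttl = token_ttl      # seconds a pasted token stays valid
        self.clock = clock              # injectable for testing expiry
        self._pending = {}              # nonce -> state for one challenge

    def handle_request(self, headers):
        """Steps 1/2 and 6/7: challenge without proof, serve with valid proof."""
        auth = headers.get("Authenticate")   # header name as used in the thread
        if auth is not None:
            identity = self._verify(auth)
            if identity is not None:
                return 200, {}, "hello " + identity
        return self._challenge()

    def _challenge(self):
        nonce = secrets.token_urlsafe(9)
        self._pending[nonce] = {"identity": None, "token": None,
                                "issued": None, "used": False}
        www = 'LazyOpenID realm="%s" nonce_url="%s%s"' % (self.realm, self.BASE, nonce)
        return 401, {"WWW-Authenticate": www}, ""

    def complete_openid(self, nonce_url, identity):
        """Steps 3-5, simulated: the browser flow finished for `identity`.
        Returns the 'gibberish' the page shows the user to paste into the client."""
        rec = self._pending[nonce_url[len(self.BASE):]]
        token = secrets.token_urlsafe(16)
        rec.update(identity=identity, token=token, issued=self.clock())
        return token

    def _verify(self, auth):
        """Accept only a known nonce with its matching, unused, unexpired token.
        A request carrying just nonce_url (step 6 as first proposed) is refused,
        which is the gap Martin points out."""
        scheme, params = parse_auth_params(auth)
        if scheme != "LazyOpenID":
            return None
        nonce_url = params.get("nonce_url", "")
        if not nonce_url.startswith(self.BASE):
            return None
        rec = self._pending.get(nonce_url[len(self.BASE):])
        if rec is None or rec["token"] is None or rec["used"]:
            return None
        presented = params.get("token")
        if presented is None or not secrets.compare_digest(presented, rec["token"]):
            return None
        if self.clock() - rec["issued"] > self.token_ttl:
            return None
        rec["used"] = True                # single use: a replay gets a fresh 401
        return rec["identity"]


def run_flow(rp, paste_token=True):
    """Drive one client through steps 1-7 and then replay the final request.
    Returns the three status codes seen: challenge, authenticated retry, replay."""
    statuses = []
    status, hdrs, _ = rp.handle_request({})                       # steps 1-2
    statuses.append(status)
    _, chal = parse_auth_params(hdrs["WWW-Authenticate"])
    nonce_url = chal["nonce_url"]
    token = rp.complete_openid(nonce_url, "http://alice.example.com/")  # steps 3-5
    params = 'nonce_url="%s"' % nonce_url
    if paste_token:
        params += ' token="%s"' % token                           # Martin's variant
    req = {"Authenticate": "LazyOpenID " + params}
    statuses.append(rp.handle_request(req)[0])                    # step 6/7
    statuses.append(rp.handle_request(req)[0])                    # replay
    return statuses


if __name__ == "__main__":
    print("with token   :", run_flow(RelyingParty(), paste_token=True))
    print("nonce_url only:", run_flow(RelyingParty(), paste_token=False))
```

The token is compared in constant time, bound to the nonce that was issued in the original 401, single use, and time limited, so possessing the nonce_url alone (which is visible to anyone who received the challenge) is not enough to pass step 6. One caveat when turning this into a real scheme: the standard HTTP request header for carrying credentials is `Authorization`, not `Authenticate`; the name is kept here only because the thread uses it.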