[OpenID] Using OpenID outside of the browser
Brendan Taylor
whateley at gmail.com
Sat May 5 18:34:59 UTC 2007
On Sat, May 05, 2007 at 11:22:26AM -0600, David Fuelling wrote:
> 9. Desktop client polls the URL *
> http://servercomponent.com/client-complete/<nonce>
> every 15 seconds until that page contains certain information (maybe
> hidden html fields? Maybe an atom feed?) to let the desktop client know
> that the auth was successful or not. *Of course, the server component
> (on servercomponent.com) knows about the success or failure since it is
> a normal RP and has done normal OpenID auth in step 5. The desktop client,
> in response to a successful poll can also try to close the browser window,
> or give the user a friendly status message.
I like this idea*, it's much more firewall- and user-friendly than the
others proposed so far. I see a problem, though:
If an eavesdropper gets the original nonce URL, he can poll the
client-complete URL more often than the actual client, find out the
authorization was successful before it and make his own request.
Now that I think of it, all the methods that have been proposed have
this race condition.
* although I still don't like using a redirect in the server's initial
response. The information passed in the redirect belongs in a
WWW-Authenticate header.
--
<http://necronomicorp.com/bct>
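The race described above, as an added model that is not part of the thread or any OpenID library: a constructed in-memory stand-in for the server component's client-complete endpoint, where the result goes to whoever presents the nonce first, beside a hardened variant (my assumption, not proposed in the thread) in which the desktop client registers a secret over its direct channel to the server component, so the nonce leaked in the browser URL is no longer enough to collect the result.

```python
import hashlib
import hmac
import secrets


class ServerComponent:
    """Constructed model of the 'server component' in the proposal: it remembers
    whether the browser-side OpenID auth for a nonce finished and answers polls."""

    def __init__(self):
        self.results = {}      # nonce -> True/False once the RP finished the OpenID auth
        self.consumed = set()  # nonces whose result has already been handed out
        self.secrets = {}      # nonce -> client secret (hardened variant only)

    def start(self, client_secret=None):
        """Issue the nonce that ends up in .../client-complete/<nonce>."""
        nonce = secrets.token_urlsafe(16)
        if client_secret is not None:
            self.secrets[nonce] = client_secret
        return nonce

    def finish_auth(self, nonce, ok):
        self.results[nonce] = ok   # step 5 of the proposal has completed

    def _release(self, nonce):
        """First poller to arrive after completion wins; later polls get nothing."""
        if nonce not in self.results or nonce in self.consumed:
            return None
        self.consumed.add(nonce)
        return self.results[nonce]

    def poll_original(self, nonce):
        """As proposed: the nonce in the URL is the only credential."""
        return self._release(nonce)

    def poll_hardened(self, nonce, proof):
        """Assumed fix: the poller must prove a secret the browser never carried."""
        expected = hmac.new(self.secrets.get(nonce, b""), nonce.encode(), hashlib.sha256).hexdigest()
        return self._release(nonce) if hmac.compare_digest(expected, proof) else None


def simulate_race(hardened):
    """Eavesdropper (knows only the nonce) polls faster than the desktop client.
    Returns (what the eavesdropper got, what the legitimate client got)."""
    server = ServerComponent()
    client_secret = secrets.token_bytes(32)      # stays on the desktop client
    nonce = server.start(client_secret)          # leaked via the browser URL
    server.finish_auth(nonce, True)
    if not hardened:
        return server.poll_original(nonce), server.poll_original(nonce)
    proof = hmac.new(client_secret, nonce.encode(), hashlib.sha256).hexdigest()
    return server.poll_hardened(nonce, ""), server.poll_hardened(nonce, proof)
```

In the original design `simulate_race(False)` hands the successful result to the eavesdropper and leaves the real client with nothing; with the extra secret the eavesdropper's poll is refused and the client still collects its result.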