[OpenID] An OpenID "mobile" Hint?

Hans Granqvist hans at granqvist.com
Wed Jun 4 21:34:59 UTC 2008


It makes sense (though the YubiKey is a mechanism, not a provider), but
it's a bit dangerous since security decisions on the RP based on the
User-Agent's self-issued origin/type are quite tricky.

An attacker would pick the easiest mechanism if there is a choice, too.

Regardless, the XRDS file could map accepted authentication
mechanism(s) to each URL as a simple attribute.

Hans


On Wed, Jun 4, 2008 at 2:08 PM, David Recordon <drecordon at sixapart.com> wrote:
> In developing a mobile application that uses OpenID for logins one of
> the things I've become really cognizant of is how poor of a mobile
> experience most Providers have when it comes to OpenID.  It obviously
> doesn't take a lot to create a streamlined Provider flow for
> authentication and the trust request, but so far it seems that no one
> has really done that.  I was also thinking more about Providers such
> as YubiKey where authenticating with a USB device (despite how awesome
> it is) won't work on my iPhone.
>
> I'm wondering if it would be useful to write a dead simple extension
> to provide some hints around mobile support?  Allow a Provider to
> advertise in an XRDS file that they support a mobile login flow so
> that Relying Parties could discover that, theoretically making it so
> that I could use a Provider such as YubiKey on the desktop and then
> MyOpenID on the phone.
>
> Am I barking up a useful tree?  If I spec'd this would any Providers
> actually implement a mobile-friendly flow?
>
> --David

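Added example, not part of the original thread and not code from any OpenID specification: a Relying Party reading per-URL hints from an XRDS file, where the User-Agent's mobile claim only reorders endpoints and the RP's own minimum mechanism strength is enforced whatever the client claims. The `hint:` namespace, the `hint:mobile` and `hint:mechanisms` attributes, the `STRENGTH` ranking and the example.org hosts are all assumptions made up for illustration.

```python
import xml.etree.ElementTree as ET

XRD = "{xri://$xrd*($v*2.0)}"
HINT = "{http://example.org/ns/openid-hint}"  # hypothetical namespace, not a real extension
SIGNON = "http://specs.openid.net/auth/2.0/signon"
STRENGTH = {"password": 1, "hardware-token": 2}  # assumed RP-side ranking

# Constructed XRDS: hint:mobile and hint:mechanisms are made-up attributes.
XRDS_DOC = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"
    xmlns:hint="http://example.org/ns/openid-hint">
  <XRD>
    <Service>
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI hint:mechanisms="hardware-token">https://op-a.example/auth</URI>
    </Service>
    <Service>
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI hint:mobile="true" hint:mechanisms="password">https://op-b.example/m/auth</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


def endpoints(xrds_text):
    """Return (uri, mobile, weakest_strength) for each OpenID 2.0 signon URI."""
    found = []
    for svc in ET.fromstring(xrds_text).iter(XRD + "Service"):
        if SIGNON not in {t.text.strip() for t in svc.findall(XRD + "Type")}:
            continue
        for uri in svc.findall(XRD + "URI"):
            mechs = uri.get(HINT + "mechanisms", "").split()
            # An endpoint is only as strong as the easiest mechanism it accepts;
            # unknown or missing mechanisms rank 0 so they never satisfy a policy.
            weakest = min((STRENGTH.get(m, 0) for m in mechs), default=0)
            found.append((uri.text.strip(), uri.get(HINT + "mobile") == "true", weakest))
    return found


def pick_endpoint(xrds_text, claims_mobile, min_strength):
    """claims_mobile comes from the User-Agent, so it may only reorder candidates.
    min_strength comes from RP policy and is enforced whatever the client claims."""
    ok = [e for e in endpoints(xrds_text) if e[2] >= min_strength]
    ok.sort(key=lambda e: e[1] != claims_mobile)  # stable sort: matching flow first
    return ok[0][0] if ok else None  # fail closed, never fall back to a weaker one
```

With a policy of `min_strength=2`, a client that claims to be mobile still gets the hardware-token endpoint, and a policy no endpoint can meet yields `None` rather than a weaker login.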

