[OpenID] Flash based authentication?

[Peter Serwylo]

G'day guys,

I've had a good browse around the web and this list, but cannot seem to
find much reference at all (other than a fleeting reference in
discussions about phishing or other security concerns) to using OpenID
from a flash client.

I work for a company developing web applications, and our new generation
of apps will be completely flash based (using the flex framework). The
login currently takes place from within a form in flash (not using
OpenID), but we really want to push the OpenID road.

The system we have does allow for the redirect dance to take place in
HTML authentication, and when we receive the go ahead from the OP, we
can load the flash application.
The problem is, when a session times out, we throw up a "Your session
has expired, please re-enter password to continue working" modal dialog
within flash. This is a must, because if someone is halfway through
filling out some almighty form, and they head off for a coffee while
their session times out, we want them to resume that session without
reloading the browser.

Is there any resources you can point me to which may help solve this
issue of authenticating from within flash? 

Untested ideas:

Embed an iframe in the flash movie (I understand this will be an issue,
not showing the address bar could become a security issue)

Perhaps popup a window and do the redirects in there, returning back to
the original page and then communicating to the flash player via the
JavaScript bridge. (Seems like if I was to redirect a couple of times, I
then loose the connection between the child window and the parent,
although the parent still seems to be able to talk to the child).


I understand that one of the goals of OpenID is to work with user agents
rather than HTML in browsers, but am not sure how much of this goal has
been realised yet.


Any help appreciated,
cheers,
Pete