[OpenID] Enable OpenID for IRC

Yonas googelly.eyes at gmail.com
Sat May 16 17:23:32 UTC 2009


I had a long discussion with josephholsten on freenode.net/#openid about how
to enable OpenID for IRC.

The requirements were that the user should not need to leave his IRC client
to log in, and not need to use his browser. The problem right now is that the
OP presents the login page for a browser. Without resorting to parsing the
form for login and password fields, we cannot log in outside of a browser.

Joseph's recommendation was to enable OAuth on the OP. The OP can advertise
that it speaks OAuth, and the IRC client would log in and pass the OpenID
results to the IRC server. The login flow would be:

1. IRC Client: /openid register foobar@example.com mypassword
2. IRC Client sends message to IRC Server:
   "I'd like to begin an openid login. The OP is example.com"
3. IRC server creates an OpenID Authentication Request for example.com
4. IRC server sends request URL to IRC client
5. IRC client confirms that example.com speaks OAuth via WWW-Authenticate
   Response Header, scheme=OAuth (http://www.ietf.org/rfc/rfc2617.txt)
6. IRC client authenticates via OAuth
7. Example.com sends back OpenID success response
8. IRC client sends OpenID success response to IRC Server:
   "This is the response information"
9. IRC server uses this information to confirm/verify that the login was
   successful
10. IRC server now recognizes the user as foobar@example.com
--------------------

The OpenID 2.0 spec says the OP --> end-user authentication method is out of
scope: "The OP establishes whether the end user is authorized to perform
OpenID Authentication and wishes to do so. The manner in which the end user
authenticates to their OP and any policies surrounding such authentication
is out of scope for this document."

Here's my opinion:

1. OpenID login should not require a web browser.
  I feel very strongly about this, because we have a big effort for enabling
a single set of credentials on the Internet, but no standard way to
authenticate those credentials without a browser! For example, if the auth
method did not require a browser, I could easily OpenID-enable my favourite
FTP server. In fact, we could create a standard C/C++ library (or add to
libopkele) that would easily OpenID-enable anything.

2. OpenID should incorporate 2-legged OAuth into the login method. 
   I did a little reading about SAML, OTP, etc, but I think OAuth
is....nice? :)  2-legged OAuth would be a very secure, portable, and
standard way to authenticate your OpenID. Sounds sexy, eh?

3. Using client certificates was brought up, but a password method must
exist as well.

Please let me know what you guys think. I'm really looking forward to seeing
OpenID-enabled services outside of the browser.

Cheers!
Yonas
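The ten-step flow above, as an added simulation that is not part of the original post: the IRC server acts as relying party, the OP lives at example.com, and the IRC client relays the OP's signed response. The OAuth leg (steps 5-7) is stood in for by a plain password check, and the message shapes, the user table and the irc:// return_to form are assumptions; the point of the example is step 9, where the server must verify everything the untrusted client hands it (association, return_to, nonce, signature) before it recognises the user.

```python
import base64, hashlib, hmac, secrets, time
# Constructed simulation; message shapes, user table and return_to form are assumptions.

def sign(key, fields, signed):
    # OpenID 2.0 key-value form ("name:value\n" per signed field), HMAC-SHA256, base64
    kv = "".join(f"{n}:{fields.get('openid.' + n, '')}\n" for n in signed).encode()
    return base64.b64encode(hmac.new(key, kv, hashlib.sha256).digest()).decode()

class OP:  # OpenID Provider: per-RP association key plus a constructed user table
    def __init__(self, host):
        self.host, self.users, self.assocs = host, {"foobar": "mypassword"}, {}
    def associate(self, handle):
        self.assocs[handle] = secrets.token_bytes(32)
        return self.assocs[handle]
    def authenticate(self, req, user, password):  # steps 5-7
        if self.users.get(user) != password:  # stands in for the OAuth leg in the post
            return None
        signed = ["mode", "claimed_id", "return_to", "response_nonce", "assoc_handle"]
        resp = {"openid.mode": "id_res", "openid.claimed_id": f"http://{self.host}/{user}",
                "openid.return_to": req["openid.return_to"],
                "openid.response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
                + secrets.token_hex(4),
                "openid.assoc_handle": req["openid.assoc_handle"], "openid.signed": ",".join(signed)}
        resp["openid.sig"] = sign(self.assocs[req["openid.assoc_handle"]], resp, signed)
        return resp

class IRCServer:  # relying party: builds the request (step 3), verifies the response (step 9)
    def __init__(self, op):
        self.handle = "assoc-" + secrets.token_hex(4)
        self.key, self.pending, self.seen = op.associate(self.handle), set(), set()
    def begin(self):
        rt = "irc://irc.example.net/openid/" + secrets.token_hex(8)
        self.pending.add(rt)
        return {"openid.mode": "checkid_setup", "openid.return_to": rt, "openid.assoc_handle": self.handle}
    def finish(self, resp):
        # The client relaying the response is untrusted, so every claim is checked server-side
        signed = resp.get("openid.signed", "").split(",")
        ok = ({"mode", "claimed_id", "return_to", "response_nonce", "assoc_handle"} <= set(signed)
              and resp.get("openid.mode") == "id_res" and resp.get("openid.assoc_handle") == self.handle
              and resp.get("openid.return_to") in self.pending  # request really came from us, once
              and resp.get("openid.response_nonce") not in self.seen  # no replay of an old assertion
              and hmac.compare_digest(sign(self.key, resp, signed).encode(), resp.get("openid.sig", "").encode()))
        if not ok:
            return None
        self.seen.add(resp["openid.response_nonce"]); self.pending.discard(resp["openid.return_to"])
        return resp["openid.claimed_id"]  # step 10: the identity the server now recognises

def irc_client_login(server, op, user, password):  # steps 1-4, 5-7, 8-9 in order
    resp = op.authenticate(server.begin(), user, password)
    return server.finish(resp) if resp else None
```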

-- 
View this message in context: http://www.nabble.com/Enable-OpenID-for-IRC-tp23575937p23575937.html
Sent from the OpenID - General mailing list archive at Nabble.com.
