[OpenID] Enable OpenID for IRC

Chris Messina chris.messina at gmail.com
Mon May 18 00:05:04 UTC 2009


The solution would be to use OAuth, but I don't see how you escape the
browser requirement in the case of IRC because IRC itself is not all that
secure.
Furthermore, you shouldn't really be sending OpenID credentials over an IRC
channel... that seems akin to the password anti-pattern where someone could
easily intercept the transmission of data between you and the OP.

You would need to manage authentication out of band some other way...

Consider the work on OAuth over XMPP:

https://stpeter.im/index.php/2008/07/23/quick-oauth-notes/
http://xmpp.org/extensions/xep-0235.html

Also, I proposed a PIN approach for low-value OpenID transactions where all
you want to do is get identity:

http://factoryjoe.com/blog/2008/10/30/lightweight-access-pins-a-modest-proposal-for-enabling-openid-in-desktop-and-mobile-apps/

I can't say that my proposal is ideal either, but it would enable the kind
of authentication that you've described without sacrificing your primary
credentials.

I'm sympathetic to the idea of being able to just authenticate with a
username/password and still get the benefits of OpenID, but that's just not
realistic (AFAIC).

Chris

On Sat, May 16, 2009 at 10:23 AM, Yonas <googelly.eyes at gmail.com> wrote:

>
> I had a long discussion with josephholsten on freenode.net/#openid about
> how to enable OpenID for IRC.
>
> The requirements were that the user should not need to leave his IRC client
> to log in, and not need to use his browser. The problem right now is that the
> OP presents the login page for a browser. Without resorting to parsing the
> form for login and password fields, we cannot log in outside of a browser.
>
> Joseph's recommendation was to enable OAuth on the OP. The OP can advertise
> that it speaks OAuth, and the IRC client would login, and pass the OpenID
> results to the IRC server. The login flow would be:
>
> 1. IRC Client: /openid register foobar at example.com mypassword
> 2. IRC Client sends message to IRC Server
>   "I'd like to begin an openid login. The OP is example.com"
>
> 3. IRC server creates an OpenID Authentication Request for example.com
> 4. IRC server sends request URL to IRC client
> 5. IRC client confirms that example.com speaks OAuth via WWW-Authenticate
> Response Header, scheme=OAuth (http://www.ietf.org/rfc/rfc2617.txt)
> 6. IRC client authenticates via OAuth
> 7. Example.com sends back OpenID success response
> 8. IRC client sends OpenID success response to IRC Server
>   "This is the response information"
>
> 9. IRC server uses this information to confirm/verify that the login was
> successful
> 10. IRC server now recognizes the user as foobar at example.com
> --------------------
>
> The OpenID 2.0 spec says the OP --> end-user authentication method is out of
> scope: "The OP establishes whether the end user is authorized to perform
> OpenID Authentication and wishes to do so. The manner in which the end user
> authenticates to their OP and any policies surrounding such authentication
> is out of scope for this document."
>
> Here's my opinion:
>
> 1. OpenID login should not require a web browser.
>  I feel very strongly about this, because we have a big effort for enabling
> a single set of credentials on the Internet, but no standard way to
> authenticate those credentials without a browser! For eg., if the auth
> method did not require a browser, I could easily OpenID enable my favourite
> FTP server. In fact, we could create a standard C/C++ library (or add to
> libopkele) that would easily OpenID enable anything.
>
> 2. OpenID should incorporate 2-legged OAuth into the login method.
>   I did a little reading about SAML, OTP, etc., but I think OAuth
> is....nice? :)  2-legged OAuth would be a very secure, portable, and
> standard way to authenticate your OpenID. Sounds sexy, eh?
>
> 3. Using client certificates was brought up, but a password method must
> exist as well.
>
> Please let me know what you guys think. I'm really looking forward to
> seeing OpenID enabled in services outside of the browser.
>
> Cheers!
> Yonas



-- 
Chris Messina
Open Web Advocate

factoryjoe.com // diso-project.org // openid.net
This email is:   [ ] bloggable    [X] ask first   [ ] private
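The ten-step flow in the quoted message, written out as an added Python simulation of the three parties (this is not code from the thread or from either poster). The OP's user store, the identifiers under https://example.com/, the IRC server's return_to URL and the in-process message passing are constructed stand-ins; the `associate()` call stands in for OpenID 2.0's Diffie-Hellman association exchange, and the OP's password check stands in for whatever the OP actually does at step 6 (the thread proposes OAuth; the spec leaves it open). The simulation makes Chris's point concrete: the password travels from the IRC client to the OP only, never over the IRC connection, and the IRC server accepts nothing it cannot verify under the association key, rejecting tampered assertions, replayed nonces and responses minted for a different relying party or OP.

```python
"""Simulation of the IRC-client / IRC-server / OP OpenID login flow (added example)."""
import base64
import calendar
import hashlib
import hmac
import secrets
import time

OPENID_NS = "http://specs.openid.net/auth/2.0"
# OpenID 2.0 requires at least these fields to be covered by the signature.
REQUIRED_SIGNED = {"op_endpoint", "claimed_id", "identity",
                   "return_to", "response_nonce", "assoc_handle"}


def kv_form(fields, keys):
    """Key-value form of the signed fields, in openid.signed order."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in keys)


def sign(mac_key, fields):
    """HMAC-SHA256 over the key-value form of the fields named in openid.signed."""
    signed = fields["openid.signed"].split(",")
    mac = hmac.new(mac_key, kv_form(fields, signed).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


class OpenIDProvider:
    """example.com: authenticates the user and issues a signed id_res assertion."""

    def __init__(self, endpoint):
        self.endpoint = endpoint            # e.g. "https://example.com/" (constructed)
        self.assocs = {}                    # assoc_handle -> MAC key shared with an RP
        self.users = {"foobar": "mypassword"}   # constructed user store; a real OP stores hashes

    def associate(self):
        """Stands in for the DH association exchange; returns (handle, shared HMAC key)."""
        handle, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.assocs[handle] = key
        return handle, key

    def authenticate(self, request, username, password):
        """Steps 6-7: the client proves the password to the OP directly, the OP signs."""
        expected = self.users.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        if request["openid.identity"] != self.endpoint + username:
            return None                     # foobar may not obtain an assertion for someone else
        resp = {
            "openid.ns": OPENID_NS, "openid.mode": "id_res",
            "openid.op_endpoint": self.endpoint,
            "openid.claimed_id": request["openid.claimed_id"],
            "openid.identity": request["openid.identity"],
            "openid.return_to": request["openid.return_to"],
            "openid.response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
                                     + secrets.token_hex(4),
            "openid.assoc_handle": request["openid.assoc_handle"],
            "openid.signed": ",".join(sorted(REQUIRED_SIGNED)),
        }
        resp["openid.sig"] = sign(self.assocs[request["openid.assoc_handle"]], resp)
        return resp


class IRCServer:
    """The relying party. Never sees the password; only verifies the OP's assertion."""
    RETURN_TO = "https://irc.example.net/openid/return"   # constructed

    def __init__(self, op):
        self.op = op
        self.handle, self.mac_key = op.associate()
        self.pending = {}                   # nick -> claimed_id awaiting a response
        self.seen_nonces = set()            # replay protection
        self.identities = {}                # nick -> verified claimed_id

    def begin(self, nick, claimed_id):
        """Steps 2-4: build the checkid request the client will carry to the OP."""
        self.pending[nick] = claimed_id
        return {"openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
                "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
                "openid.return_to": self.RETURN_TO, "openid.assoc_handle": self.handle}

    def complete(self, nick, resp):
        """Steps 8-10: verify the relayed assertion before trusting it."""
        if resp is None or resp.get("openid.mode") != "id_res":
            return False
        if resp.get("openid.assoc_handle") != self.handle:
            return False                    # unknown association; would need check_authentication
        signed = resp.get("openid.signed", "").split(",")
        if not REQUIRED_SIGNED <= set(signed) or not all("openid." + k in resp for k in signed):
            return False                    # required fields must all be under the signature
        if not hmac.compare_digest(sign(self.mac_key, resp), resp.get("openid.sig", "")):
            return False                    # tampered or forged
        if resp["openid.op_endpoint"] != self.op.endpoint or resp["openid.return_to"] != self.RETURN_TO:
            return False                    # minted by another OP or for another RP
        if resp["openid.claimed_id"] != self.pending.get(nick):
            return False                    # does not match the login this nick began
        nonce = resp["openid.response_nonce"]
        issued = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
        if abs(time.time() - issued) > 300 or nonce in self.seen_nonces:
            return False                    # stale or replayed
        self.seen_nonces.add(nonce)
        self.identities[nick] = self.pending.pop(nick)
        return True


def irc_client_login(server, op, nick, username, password):
    """Step 1 onward from the client's side: /openid register foobar@example.com mypassword"""
    claimed_id = op.endpoint + username                       # https://example.com/foobar
    request = server.begin(nick, claimed_id)                  # steps 2-4 over IRC
    assertion = op.authenticate(request, username, password)  # steps 5-7, direct to the OP
    return server.complete(nick, assertion)                   # steps 8-10 over IRC


if __name__ == "__main__":
    op = OpenIDProvider("https://example.com/")
    srv = IRCServer(op)
    print("login:", irc_client_login(srv, op, "yonas", "foobar", "mypassword"), srv.identities)
    print("wrong password:", irc_client_login(srv, op, "mallory", "foobar", "guess"))
```

Note the separation of channels: only the OpenID request and the signed response cross the IRC connection, so an eavesdropper on IRC learns the claimed identifier but no credential, and cannot alter the assertion without breaking the HMAC.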