[OpenID] Enable OpenID for IRC
Luke Shepard
lshepard at facebook.com
Mon May 18 00:13:57 UTC 2009
Agree with Chris mostly. Under what circumstances do you typically use IRC without access to a browser?
I use a desktop client, which could easily launch a browser popup from within the app.
I also sometimes use it via terminal. For that environment, we could use a text-only browser like lynx to achieve the same security. Perhaps we could support a new mode "textonly" for the new UX extension (currently it supports only "popup" but was intended to expand).
________________________________
From: general-bounces at openid.net <general-bounces at openid.net>
To: Yonas <googelly.eyes at gmail.com>
Cc: general at openid.net <general at openid.net>
Sent: Sun May 17 17:05:04 2009
Subject: Re: [OpenID] Enable OpenID for IRC
The solution would be to use OAuth, but I don't see how you escape the browser requirement in the case of IRC because IRC itself is not all that secure.
Furthermore, you shouldn't really be sending OpenID credentials over an IRC channel... that seems akin to the password anti-pattern where someone could easily intercept the transmission of data between you and the OP.
You would need to manage authentication out of band some other way...
Consider the work on OAuth over XMPP:
https://stpeter.im/index.php/2008/07/23/quick-oauth-notes/
http://xmpp.org/extensions/xep-0235.html
Also, I proposed a PIN approach for low-value OpenID transaction where all you want to do is get identity:
http://factoryjoe.com/blog/2008/10/30/lightweight-access-pins-a-modest-proposal-for-enabling-openid-in-desktop-and-mobile-apps/
I can't say that my proposal is ideal either, but it would enable the kind of authentication that you've described without sacrificing your primary credentials.
I'm sympathetic to the idea of being able to just authenticate with a username/password and still get the benefits of OpenID, but that's just not realistic (AFAIC).
Chris
On Sat, May 16, 2009 at 10:23 AM, Yonas <googelly.eyes at gmail.com> wrote:
I had a long discussion with josephholsten on freenode.net/#openid about how
to enable OpenID for IRC.
The requirements were that the user should not need to leave his IRC client
to login, and not need to use his browser. The problem right now is that the
OP presents the login page for a browser. Without resorting to parsing the
form for login and password fields, we cannot login outside of a browser.
Joseph's recommendation was to enable OAuth on the OP. The OP can advertise
that it speaks OAuth, and the IRC client would login, and pass the OpenID
results to the IRC server. The login flow would be:
1. IRC Client: /openid register foobar at example.com mypassword
2. IRC Client sends message to IRC Server
"I'd like to begin an openid login. The OP is example.com"
3. IRC server creates an OpenID Authentication Request for example.com
4. IRC server sends request URL to IRC client
5. IRC client confirms that example.com speaks OAuth via WWW-Authenticate
Response Header, scheme=OAuth (http://www.ietf.org/rfc/rfc2617.txt)
6. IRC client authenticates via OAuth
7. Example.com sends back OpenID success response
8. IRC client sends OpenID success response to IRC Server
"This is the response information"
9. IRC server uses this information to confirm/verify that the login was
successful
10. IRC server now recognizes the user as foobar at example.com
--------------------
The OpenID 2.0 spec says the OP --> end-user authentication method is out of
scope, "The OP establishes whether the end user is authorized to perform
OpenID Authentication and wishes to do so. The manner in which the end user
authenticates to their OP and any policies surrounding such authentication
is out of scope for this document. "
Here's my opinion:
1. OpenID login should not require a web browser.
I feel very strongly about this, because we have a big effort for enabling
a single set of credentials on the Internet, but no standard way to
authenticate those credentials without a browser! For example, if the auth
method did not require a browser, I could easily OpenID enable my favourite
FTP server. In fact, we could create a standard C/C++ library (or add to
libopkele) that would easily OpenID enable anything.
2. OpenID should incorporate 2-legged OAuth into the login method.
I did a little reading about SAML, OTP, etc, but I think OAuth
is....nice? :) 2-legged OAuth would be a very secure, portable, and
standard way to authenticate your OpenID. Sounds sexy, eh?
3. Using client certificates was brought up, but a password method must
exist as well.
Please let me know what you guys think. I'm really looking forward to seeing
OpenID enabled in services outside of the browser.
Cheers!
Yonas
--
Chris Messina
Open Web Advocate
factoryjoe.com // diso-project.org // openid.net
This email is: [ ] bloggable [X] ask first [ ] private
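The flow Yonas sketches leaves steps 7 and 9 (the OP's signed success response and the IRC server checking it) unspecified, and that part is the same no matter how the user proved identity to the OP, which is exactly what the quoted OpenID 2.0 text puts out of scope. The following is an added example, not code from anyone in this thread or from any OpenID library: it builds an OpenID 2.0 `id_res` positive assertion signed with an HMAC-SHA256 association and shows the relying-party (IRC server) checks that make relaying the assertion through an untrusted client safe: `return_to` match, all required fields covered by `openid.signed`, constant-time signature comparison, and a time-windowed, single-use `response_nonce`. The association handle, MAC key, OP endpoint, and the `irc://` return_to are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import time
from datetime import datetime, timezone

OPENID_NS = "http://specs.openid.net/auth/2.0"

# Constructed demo values (hypothetical, not from the thread): an HMAC-SHA256
# association as the OP and the IRC server would hold after openid.mode=associate.
ASSOC_HANDLE = "assoc-demo-1"
MAC_KEY = secrets.token_bytes(32)
OP_ENDPOINT = "https://example.com/openid"
RETURN_TO = "irc://irc.example.net/openid-return"
SIGNED_FIELDS = "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity"


def kv_form(fields, signed):
    """OpenID 2.0 Key-Value Form Encoding: 'name:value' + newline per signed
    field, in openid.signed order, names without the 'openid.' prefix."""
    return "".join(f"{name}:{fields['openid.' + name]}\n" for name in signed.split(","))


def sign(fields, mac_key):
    """openid.sig = base64(HMAC-SHA256(mac_key, key-value form of signed fields))."""
    data = kv_form(fields, fields["openid.signed"]).encode()
    return base64.b64encode(hmac.new(mac_key, data, hashlib.sha256).digest()).decode()


def op_positive_assertion(claimed_id, mac_key, assoc_handle, return_to=RETURN_TO):
    """OP side (step 7): signed id_res response for an already-authenticated user.
    How the user authenticated to the OP is deliberately not part of this message."""
    nonce = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ") + secrets.token_hex(8)
    fields = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": assoc_handle,
        "openid.signed": SIGNED_FIELDS,
    }
    fields["openid.sig"] = sign(fields, mac_key)
    return fields


class RelyingParty:
    """IRC-server side (step 9): verify an assertion relayed by the IRC client.
    Returns the claimed identifier on success, None on any failure."""

    REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id")

    def __init__(self, return_to, associations, nonce_window=300):
        self.return_to = return_to
        self.associations = associations   # assoc_handle -> MAC key
        self.seen_nonces = set()           # replay protection
        self.nonce_window = nonce_window   # seconds of clock skew tolerated

    def verify(self, fields):
        if fields.get("openid.ns") != OPENID_NS or fields.get("openid.mode") != "id_res":
            return None
        if fields.get("openid.return_to") != self.return_to:
            return None                    # response issued for another RP or session
        signed = fields.get("openid.signed", "").split(",")
        if any(f not in signed for f in self.REQUIRED_SIGNED):
            return None                    # a field outside the MAC could be swapped freely
        if any("openid." + name not in fields for name in signed):
            return None
        mac_key = self.associations.get(fields.get("openid.assoc_handle"))
        if mac_key is None:
            return None                    # unknown handle: a real RP falls back to check_authentication
        if not hmac.compare_digest(sign(fields, mac_key), fields.get("openid.sig", "")):
            return None                    # forged or tampered assertion
        nonce = fields["openid.response_nonce"]
        try:
            issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            return None
        if abs(time.time() - issued.timestamp()) > self.nonce_window or nonce in self.seen_nonces:
            return None                    # stale or replayed
        self.seen_nonces.add(nonce)
        return fields["openid.claimed_id"]


def demo():
    """One successful login plus the failure cases the IRC server must reject."""
    rp = RelyingParty(RETURN_TO, {ASSOC_HANDLE: MAC_KEY})
    good = op_positive_assertion("https://example.com/foobar", MAC_KEY, ASSOC_HANDLE)
    tampered = dict(good, **{"openid.claimed_id": "https://example.com/someone-else"})
    wrong_key = op_positive_assertion("https://example.com/foobar", secrets.token_bytes(32), ASSOC_HANDLE)
    return {
        "tampered": rp.verify(tampered),    # None: signature no longer matches
        "wrong_key": rp.verify(wrong_key),  # None: signed under a key the RP never agreed on
        "first": rp.verify(good),           # "https://example.com/foobar"
        "replay": rp.verify(good),          # None: nonce already consumed
    }


if __name__ == "__main__":
    print(demo())
```

The nonce and signature checks are what stop a client (or anyone on the IRC path, which Chris notes is not secure) from re-sending a captured success response or editing the identity it asserts; the `return_to` check stops a response obtained for one login session from being pasted into another.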