[OpenID] Enable OpenID for IRC
Yonas
googelly.eyes at gmail.com
Mon May 18 10:06:38 UTC 2009
Btw, why was your message base64 encoded?
http://openid.net/pipermail/general/2009-May/008824.html
Luke Shepard wrote:
>
> Agree with Chris mostly. Under what circumstances do you typically use IRC
> without access to a browser?
>
> I use a desktop client, which could easily launch a browser popup from
> within the app.
>
> I also sometimes use it via terminal. For that environment, we could use a
> text-only browser like lynx to achieve the same security. Perhaps we could
> support a new mode "textonly" for the new UX extension (currently it
> supports only "popup" but was intended to expand)
>
> ________________________________
> From: general-bounces at openid.net <general-bounces at openid.net>
> To: Yonas <googelly.eyes at gmail.com>
> Cc: general at openid.net <general at openid.net>
> Sent: Sun May 17 17:05:04 2009
> Subject: Re: [OpenID] Enable OpenID for IRC
>
> The solution would be to use OAuth, but I don't see how you escape the
> browser requirement in the case of IRC because IRC itself is not all that
> secure.
>
> Furthermore, you shouldn't really be sending OpenID credentials over an
> IRC channel... that seems akin to the password anti-pattern where someone
> could easily intercept the transmission of data between you and the OP.
>
> You would need to manage authentication out of band some other way...
>
> Consider the work on OAuth over XMPP:
>
> https://stpeter.im/index.php/2008/07/23/quick-oauth-notes/
> http://xmpp.org/extensions/xep-0235.html
>
> Also, I proposed a PIN approach for low-value OpenID transaction where all
> you want to do is get identity:
>
> http://factoryjoe.com/blog/2008/10/30/lightweight-access-pins-a-modest-proposal-for-enabling-openid-in-desktop-and-mobile-apps/
>
> I can't say that my proposal is ideal either, but it would enable the kind
> of authentication that you've described without sacrificing your primary
> credentials.
>
> I'm sympathetic to the idea of being able to just authenticate with a
> username/password and still get the benefits of OpenID, but that's just
> not realistic (AFAIC).
>
> Chris
>
> On Sat, May 16, 2009 at 10:23 AM, Yonas <googelly.eyes at gmail.com> wrote:
>
> I had a long discussion with josephholsten on freenode.net/#openid about how
> to enable OpenID for IRC.
>
> The requirements were that the user should not need to leave his IRC client
> to login, and not need to use his browser. The problem right now is that the
> OP presents the login page for a browser. Without resorting to parsing the
> form for login and password fields, we cannot login outside of a browser.
>
> Joseph's recommendation was to enable OAuth on the OP. The OP can advertise
> that it speaks OAuth, and the IRC client would login, and pass the OpenID
> results to the IRC server. The login flow would be:
>
> 1. IRC Client: /openid register foobar at example.com mypassword
> 2. IRC Client sends message to IRC Server
>    "I'd like to begin an openid login. The OP is example.com"
> 3. IRC server creates an OpenID Authentication Request for example.com
> 4. IRC server sends request URL to IRC client
> 5. IRC client confirms that example.com speaks OAuth via WWW-Authenticate
>    Response Header, scheme=OAuth (http://www.ietf.org/rfc/rfc2617.txt)
> 6. IRC client authenticates via OAuth
> 7. Example.com sends back OpenID success response
> 8. IRC client sends OpenID success response to IRC Server
>    "This is the response information"
> 9. IRC server uses this information to confirm/verify that the login was
>    successful
> 10. IRC server now recognizes the user as foobar at example.com
> --------------------
>
> The OpenID 2.0 spec says the OP --> end-user authentication method is out of
> scope, "The OP establishes whether the end user is authorized to perform
> OpenID Authentication and wishes to do so. The manner in which the end user
> authenticates to their OP and any policies surrounding such authentication
> is out of scope for this document."
>
> Here's my opinion:
>
> 1. OpenID login should not require a web browser.
> I feel very strongly about this, because we have a big effort for enabling
> a single set of credentials on the Internet, but no standard way to
> authenticate those credentials without a browser! For eg., if the auth
> method did not require a browser, I could easily OpenID enable my favourite
> FTP server. In fact, we could create a standard C/C++ library (or add to
> libopkele) that would easily OpenID enable anything.
>
> 2. OpenID should incorporate 2-legged OAuth into the login method.
> I did a little reading about SAML, OTP, etc, but I think OAuth
> is....nice? :) 2-legged OAuth would be a very secure, portable, and
> standard way to authenticate your OpenID. Sounds sexy, eh?
>
> 3. Using client certificates was brought up, but a password method must
> exist as well.
>
> Please let me know what you guys think. I'm really looking forward to seeing
> OpenID enabled in services outside of the browser.
>
> Cheers!
> Yonas
>
> --
> View this message in context:
> http://www.nabble.com/Enable-OpenID-for-IRC-tp23575937p23575937.html
> Sent from the OpenID - General mailing list archive at Nabble.com.
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>
>
> --
> Chris Messina
> Open Web Advocate
>
> factoryjoe.com // diso-project.org // openid.net
> This email is: [ ] bloggable [X] ask first [ ] private
>
--
View this message in context: http://www.nabble.com/Enable-OpenID-for-IRC-tp23575937p23594604.html
Sent from the OpenID - General mailing list archive at Nabble.com.
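
Step 9 of the flow quoted above has the IRC server accept an OpenID success response that was relayed by the IRC client, so the server has to treat it as untrusted input. The following is an added example, not code from the thread or from any OpenID library: it assumes the server holds an HMAC-SHA256 association key with the OP, and the function names, key, URLs and nonce are constructed for illustration.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone

# Fields this example insists the OP's signature covers.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"}

def sign(fields, signed, mac_key):
    """HMAC-SHA256 over the OpenID 2.0 key-value form of the signed fields."""
    kv = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed)
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()

def verify_relayed(fields, mac_key, return_to, op_endpoint, seen, now,
                   max_age=timedelta(minutes=5)):
    """Return 'ok' or the reason the relayed assertion is rejected."""
    if fields.get("openid.mode") != "id_res":
        return "not a positive assertion"
    signed = fields.get("openid.signed", "").split(",")
    if not REQUIRED_SIGNED <= set(signed):
        return "required field not signed"
    if any("openid." + k not in fields for k in signed):
        return "signed field missing"
    sig = fields.get("openid.sig", "")
    if not hmac.compare_digest(sign(fields, signed, mac_key).encode(), sig.encode()):
        return "bad signature"
    # Bind the assertion to the request this server issued in steps 3 and 4.
    if fields["openid.return_to"] != return_to or fields["openid.op_endpoint"] != op_endpoint:
        return "assertion is for a different request"
    nonce = fields["openid.response_nonce"]
    try:
        issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return "malformed nonce"
    if abs(now - issued) > max_age:
        return "stale nonce"
    if (op_endpoint, nonce) in seen:
        return "replayed nonce"
    seen.add((op_endpoint, nonce))
    return "ok"

# Constructed sample: key, URLs, handle and nonce are made up for this example.
KEY = b"constructed-association-mac-key!"
NOW = datetime(2009, 5, 18, 10, 7, 0, tzinfo=timezone.utc)
SAMPLE = {"openid.mode": "id_res", "openid.op_endpoint": "https://example.com/openid",
          "openid.return_to": "https://irc.example.net/openid/return?session=constructed",
          "openid.response_nonce": "2009-05-18T10:06:38ZabC123", "openid.assoc_handle": "constructed-handle",
          "openid.claimed_id": "https://foobar.example.com/", "openid.identity": "https://foobar.example.com/",
          "openid.signed": "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity"}
SAMPLE["openid.sig"] = sign(SAMPLE, SAMPLE["openid.signed"].split(","), KEY)
```
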