<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Troy Benjegerdes wrote:
<blockquote cite="mid:20070321021746.GV27026@narn.hozed.org" type="cite">
<pre wrap="">On Tue, Mar 20, 2007 at 06:36:26PM -0700, Gabe Wachob wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I blogged an idea that I implemented to allow a user to authenticate to a
desktop client for a "network app" (think of an IM client) - the idea is to
present an openid to a desktop client and then have it, in concert with the
server-side component of the app, use normal OpenID authentication through
the user's browser to authenticate the user to both the server side and to
the desktop client:
<a class="moz-txt-link-freetext" href="http://blog.wachob.com/2007/03/openid_for_desk.html">http://blog.wachob.com/2007/03/openid_for_desk.html</a>
I have a basic implementation - looking for holes in the idea. Probably not
a novel idea, but I didn't recall seeing any write-up or implementation of
this anywhere.
</pre>
</blockquote>
<pre wrap=""><!---->I guess I don't understand why you'd want to do this.... OpenID seems
very http-centric, and if you are talking about desktop apps, you would
be better served by something like SASL, or the kind of stuff that
happens under the hood in an MS active directory domain with Kerberos.
What I like is having several computers that can all authenticate to a
kerberos server and get access to my files and home directory.. this
covers the desktop side. What's missing for me is being able to
automagically be logged into my openid server once I am logged into my
desktop environment.
</pre>
</blockquote>
Which is <i>exactly</i> what you can do with OpenSSO
(<a class="moz-txt-link-freetext" href="https://opensso.dev.java.net/">https://opensso.dev.java.net/</a>) and its new OP extension
(<a class="moz-txt-link-freetext" href="https://opensso.dev.java.net/source/browse/opensso/extensions/openid/README?view=markup">https://opensso.dev.java.net/source/browse/opensso/extensions/openid/README?view=markup</a>).
Just configure OpenSSO for Windows Desktop SSO authentication (i.e.
SPNEGO/Kerberos - it also works with Solaris, Linux & Mac, but
Windows is the most common use case) and OpenID.<br>
<br>
When an RP redirects the browser to the OP, the OP will do SPNEGO,
soliciting a Kerberos token from the desktop OS via the browser,
silently authenticating the user and sending them back to the RP.<br>
<blockquote cite="mid:20070321021746.GV27026@narn.hozed.org" type="cite">
<pre wrap="">Or let's take the case of a mac user.. They log into their macbook,
which unlocks the OSX Keychain, which handles most OSX applications
nicely. The keychain should then know something about coordinating with
the browser to be able to auto-fill in openid web forms.
</pre>
</blockquote>
Client certificate authentication would work also.<br>
<blockquote cite="mid:20070321021746.GV27026@narn.hozed.org" type="cite">
<pre wrap="">I guess the point I'm trying to make is that while you want an
integrated single sign-on environment that openid is part of, extending
it to the desktop seems like putting a square peg in a round hole,
especially since there are so many other solutions on the desktop.
</pre>
</blockquote>
Agreed.<br>
<br>
Cheers,<br>
<br>
Pat<br>
<blockquote cite="mid:20070321021746.GV27026@narn.hozed.org" type="cite">
<pre wrap="">_______________________________________________
general mailing list
<a class="moz-txt-link-abbreviated" href="mailto:general@openid.net">general@openid.net</a>
<a class="moz-txt-link-freetext" href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a>
</pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Pat Patterson - <a class="moz-txt-link-abbreviated" href="mailto:pat.patterson@sun.com">pat.patterson@sun.com</a>
Federation Architect,
Sun Microsystems, Inc.
<a class="moz-txt-link-freetext" href="http://blogs.sun.com/superpat">http://blogs.sun.com/superpat</a>
</pre>
</body>
</html>