<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:st1="urn:schemas-microsoft-com:office:smarttags" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]--><o:SmartTagType
namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="PersonName"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:blue;
text-decoration:underline;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:Arial;
color:navy;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
{page:Section1;}
/* List Definitions */
@list l0
{mso-list-id:172916105;
mso-list-template-ids:-1997006680;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=blue>
<div class=Section1>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>The reason had to do with “closing
the loop” and trust boundaries. <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>But I have my hands with two kids at the
moment, so the proper answer would have to wait for a few days.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> -Gabe<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>
<hr size=2 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'> David Fuelling
[mailto:sappenin@gmail.com] <br>
<b><span style='font-weight:bold'>Sent:</span></b> Saturday, May 05, 2007 10:22
AM<br>
<b><span style='font-weight:bold'>To:</span></b> <st1:PersonName w:st="on">Gabe
Wachob</st1:PersonName><br>
<b><span style='font-weight:bold'>Cc:</span></b> general@openid.net<br>
<b><span style='font-weight:bold'>Subject:</span></b> Re: [OpenID] Using OpenID
outside of the browser</span></font><o:p></o:p></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Gabe, <br>
<br>
With regard to your "OpenId for Desktops" [1] proposal, why not
eliminate the localhost:9876 mechansim entirely. Instead, the desktop
client could (once it has initiated an authentication process) simply poll a
URL on the RP to see if the authentication succeeded. <br>
<br>
That way, you don't have to worry about localhost clients (and concerns
about port conflicts, NAT, etc), and we don't have to have a "click
this" button, nor do we need the user to do anything special (like
copy/paste this nonce into a new window). <br>
<br>
So, the process would go something like this (mainly only step 1 and 7-10 are
different from your blog post):<o:p></o:p></span></font></p>
<ol start=1 type=1>
<li class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt;
mso-list:l0 level1 lfo1'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'>To initiate login, desktop client first does a
request to a server component (an RP) to associate the desktop client's
http session to the RP server component with an openid, and a nonce:<br>
<br>
GET on <strong><b><font face="Times New Roman"><a
href="http://servercomponent.com/client-auth?openid=me.openid.com&nonce=">http://servercomponent.com/client-auth?openid=me.openid.com&nonce=
</a><nonce></font></b></strong><o:p></o:p></span></font></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'>RP server component returns:<br>
<br>
<strong><b><font face="Times New Roman">302 relocated</font></b></strong><b><span
style='font-weight:bold'><br>
<strong><b><font face="Times New Roman">Location: <a
href="http://servercomponent.com/client-login/">http://servercomponent.com/client-login/</a><nonce>
</font></b></strong></span></b><br>
<br>
In generating this 302 response, the RP associates the nonce with desktop
client's HTTP session, and the openid requested by the desktop client.<o:p></o:p></span></font></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt;
mso-list:l0 level1 lfo1'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'>The desktop client gets the 302 and does NOT
follow the redirect itself. Instead, it makes the local web browser (e.g.
python's webbrowser.open) go to<br>
<strong><b><font face="Times New Roman"><a
href="http://servercomponent.com/client-login/">http://servercomponent.com/client-login/</a><nonce></font></b></strong><br>
<br>
<em><i><font face="Times New Roman">Note: the desktop client and its HTTP
session are now associated (by the RP server component) with the user's
web browser session via the nonce.</font></i></em><o:p></o:p></span></font></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt;
mso-list:l0 level1 lfo1'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'>The RP server component looks up openid by nonce
and does openid discovery, returns a redirect to OP to the browser, with
return_to set to:<br>
<br>
<strong><b><font face="Times New Roman"><a
href="http://servercomponent.com/client-complete/">http://servercomponent.com/client-complete/</a><nonce></font></b></strong><o:p></o:p></span></font></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'>OpenID auth happens as normal (user browser goes
off to OP to authenticate) <o:p></o:p></span></font></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'>The user browser eventually returns to<br>
<br>
<strong><b><font face="Times New Roman"><a
href="http://servercomponent.com/client-complete/">http://servercomponent.com/client-complete/</a><nonce></font></b></strong><o:p></o:p></span></font></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'><strong><b><font size=3 face="Times New Roman"><span
style='font-size:12.0pt;font-weight:normal'>User sees a message from the
RP that he can now close his browser</span></font></b>.</strong><o:p></o:p></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'><b><font size=3 face="Times New Roman"><span
style='font-size:12.0pt;font-weight:bold'>User closes his browser (or
perhaps the client app closes it, via step 9).</span></font></b><o:p></o:p></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'>Desktop client polls the URL <strong><b><font
face="Times New Roman"><a
href="http://servercomponent.com/client-complete/">http://servercomponent.com/client-complete/
</a><nonce></font></b></strong><b><span style='font-weight:bold'><br>
<strong><b><font face="Times New Roman"> every 15 seconds until that
page contains certain information (maybe hidden html fields? Maybe
an atom feed?) to let the desktop client know that the auth was succesful
or not. </font></b></strong></span></b>Of course, the server
component (on <a href="http://servercomponent.com">servercomponent.com</a>)
knows about the sucess or failure since it is a normal RP and has done
normal OpenID auth in step 5. The desktop client, in response to a
succesful poll can also try to close the browser window, or give the user
a friendly status message.<o:p></o:p></span></font></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'>Client app now has access to the RP server
component.<o:p></o:p></span></font></li>
</ol>
<p class=MsoNormal style='margin-bottom:12.0pt'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'><br>
[1] <a href="http://blog.wachob.com/2007/03/openid_for_desk.html">http://blog.wachob.com/2007/03/openid_for_desk.html</a><o:p></o:p></span></font></p>
<div>
<p class=MsoNormal><span class=gmailquote><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'>On 4/29/07, <st1:PersonName w:st="on"><b><span
style='font-weight:bold'>Gabe Wachob</span></b></st1:PersonName> <<a
href="mailto:gabe.wachob@amsoft.net">gabe.wachob@amsoft.net</a>> wrote:</span></font></span><o:p></o:p></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>I'm not sure if what I discussed earlier on this list and on my blog
matches<br>
your requirements, but you might find it of interest:<br>
<br>
<a href="http://blog.wachob.com/2007/03/openid_for_desk.html">http://blog.wachob.com/2007/03/openid_for_desk.html
</a><br>
<br>
-Gabe<br>
<br>
> -----Original Message-----<br>
> From: <a href="mailto:general-bounces@openid.net">general-bounces@openid.net</a>
[mailto:<a href="mailto:general-bounces@openid.net">general-bounces@openid.net </a>]
On<br>
> Behalf Of Brendan Taylor<br>
> Sent: Sunday, April 29, 2007 5:16 PM<br>
> To: <a href="mailto:general@openid.net">general@openid.net</a><br>
> Subject: [OpenID] Using OpenID outside of the browser<br>
><br>
> I've written a web-based Atom Publishing Protocol client[1] that uses<br>
> OpenID for identifying users. It seems to me that since I have a user's<br>
> OpenID anyways, it makes sense to include it when publishing an entry; <br>
> the problem is that while the client knows the user controls that URL,<br>
> there is no way (that I know of) for the client to prove that to another<br>
> server.<br>
><br>
> A more general case: I would like to let people comment on my blog using <br>
> the Atom Publishing Protocol. I would also like to use and verify their<br>
> OpenIDs for identification. But most APP clients aren't going to be part<br>
> of a browser, and so the login-redirect-set cookie dance seems out of <br>
> place.<br>
><br>
> What's the best way to marry OpenID and non-browser clients?<br>
><br>
> 1: <<a href="http://necronomicorp.com/pushpin">http://necronomicorp.com/pushpin</a>><br>
<br>
_______________________________________________ <br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a><o:p></o:p></span></font></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
</div>
</div>
</body>
</html>