[security] passing password on identification request?

Anthony Brassac a.brassac2 at gmail.com
Tue Oct 13 16:07:17 UTC 2009


Hi all,
Sorry I'm not very knowledgeable on everything that's network related,
therefore I apologize if my question is stupid.
We're trying to implement a webservice that queries our system for which
users need identification. We would like to be able to send both the user's
open id url along with the password. There doesn't seem to be any such
mechanism in open id's specifications. Now even to a newbie like me it seems
pretty unsafe to transfer a password in a get/post, but maybe someone came
up with a more secure way of doing such a thing?
Basically we'd like to achieve something that more or less looks like
www.myserver.com/myservice?action=myaction&user=myuser&password=mypassword,
and that would return the result of myaction based on the credentials of
myuser (identified by mypassword).
I tried to search around on various forums but couldn't really find anyone
with the same problem, it seems most people use open id with a web
interface, not so much from webservice calls like that. Obviously we'd like
to avoid this call to redirect users to a login page, since most of our
users will use it programmatically.
Thanks a lot and again sorry if that makes no sense,
Anthony
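
The request shape in the message above carries the password in the query string, and web servers normally record the full request target in their access logs. The following is an added example, not part of the original post: a Python check that flags and redacts credential parameters in access-log lines. The parameter-name list, function names and sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Assumption: parameter names treated as credentials (not from the original post).
SENSITIVE = {"password", "passwd", "pwd", "pass", "secret", "token"}

# Request line inside a Common/Combined Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def scrub_target(target):
    """Return (redacted_target, [leaked parameter names]) for one request target."""
    parts = urlsplit(target)
    leaked, kept = [], []
    # parse_qsl percent-decodes names, so "Pass%77ord" is seen as "Password".
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE:
            leaked.append(key)
            value = "REDACTED"
        kept.append((key, value))
    if not leaked:
        return target, leaked
    return parts._replace(query=urlencode(kept)).geturl(), leaked


def scrub_line(line):
    """Redact credential parameters in one access-log line; report what was found."""
    match = REQUEST_RE.search(line)
    if not match:
        return line, []
    redacted, leaked = scrub_target(match.group("target"))
    start, end = match.span("target")
    return line[:start] + redacted + line[end:], leaked


# Constructed sample log lines using the URL shape from the message.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Oct/2009:16:07:17 +0000] '
    '"GET /myservice?action=myaction&user=myuser&password=mypassword HTTP/1.1" 200 512',
    '203.0.113.7 - - [13/Oct/2009:16:08:02 +0000] '
    '"GET /myservice?action=myaction&user=myuser&Pass%77ord=x HTTP/1.1" 200 512',
    '203.0.113.9 - - [13/Oct/2009:16:09:40 +0000] "GET /myservice?action=status HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        clean, leaked = scrub_line(entry)
        print(("LEAK " + ",".join(leaked)) if leaked else "ok", "|", clean)
```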