[security] passing password on identification request?

John Bradley ve7jtb at ve7jtb.com
Tue Oct 13 17:19:18 UTC 2009


Your question makes sense.

Users giving their passwords to RPs is what openID is trying to prevent.
That is why passwords are not supported in the redirect.

If you are trying to do authentication in an app then oAuth may be a better choice for web services.

I don't know enough about your use case to give you a firm recommendation, other than openID may not be appropriate.

John B.
On 2009-10-13, at 1:07 PM, Anthony Brassac wrote:

> Hi all,
> Sorry I'm not very knowledgeable on everything that's network related, therefore I apologize if my question is stupid.
> We're trying to implement a webservice that queries our system for which users need identification. We would like to be able to send both the user's open id url along with the password. There doesn't seem to be any such mechanism in open id's specifications. Now even to a newbie like me it seems pretty unsafe to transfer a password in a get/post, but maybe someone came up with a more secure way of doing such a thing?
> Basically we'd like to achieve something that more or less looks like www.myserver.com/myservice?action=myaction&user=myuser&password=mypassword, and that would return the result of myaction based on the credentials of myuser (identified by mypassword).
> I tried to search around on various forums but couldn't really find anyone with the same problem; it seems most people use open id with a web interface, not so much from webservice calls like that. Obviously we'd like to avoid this call redirecting users to a login page, since most of our users will use it programmatically.
> Thanks a lot and again sorry if that makes no sense,
> Anthony
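Added example (not code from either poster): the endpoint Anthony sketches puts the password into the URL, where it lands in access logs, proxy logs and browser history. The block shows a check that flags such requests in constructed log lines, and the token-based shape John's oAuth suggestion points toward, where a programmatic client presents an opaque bearer token instead of the password; `TokenStore` is a hypothetical stand-in for a real token endpoint.

```python
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs

# Parameter names a credential might travel under in a query string (constructed list).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass"}

def find_credentials_in_url(url):
    """Return the sensitive query-parameter names present in a URL, sorted."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(k for k in qs if k.lower() in SENSITIVE_PARAMS)

def flag_log_lines(lines):
    """Return request targets from access-log lines that carried a password in the URL.
    Lines are in common log format: ... "GET /target HTTP/1.1" ..."""
    flagged = []
    for line in lines:
        target = line.split('"')[1].split()[1]
        if find_credentials_in_url(target):
            flagged.append(target)
    return flagged

class TokenStore:
    """Hypothetical stand-in for an OAuth token endpoint: issues opaque tokens bound to a user."""
    def __init__(self):
        self._tokens = {}
    def issue(self, user):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = user
        return token
    def resolve(self, presented):
        # Constant-time comparison so the lookup does not leak how much of a token matched.
        for token, user in self._tokens.items():
            if hmac.compare_digest(token.encode(), presented.encode()):
                return user
        return None

def handle_request(store, url, headers):
    """Service entry point: refuse credentials in the query string, authenticate by bearer token."""
    if find_credentials_in_url(url):
        return 400, "credentials must not be sent in the URL"
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    user = store.resolve(auth[len("Bearer "):])
    if user is None:
        return 401, "invalid token"
    action = parse_qs(urlsplit(url).query).get("action", [""])[0]
    return 200, f"{action} as {user}"
```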
