[security] passing password on identification request?
Anthony Brassac
a.brassac2 at gmail.com
Mon Oct 19 15:28:39 UTC 2009
But no matter what, even with oAuth I will need to log in using a web
browser at some point in order to get that key/secret combination, won't i?
Unless there are providers that offer programmatic log in?
I have a feeling we are going to end up having to write something ourselves
:S
On Thu, Oct 15, 2009 at 11:54 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:
> You can have the user authenticate to the oAuth provider via openID if it
> is a condition of the grant:)
> That may be the best way to do it anyway depending on how the app is
> configured.
>
> John B.
>
> On 2009-10-15, at 12:00 PM, Anthony Brassac wrote:
>
> Thanks all for your replies, oAuth looks like it could do it for us,
> however it seems management had agreed upon using OpenID (research grant
> related I think), so I'll have to see what gives. Anyway, I appreciate your
> support.
>
> On Wed, Oct 14, 2009 at 1:47 AM, SitG Admin <
> sysadmin at shadowsinthegarden.com> wrote:
>
>> Users giving there passwords to RPs is what openID is trying to prevent.
>>> That is why passwords are not supported in the redirect.
>>>
>>
>> Hmm . . . minor clarification here, though: users giving passwords *their
>> passwords for the OP* (or otherwise transmitting "in the clear") is not
>> compatible with OpenID.
>>
>> If the RP wants to ask for another password (one local to that system),
>> e.g. for rarely invoked high levels of access, it *might* be compatible with
>> OpenID (depends on the exact use, but isn't automatically NOT compatible).
>>
>> The description Anthony gave sounds vaguely like Kerberos (from the MIT
>> dialogue), but my mind is stuffed full of other things right now and I get a
>> bit of a headache just getting some meaning out of roughly half of it (the
>> rest seems beyond me tonight).
>>
>> -Shade
>>
>> _______________________________________________
>> security mailing list
>> security at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-security
>>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-security/attachments/20091019/640b82ec/attachment.htm>
More information about the security
mailing list