<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Hi Anthony - <br>
<br>
In OAuth, the user authenticates with a web browser at the user's
Service Provider, almost always by typing their password into a form
hosted by the SP.<br>
<br>
After the user authenticates with the SP, the SP then redirects the
user's browser to the Consumer (another website) with a response.
Behind the scenes, the Consumer then makes a web service call back to
the SP to get an OAuth Access Token, which is the credential that the
Consumer can use in lieu of the password.<br>
<br>
After all is said and done, the user's web browser is at the Consumer's
website, and the Consumer has an OAuth credential that can access the
user's data at the Service Provider.<br>
<br>
Based on your description, it sounds like you want a way for a user to
pass a credential from an Identity Provider (the OAuth SP) to another
website (aka the Relying Party or Consumer), and that's exactly what
OAuth is meant to do.<br>
<br>
Allen<br>
<br>
<br>
<br>
Anthony Brassac wrote:
<blockquote
cite="mid:581e985d0910191013y223f48c6je0a6ccd8205af23@mail.gmail.com"
type="cite">I see, what's unfortunate is that OpenID was perfect for
the needs of our web application. Unfortunately it won't meet the
requirements of our web service, so we may actually choose to write our
own system now (seeing as how even OAuth needs manual logging in at
some point too). Though I'm surprised that we seem to be the only ones
with this problem, is that a technical challenge to make OpenID more
web service friendly or is that just a matter of time?<br>
<br>
<br>
<div class="gmail_quote">On Mon, Oct 19, 2009 at 11:40 AM, John
Bradley <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div style="">The user needs to approve the OAuth access somehow.
It only needs to be a web browser if you want to use OpenID for that.
<div><br>
</div>
<div>Sorry for the bad news, but OpenID requires a browser at this
point. </div>
<div><br>
</div>
<div>If you are the authenticator for the account and not a third
party then there are lots of ways to solve your problem, but you will
have to stretch to claim they have any connection to OpenID.</div>
<div><br>
</div>
<div>John B.
<div>
<div class="h5"><br>
<div>
<div>On 2009-10-19, at 12:28 PM, Anthony Brassac wrote:</div>
<br>
<blockquote type="cite">But no matter what, even with OAuth I will
need to log in using a web browser at some point in order to get that
key/secret combination, won't I? Unless there are providers that offer
programmatic log in?<br>
<br>
I have a feeling we are going to end up having to write something
ourselves :S<br>
<br>
<br>
<div class="gmail_quote">On Thu, Oct 15, 2009 at 11:54 AM, John
Bradley <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:ve7jtb@ve7jtb.com" target="_blank">ve7jtb@ve7jtb.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>You can have the user authenticate to the OAuth provider
via OpenID if it is a condition of the grant:)
<div><br>
</div>
<div>That may be the best way to do it anyway depending on how
the app is configured.</div>
<div><br>
</div>
<div>John B.
<div>
<div><br>
<div>
<div>On 2009-10-15, at 12:00 PM, Anthony Brassac wrote:</div>
<br>
<blockquote type="cite">Thanks all for your replies, OAuth
looks like it could do it for us, however it seems management had
agreed upon using OpenID (research grant related I think), so I'll have
to see what gives. Anyway, I appreciate your support.<br>
<br>
<div class="gmail_quote">On Wed, Oct 14, 2009 at 1:47 AM,
SitG Admin <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:sysadmin@shadowsinthegarden.com" target="_blank">sysadmin@shadowsinthegarden.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Users
giving their passwords to RPs is what OpenID is trying to prevent.<br>
That is why passwords are not supported in the redirect.<br>
</blockquote>
<br>
</div>
Hmm . . . minor clarification here, though: users giving passwords
*their passwords for the OP* (or otherwise transmitting "in the clear")
is not compatible with OpenID.<br>
<br>
If the RP wants to ask for another password (one local to that system),
e.g. for rarely invoked high levels of access, it *might* be compatible
with OpenID (depends on the exact use, but isn't automatically NOT
compatible).<br>
<br>
The description Anthony gave sounds vaguely like Kerberos (from the MIT
dialogue), but my mind is stuffed full of other things right now and I
get a bit of a headache just getting some meaning out of roughly half
of it (the rest seems beyond me tonight).<br>
<br>
-Shade
<div>
<div><br>
_______________________________________________<br>
security mailing list<br>
<a moz-do-not-send="true"
href="mailto:security@lists.openid.net" target="_blank">security@lists.openid.net</a><br>
<a moz-do-not-send="true"
href="http://lists.openid.net/mailman/listinfo/openid-security"
target="_blank">http://lists.openid.net/mailman/listinfo/openid-security</a><br>
</div>
</div>
</blockquote>
</div>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</blockquote>
<br>
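The redirect-then-exchange sequence described at the top of this message, as an added example that is not part of the original thread: a simplified in-memory model (no request signing or nonces) showing that the password reaches only the Service Provider while the Consumer ends up holding an access token. The class, method, key and user names are hypothetical and the sample data is constructed.

```python
import secrets

def _match(table, key, secret):
    expected = table.get(key)
    return expected is not None and secrets.compare_digest(expected, secret)

class ServiceProvider:
    """Hypothetical in-memory SP; the only party that ever checks the password."""
    def __init__(self, users, consumers):
        self.users, self.consumers = users, consumers   # constructed sample data
        self.request_tokens = {}   # request token -> {"consumer", "user"}
        self.access_tokens = {}    # access token -> (consumer key, user)

    def issue_request_token(self, key, secret):
        if not _match(self.consumers, key, secret):
            raise PermissionError("unknown consumer")
        token = secrets.token_urlsafe(16)
        self.request_tokens[token] = {"consumer": key, "user": None}
        return token

    def login_and_approve(self, token, user, password, callback):
        # Browser step: the password is typed into the SP's own form.
        if token not in self.request_tokens or not _match(self.users, user, password):
            raise PermissionError("login or token rejected")
        self.request_tokens[token]["user"] = user
        return f"{callback}?oauth_token={token}"   # redirect back to the Consumer

    def exchange(self, key, secret, token):
        # Back-channel step: approved request token -> access token, single use.
        if not _match(self.consumers, key, secret):
            raise PermissionError("unknown consumer")
        grant = self.request_tokens.pop(token, None)
        if not grant or grant["user"] is None or grant["consumer"] != key:
            raise PermissionError("request token not approved for this consumer")
        access = secrets.token_urlsafe(16)
        self.access_tokens[access] = (key, grant["user"])
        return access

def run_flow():
    sp = ServiceProvider({"alice": "correct horse"}, {"ckey": "csecret"})
    seen = [sp.issue_request_token("ckey", "csecret")]   # all the Consumer receives
    seen.append(sp.login_and_approve(seen[0], "alice", "correct horse",
                                     "https://consumer.example/cb"))
    seen.append(sp.exchange("ckey", "csecret", seen[0]))
    return sp, seen

if __name__ == "__main__":
    sp, seen = run_flow()
    print(sp.access_tokens[seen[2]])
```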
</body>
</html>