Authentication Protocols for Non-browser Apps
Martin Atkins
mart at degeneration.co.uk
Sat Apr 7 16:44:16 UTC 2007

Today I've re-written the HTTP Authentication bindings I previously
specified to support the use of associations rather than using dumb mode
exclusively. The new specification more closely mirrors the
browser-based OpenID Authentication protocol and wherever possible just
adapts it to go over the different transport.

<http://openid.net/wiki/index.php/OpenID_HTTP_Authentication>

That protocol alone allows a non-human agent to authenticate as itself
when acting as its own OP. This means that it is able to maintain its
own associations and can compute its own assertion signatures.

I've drafted a second protocol that would allow the above protocol to be
used for human users that use a traditional OP:

<http://openid.net/wiki/index.php/Signature_Request_Protocol>

This does unfortunately require special support from the OP. Given that
support for this protocol or another protocol like it is very important
for non-browser app authentication I'm wondering if perhaps it should be
rolled into the core OpenID Authentication 2.0 spec; as it currently
stands, it's really just a different interface to what the OP already
does, so it wouldn't be a massive extra implementation burden, though
there are some remaining issues I've outlined in that wiki page that
will certainly need to be addressed first.