Non-interactive logins
Anders Feder
lists.anders at feder.dk
Wed Jul 16 10:18:15 UTC 2008
This looks like an interesting proposal. A 'black box' with regards to
how the application obtains assoc_handle and signature from the OP
remains, but it looks like a step in the right direction.
What remains to be done to elevate this proposal to a standard?
On Wed, 16 07 2008 at 15:09 +1000, Manger, James H wrote:
> Hi Anders,
>
> There has been some work on this important issue, though it seems to have been dormant for a while.
>
> There seem to be two proposals (by Martin Atkins) using OpenID as an HTTP authentication mechanism. It is suitable for non-browser, non-interactive use cases.
>
> http://wiki.openid.net/OpenIDHTTPAuth
>
> http://wiki.openid.net/OpenID_HTTP_Authentication
>
>
> I really like the idea of this basic flow:
> 1. RP indicates it supports OpenID with WWW-Authenticate: OpenID header;
> 2. App interacts with the app's OP;
> 3. App sends OpenID authentication response to RP in Authorization header;
> 4. RP performs discovery;
> 5. RP does direct verification with OP.
>
> App --GET xxx--> RP
> <--401 WWW-Authenticate: OpenID realm="..."--
>
> App <----> OP [if necessary]
>
> App --GET xxx Authorization: OpenID <opened-auth-request-stuff>--> RP
>
> RP --GET <claimed_id>-->
> <--discovery XRDS/HTML--
>
> RP --POST ...openid.mode=check_authentication--> OP
> <--is_valid=true--
>
> App <--200 content--
>
>
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs
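The flow James sketches above, as an added Python simulation that is not part of this thread or of either wiki proposal. The RP, the app and the OP are in-process objects; the encoding of the `Authorization: OpenID` header (comma-separated key="value" pairs with percent-encoded values) is an assumption, since the proposals' exact syntax is not on the page; discovery is a dict standing in for the XRDS/HTML fetch; signing and the check_authentication key-value form follow OpenID 2.0 conventions. Alongside the happy path it shows the checks an RP needs before trusting the header: return_to inside its realm, op_endpoint matching discovery, required fields actually signed, and a nonce cache so a captured header cannot be replayed.

```python
import base64, hashlib, hmac, re, secrets
from datetime import datetime, timezone
from urllib.parse import quote, unquote

OPENID_NS = "http://specs.openid.net/auth/2.0"
SIGNED_FIELDS = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]


def parse_kv(text):
    # OpenID direct-response key-value form: one "key:value" per line
    return dict(line.split(":", 1) for line in text.splitlines() if ":" in line)


def build_authorization_header(params):
    # Assumed header syntax (not from the thread): OpenID k="v", k="v" with percent-encoded values
    return "OpenID " + ", ".join(f'{k}="{quote(v, safe="")}"' for k, v in sorted(params.items()))


def parse_authorization_header(header):
    scheme, _, rest = header.partition(" ")
    if scheme != "OpenID":
        return None
    return {m.group(1): unquote(m.group(2)) for m in re.finditer(r'([\w.]+)="([^"]*)"', rest)}


class OpenIDProvider:
    """Simulated OP: issues associations, signs assertions, answers check_authentication."""

    def __init__(self, endpoint):
        self.endpoint = endpoint
        self._assocs = {}       # assoc_handle -> HMAC key
        self._verified = set()  # nonces already confirmed; OpenID 2.0 forbids a second verification

    def new_association(self):
        handle = "assoc-" + secrets.token_hex(4)
        self._assocs[handle] = secrets.token_bytes(32)
        return handle

    def _mac(self, handle, params):
        # Signature covers the key-value form of the fields named in openid.signed
        msg = "".join(f"{k}:{params.get('openid.' + k, '')}\n" for k in params["openid.signed"].split(","))
        return base64.b64encode(hmac.new(self._assocs[handle], msg.encode(), hashlib.sha256).digest()).decode()

    def sign_assertion(self, handle, claimed_id, return_to):
        nonce = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ") + secrets.token_hex(3)
        params = {"openid.ns": OPENID_NS, "openid.mode": "id_res", "openid.op_endpoint": self.endpoint,
                  "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
                  "openid.return_to": return_to, "openid.response_nonce": nonce,
                  "openid.assoc_handle": handle, "openid.signed": ",".join(SIGNED_FIELDS)}
        params["openid.sig"] = self._mac(handle, params)
        return params

    def check_authentication(self, params):
        # Step 5 (direct verification): what the OP would return to the RP's POST
        handle, nonce = params.get("openid.assoc_handle"), params.get("openid.response_nonce")
        if params.get("openid.mode") != "check_authentication" or handle not in self._assocs or nonce in self._verified:
            return f"ns:{OPENID_NS}\nis_valid:false\n"
        ok = hmac.compare_digest(self._mac(handle, params), params.get("openid.sig", ""))
        if ok:
            self._verified.add(nonce)
        return f"ns:{OPENID_NS}\nis_valid:{'true' if ok else 'false'}\n"


class RelyingParty:
    def __init__(self, realm, discovery):
        self.realm = realm
        self._discovery = discovery  # claimed_id -> OP; stands in for XRDS/HTML discovery (step 4)
        self._seen_nonces = set()

    def handle_get(self, headers):
        challenge = {"WWW-Authenticate": f'OpenID realm="{self.realm}"'}
        auth = headers.get("Authorization")
        if auth is None:
            return 401, challenge, ""
        p = parse_authorization_header(auth)
        if p is None or p.get("openid.ns") != OPENID_NS or p.get("openid.mode") != "id_res":
            return 401, challenge, "malformed OpenID response"
        # Bind the assertion to this RP and to the OP that discovery names before trusting any signature
        if not p.get("openid.return_to", "").startswith(self.realm):
            return 403, {}, "return_to outside realm"
        op = self._discovery.get(p.get("openid.claimed_id"))
        if op is None or p.get("openid.op_endpoint") != op.endpoint:
            return 403, {}, "op_endpoint does not match discovery"
        if not set(SIGNED_FIELDS) <= set(p.get("openid.signed", "").split(",")):
            return 403, {}, "required fields not signed"
        if p.get("openid.response_nonce") in self._seen_nonces:
            return 403, {}, "replayed response"
        verify = dict(p)
        verify["openid.mode"] = "check_authentication"
        if parse_kv(op.check_authentication(verify)).get("is_valid") != "true":
            return 401, challenge, "signature rejected"
        self._seen_nonces.add(p["openid.response_nonce"])
        return 200, {}, f"hello {p['openid.claimed_id']}"


def app_fetch(rp, op, handle, claimed_id, tamper=None):
    """Steps 1-3 from the app's side; `tamper` lets a caller corrupt the assertion to see it rejected."""
    status, hdrs, _ = rp.handle_get({})
    m = re.match(r'OpenID realm="([^"]*)"', hdrs.get("WWW-Authenticate", ""))
    if status != 401 or not m:
        return status, hdrs, "RP does not offer OpenID HTTP auth"
    params = op.sign_assertion(handle, claimed_id, m.group(1))  # the 'black box' app<->OP step
    if tamper:
        params.update(tamper)
    return rp.handle_get({"Authorization": build_authorization_header(params)})


def demo():
    # Constructed hosts; returns (status of a valid login, status of a tampered one)
    op = OpenIDProvider("https://op.example/endpoint")
    rp = RelyingParty("https://rp.example", {"https://alice.op.example/": op})
    handle = op.new_association()
    good = app_fetch(rp, op, handle, "https://alice.op.example/")
    bad = app_fetch(rp, op, handle, "https://alice.op.example/", tamper={"openid.identity": "https://mallory.op.example/"})
    return good[0], bad[0]


if __name__ == "__main__":
    print(demo())
```

Nothing here touches the open question in the thread, how the app obtains assoc_handle and a signature from its OP; `sign_assertion` simply stands in for that box so the RP-side checks can be exercised end to end.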