Noodling on OpenID and subauthorizatoin
meepbear at hotmail.com
Sun Jun 26 04:59:02 PDT 2005
Wouldn't a token based system make more sense? The protocol wouldn't need
much of a change for that to work.
When the user agent gets redirected to the openid server
(mode=checkid_immediate) upon passing authentication it returns an extra
openid.token parameter that can be used for impersonation purposes (but it
only includes it for consumers that have been specifically authorized by you
to impersonate you).
In your example, you would ID yourself to the aggregator and it receives a
token from your openid server. When it contacts livejournal, it passes it
your openid URL and the token. The livejournal openid server then contacts
your openid server to validate the token and if it's authentic then
livejournal would know that the aggregator is acting on your behalf and
allows it the same kind of access that it would allow you.
It has both the advantage of 'server subauthorization' that you manage all
of your permissions on the server side and the advantage of consumer
subauthorization that no new file format is needed, everything would happen
It shouldn't matter to livejournal who the consumer is or what it's trying
to do. If it has a valid token then that's proof that you authorized it to
act on your behalf.
However it can still decide what actions it will allow a token to perform on
your behalf and which actions require "direct involvement". (An imaginary
situation for illustrative purposes only: reading friends' entries is
allowed either interactively or through the token, but commenting requires
More information about the yadis