Non-browser Identity Verification
mart at degeneration.co.uk
Wed May 18 02:24:56 PDT 2005
The current scheme is (as far as I can see) bound to the browser. If
this is to become some amazing used-everywhere identity system, I think
it's important to support non-browser-based auth too. I suspect it might
already be supported in some sense, but let's think about it a little
An example of the kind of scenario I have in mind is a local application
which will ultimately be submitting something to a server with an OpenID
identity attached. For the sake of example, let's say that we're
submitting some changes to MusicBrainz (<http://www.musicbrainz.org/>)
from our media player, which is not a browser. In my hypothetical
example world, MusicBrainz now allows OpenID identities to make changes
without having to create a MusicBrainz account, and changes can be made
both from the browser interface and through an API.
Of course, the system as currently designed relies on some token (which
is probably a cookie) going to the identity server. If it's all
happening server-side, this won't happen, so there still needs to be a
client-side step where the user dances off to their identity server,
proves they are the correct person by logging in, and thus approves the
transaction. The client will be doing HTTP behind the scenes, but has no
browser interface. It also probably won't have access to the browser's
Cookies. What are the options here?
An obvious enhancement that springs to mind is to have the identity
server request HTTP auth if it cannot identify the user by the included
cookies. Since HTTP auth is machine-understandable, a client could then
provide an interface to enter the relevant auth details and then
everything else proceeds as normal.
Assuming I'm not missing something (which is possible, since I've not
actually made any practical use of Yadis yet) once the authentication is
complete the rest of the process can proceed as normal and the client
can retain the digest to be submitted to the server later. In my
modified scenario, the client application takes the role of the client
and most of the helper, but the actual server behind the scenes will
eventually do the key validation stuff before committing the changes.
Does this sound sensible, or have I missed an important detail?
As ever, alternative approaches are welcomed.
More information about the yadis