Non-browser Identity Verification
mart at degeneration.co.uk
Wed May 18 12:36:39 PDT 2005
Brad Fitzpatrick wrote:
> With the local webserver hack, I'm not willing to extend the
> otherwise-simple protocol for some weird case.
> No identity servers will support the weird case, and therefore all the
> consumer desktop apps that want to work with OpenID will do the local
> webserver hack anyway, perpetuating the demise of your "raw" mode.

My proposal was in two parts, really:
* A more general protocol that doesn't do weird stuff to exploit the way
* Machine-readable authentication.

Clients shouldn't have to embed or otherwise use a browser to do the
authentication step. I'm willing to concede that having two protocol
encodings is a little superfluous, but I do think that there should be a
way to force authentication by HTTP auth similar to LiveJournal's

The local web server approach will never work because no-one with any
sense allows arbitrary incoming connections from the Internet. Some
people explicitly block it, others just use some wacky NAT setup. Your
first proposal of sending a garbage return URL was better, and was in
fact how I was doing it when I was experimenting before making my proposal.

The silly thing is that the browser mode is really the special case.
Cookies. Of course I realise in practice that everyone's too
short-sighted to think about a future world where we will use something
other than today's browsers.