Non-browser Identity Verification

Martin Atkins mart at degeneration.co.uk
Wed May 18 13:10:33 PDT 2005


Brad Fitzpatrick wrote:
> On Wed, 18 May 2005, Martin Atkins wrote:
>
>>The local web server approach will never work because no-one with any
>>sense allows arbitrary incoming connections from the Internet. Some
>>people explicitly block it, others just use some wacky NAT setup. Your
>
> No connection is coming from the outside!
>

Right you are. I didn't think it through properly.

This still seems like a lot more effort than it should be, and has its 
own issues:
* The user will be asked to approve an assert to the localhost URL, and 
clicking "Yes; forever" won't work because it'll use a different port 
number each time.
* Clients still need a whole browser to display the HTML and JavaScript 
crap that the identity server returns.

I have a working (if a little hacky) implementation here of a headless 
(as in no browser) client which parses the Location header. The only 
hole I can't fix is that I have to copy the authorize URL to my browser 
and hit the "Yes" button. (I've currently got a valid LJ session cookie 
hardcoded into the program, which is how it manages to get that far.)

This is all I really want to fix. It doesn't have to be HTTP auth, but I 
want the server to tell my software in some way how it can authenticate 
without a browser. It could just be a parameter on the "setup_url" 
response for all I care. I just picked HTTP auth because someone's 
already done all of the thinking for that.

>>The silly thing is that the browser mode is really the special case.
> 
> That's classic Mart right there.  :)
> 
> That's the case I'm working to solve.  Go join one of those theory working
> groups and I'll see your implementation in 10 years.  This is about
> solving the common case today.
> 

Perhaps so, but what we've got right now is less a protocol and more 
just a hack exploiting current browser behavior. The completely pure 
approach would be to change the browser to support the clean protocol, 
but all I'm asking is for a little change to the hack protocol so that 
software that isn't a browser can still play.
