Non-browser Identity Verification

Evan Martin evan.martin at gmail.com
Wed May 18 15:42:45 PDT 2005


On 5/18/05, Brad Fitzpatrick <brad at danga.com> wrote:
> Okay, I think I hear you now.  Not all client apps (consumers) will use an
> HTTP library that uses the "system's" cookies, which is unreliable anyway,
> since what browser is the system one?  But you're still going to invoke
> their default browser anyway, right, to send them to their homesite to do
> their auth?  Otherwise they're giving their password to the consumer app,
> which is scary.
> 
> So shit, the local webserver actually is sounding nice.

They've already given their password-equivalent to an app running on
the same system: their web browser.  Can Mozilla somehow protect
~/.mozilla/firefox/profile/cookies.txt from being read by an external
application?  I don't buy this.

I agree with the concern that too much implementation here will
needlessly complicate things, but designing a reasonable client API is
crucial if you intend for the service to be useful beyond browsers.

