Noodling on OpenID and subauthorizatoin

meepbear * meepbear at
Sun Jun 26 04:59:02 PDT 2005

Wouldn't a token based system make more sense? The protocol wouldn't need 
much of a change for that to work.

When the user agent gets redirected to the openid server 
(mode=checkid_immediate) upon passing authentication it returns an extra 
openid.token parameter that can be used for impersonation purposes (but it 
only includes it for consumers that have been specifically authorized by you 
to impersonate you).

In your example, you would ID yourself to the aggregator and it receives a 
token from your openid server. When it contacts livejournal, it passes it 
your openid URL and the token. The livejournal openid server then contacts 
your openid server to validate the token and if it's authentic then 
livejournal would know that the aggregator is acting on your behalf and 
allows it the same kind of access that it would allow you.

It has both the advantage of 'server subauthorization' that you manage all 
of your permissions on the server side and the advantage of consumer 
subauthorization that no new file format is needed, everything would happen 

It shouldn't matter to livejournal who the consumer is or what it's trying 
to do. If it has a valid token then that's proof that you authorized it to 
act on your behalf.
However it can still decide what actions it will allow a token to perform on 
your behalf and which actions require "direct involvement". (An imaginary 
situation for illustrative purposes only: reading friends' entries is 
allowed either interactively or through the token, but commenting requires 
non-impersonated ID)

More information about the yadis mailing list