Non-browser Identity Verification
Martin Atkins
mart at degeneration.co.uk
Wed May 18 12:36:39 PDT 2005
Brad Fitzpatrick wrote:
> With the local webserver hack, I'm not willing to extend the
> otherwise-simple protocol for some weird case.
>
> No identity servers will support the weird case, and therefore all the
> consumer desktop apps that want to work with OpenID will do the local
> webserver hack anyway, perpetuating the demise of your "raw" mode.
>
My proposal was in two parts, really:
* A more general protocol that doesn't do weird stuff to exploit the way
browsers work.
* Machine-readable authentication.
Clients shouldn't have to embed or otherwise use a browser to do the
authentication step. I'm willing to concede that having two protocol
encodings is a little superfluous, but I do think that there should be a
way to force authentication by HTTP auth similar to LiveJournal's
auth=digest.
The local web server approach will never work because no-one with any
sense allows arbitrary incoming connections from the Internet. Some
people explicitly block it, others just use some wacky NAT setup. Your
first proposal of sending a garbage return URL was better, and was in
fact how I was doing it when I was experimenting before making my proposal.
The silly thing is that the browser mode is really the special case.
Nothing else other than browsers uses IFRAMEs, Redirects, JavaScript and
Cookies. Of course I realise in practice that everyone's too
short-sighted to think about a future world where we will use something
other than today's browsers.
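The "garbage return URL" approach Martin mentions, as an added example that is not code from the yadis list, from Martin's experiments, or from any OpenID library: a desktop client supplies a return URL that nothing will ever serve, then reads the assertion parameters out of the identity server's redirect instead of following it, so no inbound connection (and no local web server behind a NAT or firewall) is needed. The mock identity server, its /auth endpoint, the parameter names (identity, return_to, mode, sig) and the RETURN_TO sentinel are all assumptions chosen for illustration.

```python
"""Non-browser client that completes an identity-server round trip without
opening a listening port: it sends a return URL nothing will ever serve and
reads the parameters out of the redirect instead of following it.

Added example, not code from the yadis list, Martin's experiments, or any
OpenID library. The mock identity server, its /auth endpoint, the parameter
names (identity, return_to, mode, sig) and RETURN_TO are assumptions."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlsplit

# Sentinel return URL. The .invalid TLD (RFC 2606) never resolves, so even a
# client that mistakenly follows the redirect cannot reach a third party.
# Nothing listens here and no inbound connection is ever needed.
RETURN_TO = "http://return.invalid/cb"


class MockIdentityServer(BaseHTTPRequestHandler):
    """Constructed stand-in for an identity server. It treats every /auth
    request as an already-authenticated user and redirects to return_to
    with the assertion parameters appended, as a browser-oriented server would."""

    def do_GET(self):
        parts = urlsplit(self.path)
        if parts.path != "/auth":
            self.send_error(404)
            return
        q = parse_qs(parts.query)
        return_to = q.get("return_to", [""])[0]
        assertion = {
            "mode": "id_res",
            "identity": q.get("identity", [""])[0],
            "sig": "c0ffee",  # placeholder; a real server signs the assertion
        }
        sep = "&" if "?" in return_to else "?"
        self.send_response(302)
        self.send_header("Location", return_to + sep + urlencode(assertion))
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the example quiet


def start_mock_server():
    """Bind the mock server to an ephemeral localhost port and serve in the background."""
    server = HTTPServer(("127.0.0.1", 0), MockIdentityServer)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def capture_redirect(host, port, identity, return_to=RETURN_TO):
    """Request authentication and capture the redirect target rather than fetching it.

    Returns the assertion parameters carried in the redirect's query string.
    Raises if the server did not redirect, or redirected somewhere other than
    the sentinel return URL we supplied."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", "/auth?" + urlencode({"identity": identity,
                                                   "return_to": return_to}))
        resp = conn.getresponse()
        status, location = resp.status, resp.getheader("Location", "")
    finally:
        conn.close()
    if status not in (301, 302, 303, 307, 308):
        raise RuntimeError("expected a redirect, got HTTP %d" % status)
    target, expected = urlsplit(location), urlsplit(return_to)
    # Accept only a redirect to our own sentinel (scheme, host and path must
    # match). Any other Location is an intermediate hop or an error page, not
    # the callback, and must not be treated as an assertion.
    if (target.scheme, target.netloc, target.path) != (expected.scheme, expected.netloc, expected.path):
        raise RuntimeError("redirect went to %r, not the sentinel return URL" % location)
    return {k: v[0] for k, v in parse_qs(target.query).items()}


def demo(identity="http://example.com/martin"):
    """Run the full exchange against the mock server and return the captured assertion."""
    server = start_mock_server()
    try:
        return capture_redirect(*server.server_address, identity=identity)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

The client never binds a socket of its own; the only connection is the outbound one it opens to the identity server, which is exactly what NAT and inbound-blocking firewalls permit. Checking that the Location header really points at the sentinel is the important part: a client that blindly parsed any redirect's query string would accept whatever an intermediate page or a misbehaving server sent back.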