Non-browser Identity Verification
Martin Atkins
mart at degeneration.co.uk
Wed May 18 13:10:33 PDT 2005
Brad Fitzpatrick wrote:
> On Wed, 18 May 2005, Martin Atkins wrote:
>
>
>>The local web server approach will never work because no-one with any
>>sense allows arbitrary incoming connections from the Internet. Some
>>people explicitly block it, others just use some wacky NAT setup. Your
>
>
> No connection is coming from the outside!
>
Right you are. I didn't think it through properly.
This still seems like a lot more effort than it should be, and has its
own issues:
* The user will be asked to approve an assert to the localhost URL, and
clicking "Yes; forever" won't work because it'll use a different port
number each time.
* Clients still need a whole browser to display the HTML and JavaScript
crap that the identity server returns.
I have a working (if a little hacky) implementation here of a headless
(as in no browser) client which parses the Location header. The only
hole I can't fix is that I have to copy the authorize URL to my browser
and hit the "Yes" button. (I've currently got a valid LJ session cookie
hardcoded into the program, which is how it manages to get that far.)
This is all I really want to fix. It doesn't have to be HTTP auth, but I
want the server to tell my software in some way how it can authenticate
without a browser. It could just be a parameter on the "setup_url"
response for all I care. I just picked HTTP auth because someone's
already done all of the thinking for that.
>>The silly thing is that the browser mode is really the special case.
>
> That's classic Mart right there. :)
>
> That's the case I'm working to solve. Go join one of those theory working
> groups and I'll see your implementation in 10 years. This is about
> solving the common case today.
>
Perhaps so, but what we've got right now is less a protocol and more
just a hack exploiting current browser behavior. The completely pure
approach would be to change the browser to support the clean protocol,
but all I'm asking is for a little change to the hack protocol so that
software that isn't a browser can still play.
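As an added illustration (not code from this thread or from any LiveJournal/yadis implementation) of what a headless client like the one Mart describes has to do with the identity server's redirect: read the Location header without auto-following it, refuse anything that does not point back at the client's own return URL, and then tell apart a signed assertion from a "go approve this in a browser" answer. The parameter names are OpenID 1.x-style (openid.mode, openid.user_setup_url, ...) and the hostnames are constructed; both are assumptions, since the mail only says "setup_url".

```python
from urllib.parse import urlsplit, parse_qs
# Constructed samples of what an identity server might send back to a
# headless client. Parameter names follow the OpenID 1.x convention
# (openid.mode, openid.user_setup_url, ...) and are an assumption here.
NEEDS_BROWSER = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://client.example/return?openid.mode=id_res"
    "&openid.user_setup_url=http%3A%2F%2Fidserver.example%2Fauthorize\r\n\r\n"
)
ASSERTION = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://client.example/return?openid.mode=id_res"
    "&openid.identity=http%3A%2F%2Fmart.example%2F"
    "&openid.signed=mode,identity,return_to&openid.sig=QUJD\r\n\r\n"
)
HOSTILE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://evil.example/return?openid.mode=id_res&openid.sig=x\r\n\r\n"
)

def location_header(raw_response):
    """Pull the Location header out of a raw HTTP response without following it."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return value.strip()
    return None

def classify(raw_response, return_to="http://client.example/return"):
    """Return (status, detail): "rejected" (not our return_to, or malformed),
    "cancelled", "needs_browser" (detail is the URL a human must visit, the
    gap the mail describes) or "assertion" (detail is the identity to verify)."""
    loc = location_header(raw_response)
    if loc is None:
        return "rejected", None
    want, got = urlsplit(return_to), urlsplit(loc)
    # Only trust the query if the redirect really targets our own return URL.
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        return "rejected", loc
    q = {k: v[0] for k, v in parse_qs(got.query).items()}
    mode = q.get("openid.mode")
    if mode == "cancel":
        return "cancelled", None
    if mode == "id_res" and "openid.user_setup_url" in q:
        return "needs_browser", q["openid.user_setup_url"]
    if mode == "id_res" and all(k in q for k in ("openid.identity", "openid.signed", "openid.sig")):
        return "assertion", q["openid.identity"]
    return "rejected", loc
```

The "assertion" branch only confirms the signature material is present; checking the signature against the association is the next step and is not shown here.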