OpenID Auth for agents and "bots"

Thomas Broyer t.broyer at
Sun Aug 6 19:04:29 UTC 2006

2006/8/6, Martin Atkins:
> I've posted on the OpenID Wiki a simple proposal for doing OpenID auth
> using normal HTTP authentication. This is intended as a solution for
> non-human agents and bots to authenticate themselves more easily.
>      <>

It loks like this: ;-)

> Note that this is not meant to address authentication of human users in
> non-browser apps, though I have included this as a possible extension in
> the notes at the end of the page.

I made a simple browser-based implementation (based on the basic
python sample for the server-side, and as a Firefox extension for the
client-side) and it seemed to work!

On the client-side, IIRC (I've coded that months ago ;-) ), the
firefox extension opens the OpenID identity provider "screen"
(assoc_immediate) in a popup window and catches redirections to the
return_to URL to close the window and send the appropriate
Authorization HTTP-header to the relying party on the "main" browser

> Please let me know what you think.

Per RFC2617, a WWW-Authenticate must have a "realm" parameter,
otherwise, looks good.

As for the "Relying parties can be allowed to include the
WWW-Authenticate: OpenID header in a 200 OK response to facilitate
this", that's basically a need outside the scope of OpenID. It'd be
real cool if HTTP-Auth (RFC2616/RFC2617) could work without the need
for 401 (Non Authorized) responses. The main problem here is caching…

Thomas Broyer

More information about the yadis mailing list