OpenID Auth for agents and "bots"

Martin Atkins mart at degeneration.co.uk
Sun Aug 6 22:26:45 UTC 2006


Recordon, David wrote:
> Awesome, I've also been thinking a lot about something like this.  What Brad and I had discussed was being able to do this via Basic and Digest HTTP Auth.  Thus a client that supports these modes already (browser, feed reader, svn, etc.) wouldn't have to change; rather, only changes would be required on the server side.  Then for many of these apps, writing mod_auth_openid for Apache would handle the code needed on the server.
>  
> It would look very much like what you wrote up, though throw the identifier in the username and the signature into the password field.  Then use check_authentication to verify it.
>  
> Have you thought at all about that approach?
>  

I suppose that could work. I'm not really sure I understand the 
advantage, though. Most clients are going to ask the user for a username 
and password in response to a Basic or Digest challenge. Do you expect 
the user to compute the signature manually and put it in? :)

Also, this makes it more difficult (though admittedly not incredibly so) 
to allow Basic, Digest and OpenID auth on the same URL.

I guess the main advantage is that existing HTTP client libraries could 
be used, but since it would be pretty trivial to add that support as a 
wrapper, and in this situation we're talking about development libraries 
rather than end-user apps, I don't think the "quick and dirty" 
solution is necessary and we can afford to do it properly (for some 
value of "properly".)

Just my opinion, though!


