This looks like an interesting proposal. A 'black box' with regards to
how the application obtains assoc_handle and signature from the OP
remains, but it looks like a step in the right direction.

What remains to be done to elevate this proposal to standard?

On Wed, 16 07 2008 at 15:09 +1000, Manger, James H wrote:
> Hi Anders,
> 
> There has been some work on this important issue, though it seems to have 
> been dormant for a while.
> 
> There seem to be two proposals (by Martin Atkins) using OpenID as an HTTP 
> authentication mechanism. It is suitable for non-browser, non-interactive use 
> cases.
> 
> http://wiki.openid.net/OpenIDHTTPAuth
> 
> http://wiki.openid.net/OpenID_HTTP_Authentication
> 
> 
> I really like the idea of this basic flow:
> 1. RP indicates it supports OpenID with WWW-Authenticate: OpenID header;
> 2. App interacts with the app's OP;
> 3. App sends OpenID authentication response to RP in Authorization header;
> 4. RP performs discovery;
> 5. RP does direct verification with OP.
> 
> App --GET xxx--> RP
>   <--401  WWW-Authenticate: OpenID realm="..."--
> 
> App <----> OP   [if necessary]
> 
> App --GET xxx Authorization: OpenID <opened-auth-request-stuff>--> RP
> 
>     RP --GET <claimed_id>-->
>        <--discovery XRDS/HTML--
> 
>     RP --POST ...openid.mode=check_authentication--> OP
>        <--is_valid=true--
> 
> App <--200 content--
> 
> 
> _______________________________________________
> specs mailing list
> specs@openid.net
> http://openid.net/mailman/listinfo/specs
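
The RP-side checks behind the last two steps of the flow quoted above (using the discovery result, then direct verification with `check_authentication`), as an added example that is not part of the original thread or of either proposal. It assumes the `openid.*` fields have already been extracted from the Authorization header, whose format this thread does not define; `verify_assertion`, `post`, `stub_op` and all sample values are constructed for illustration.

```python
from urllib.parse import parse_qs, urlencode

def parse_kv(body):
    """Parse OpenID Key-Value Form: 'key:value' lines, split on the first colon."""
    fields = {}
    for line in filter(None, body.split("\n")):
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed key-value line")
        fields[key] = value
    return fields

def verify_assertion(assertion, discovered_endpoint, seen_nonces, post):
    """RP steps after discovery: True only if the discovered OP confirms.
    post(url, body) -> str is a hypothetical transport hook, injected so the
    example runs offline; discovered_endpoint comes from the discovery step.
    """
    if assertion.get("openid.mode") != "id_res":
        return False
    # Query the OP found by discovery on claimed_id, never one the app names.
    if assertion.get("openid.op_endpoint") != discovered_endpoint:
        return False
    nonce = assertion.get("openid.response_nonce")
    if not nonce or (discovered_endpoint, nonce) in seen_nonces:
        return False  # missing or replayed nonce
    # check_authentication carries every assertion field; only the mode changes.
    body = urlencode({**assertion, "openid.mode": "check_authentication"})
    if parse_kv(post(discovered_endpoint, body)).get("is_valid") != "true":
        return False
    seen_nonces.add((discovered_endpoint, nonce))
    return True

# Constructed sample assertion and stub OP (placeholder values, not real data).
OP = "https://op.example/openid"
ASSERTION = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": OP,
    "openid.claimed_id": "https://alice.example/",
    "openid.response_nonce": "2008-07-16T05:09:00Zabc123",
    "openid.assoc_handle": "handle-1",
    "openid.signed": "op_endpoint,claimed_id,response_nonce,assoc_handle",
    "openid.sig": "c2lnbmF0dXJl",
}

def stub_op(url, body):
    """Stand-in OP: accepts only the constructed signature value above."""
    ok = parse_qs(body).get("openid.sig") == [ASSERTION["openid.sig"]]
    return "ns:http://specs.openid.net/auth/2.0\nis_valid:%s\n" % ("true" if ok else "false")
```

The endpoint comparison and the nonce cache matter here because the app, not a browser redirect, delivers the assertion, so the RP cannot rely on anything else to tie the response to a specific request.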

