Non-interactive logins

2008-07-15 Thread Anders Feder
Hello,

There has been some discussion over the years about using OpenID for
non-interactive logins. Can someone kindly tell me what the status is of
this feature? In particular login from non-browser applications - is
this currently possible (e.g. using client certificate authentication)?
Thanks.

-- 
Anders Feder [EMAIL PROTECTED]

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs


Re: Non-interactive logins

2008-07-15 Thread Scott Kveton
Hi Anders,

You might want to check out OAuth ... it was developed for just such a
situation.

- Scott




On Tue, Jul 15, 2008 at 4:20 AM, Anders Feder [EMAIL PROTECTED] wrote:
> Hello,
>
> There has been some discussion over the years about using OpenID for
> non-interactive logins. Can someone kindly tell me what the status is of
> this feature? In particular login from non-browser applications - is
> this currently possible (e.g. using client certificate authentication)?
> Thanks.
>
> --
> Anders Feder [EMAIL PROTECTED]



Re: Non-interactive logins

2008-07-15 Thread Anders Feder
If I'm not mistaken, OAuth requires the user to approve the
authentication request in her browser, which is an interactive action.

Joseph Holsten pointed me to Appendix A of the OAuth specification for
an example. In step A.3, The Consumer redirects Jane’s browser to the
Service Provider User Authorization URL to obtain Jane’s approval for
accessing her private photos.

Also, OAuth appears to be more about authorization (to access a remote
resource) than about authentication.

Is there any way to operate either OpenID or OAuth entirely
non-interactively?

Tue, 15 07 2008 at 08:38 -0700, Scott Kveton wrote:
> Hi Anders,
>
> You might want to check out OAuth ... it was developed for just such a
> situation.
>
> - Scott
>
> On Tue, Jul 15, 2008 at 4:20 AM, Anders Feder [EMAIL PROTECTED] wrote:
> > Hello,
> >
> > There has been some discussion over the years about using OpenID for
> > non-interactive logins. Can someone kindly tell me what the status is of
> > this feature? In particular login from non-browser applications - is
> > this currently possible (e.g. using client certificate authentication)?
> > Thanks.
> >
> > --
> > Anders Feder [EMAIL PROTECTED]
 


OpenID with Acegi Security for Springs

2008-07-15 Thread Shweta Kumbar
Hi,

Has anyone integrated OpenID with Acegi security for Springs? I need help on
this.

Regards,
Shweta





Re: Non-interactive logins

2008-07-15 Thread John Panzer

Anders Feder wrote:
> If I'm not mistaken, OAuth requires the user to approve the
> authentication request in her browser, which is an interactive action.

This is true, but this only needs to be done when obtaining an access
token, which can be used potentially forever without further interaction
from the user.

And of course any number of extensions could be created to obtain an
access token via an alternate path, after which normal OAuth can be used.

> Joseph Holsten pointed me to Appendix A of the OAuth specification for
> an example. In step A.3, The Consumer redirects Jane’s browser to the
> Service Provider User Authorization URL to obtain Jane’s approval for
> accessing her private photos.
>
> Also, OAuth appears to be more about authorization (to access a remote
> resource) than about authentication.
>
> Is there any way to operate either OpenID or OAuth entirely
> non-interactively?
>
> Tue, 15 07 2008 at 08:38 -0700, Scott Kveton wrote:
> > Hi Anders,
> >
> > You might want to check out OAuth ... it was developed for just such a
> > situation.
> >
> > - Scott
> >
> > On Tue, Jul 15, 2008 at 4:20 AM, Anders Feder [EMAIL PROTECTED] wrote:
> > > Hello,
> > >
> > > There has been some discussion over the years about using OpenID for
> > > non-interactive logins. Can someone kindly tell me what the status is of
> > > this feature? In particular login from non-browser applications - is
> > > this currently possible (e.g. using client certificate authentication)?
> > > Thanks.
> > >
> > > --
> > > Anders Feder [EMAIL PROTECTED]



Re: Non-interactive logins

2008-07-15 Thread Anders Feder
Tue, 15 07 2008 at 21:28 -0700, John Panzer wrote:
> And of course any number of extensions could be created to obtain an
> access token via an alternate path, after which normal OAuth can be
> used.

Sure, but isn't this equally true for OpenID?

If that is the case, I would like to ask the list if anybody is
interested in working towards such an extension.

> > Joseph Holsten pointed me to Appendix A of the OAuth specification for
> > an example. In step A.3, The Consumer redirects Jane’s browser to the
> > Service Provider User Authorization URL to obtain Jane’s approval for
> > accessing her private photos.
> >
> > Also, OAuth appears to be more about authorization (to access a remote
> > resource) than about authentication.
> >
> > Is there any way to operate either OpenID or OAuth entirely
> > non-interactively?
> >
> > Tue, 15 07 2008 at 08:38 -0700, Scott Kveton wrote:
> > > Hi Anders,
> > >
> > > You might want to check out OAuth ... it was developed for just such a
> > > situation.
> > >
> > > - Scott
> > >
> > > On Tue, Jul 15, 2008 at 4:20 AM, Anders Feder [EMAIL PROTECTED] wrote:
> > > > Hello,
> > > >
> > > > There has been some discussion over the years about using OpenID for
> > > > non-interactive logins. Can someone kindly tell me what the status is of
> > > > this feature? In particular login from non-browser applications - is
> > > > this currently possible (e.g. using client certificate authentication)?
> > > > Thanks.
> > > >
> > > > --
> > > > Anders Feder [EMAIL PROTECTED]


 
-- 
Anders Feder [EMAIL PROTECTED]



RE: Non-interactive logins

2008-07-15 Thread Manger, James H
Hi Anders,

There has been some work on this important issue, though it seems to have been 
dormant for a while.

There seem to be two proposals (by Martin Atkins) using OpenID as an HTTP 
authentication mechanism. It is suitable for non-browser, non-interactive use 
cases.

http://wiki.openid.net/OpenIDHTTPAuth

http://wiki.openid.net/OpenID_HTTP_Authentication


I really like the idea of this basic flow:
1. RP indicates it supports OpenID with WWW-Authenticate: OpenID header;
2. App interacts with the app's OP;
3. App sends OpenID authentication response to RP in Authorization header;
4. RP performs discovery;
5. RP does direct verification with OP.

App --GET xxx--> RP
    <--401  WWW-Authenticate: OpenID realm=...--

App <--> OP   [if necessary]

App --GET xxx Authorization: OpenID opened-auth-request-stuff--> RP

RP --GET claimed_id-->
   <--discovery XRDS/HTML--

RP --POST ...openid.mode=check_authentication--> OP
   <--is_valid=true--

App <--200 content--


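The RP side of the flow James Manger outlines above, as an added example (not code from the thread or from either wiki proposal). The Authorization header encoding (URL-encoded openid.* fields after the scheme name), the realm value, the discovery table and the `fake_op` stub are assumptions constructed for illustration; the `check_authentication` request and `is_valid` reply follow OpenID 2.0 direct verification.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed discovery table: claimed_id -> OP endpoint (stands in for the XRDS/HTML fetch).
DISCOVERED = {"https://anders.example/": "https://op.example/endpoint"}

def parse_authorization(header):
    """Split 'OpenID <urlencoded openid.* fields>' (assumed encoding) into a dict."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "openid":
        raise ValueError("not an OpenID Authorization header")
    fields = dict(parse_qsl(blob, keep_blank_values=True))
    if fields.get("openid.mode") != "id_res":
        raise ValueError("not a positive assertion")
    return fields

def check_authentication_body(fields):
    """Direct-verification POST body: the assertion with openid.mode swapped."""
    return urlencode({**fields, "openid.mode": "check_authentication"})

def parse_kv(text):
    """Parse an OpenID key-value form reply ('key:value' lines)."""
    return dict(line.split(":", 1) for line in text.splitlines() if ":" in line)

def fake_op(endpoint, body):
    """Constructed OP stub: treats only the signature 'good-sig' as valid."""
    ok = dict(parse_qsl(body)).get("openid.sig") == "good-sig"
    return "ns:http://specs.openid.net/auth/2.0\nis_valid:%s\n" % str(ok).lower()

def rp_handle(header, seen_nonces, post_to_op=fake_op):
    """RP side of the flow: challenge, discovery check, direct verification."""
    if header is None:
        return 401, 'WWW-Authenticate: OpenID realm="example"'
    fields = parse_authorization(header)
    endpoint = DISCOVERED.get(fields.get("openid.claimed_id"))
    # Verify only with the endpoint discovery returned for the claimed_id,
    # never with one that merely appears in the client-supplied assertion.
    if endpoint is None or fields.get("openid.op_endpoint") != endpoint:
        return 403, "OP not authoritative for claimed_id"
    nonce = fields.get("openid.response_nonce")
    if not nonce or nonce in seen_nonces:
        return 403, "missing or replayed nonce"
    reply = parse_kv(post_to_op(endpoint, check_authentication_body(fields)))
    if reply.get("is_valid") != "true":
        return 403, "OP rejected assertion"
    seen_nonces.add(nonce)  # a captured header cannot be sent a second time
    return 200, fields["openid.claimed_id"]
```

Because the assertion travels in a request header with no browser redirect, the nonce cache and the discovery check are what keep a captured or self-issued header from being accepted.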


Re: Non-interactive logins

2008-07-15 Thread James Henstridge
On Wed, Jul 16, 2008 at 12:38 PM, Anders Feder [EMAIL PROTECTED] wrote:
> Tue, 15 07 2008 at 21:28 -0700, John Panzer wrote:
> > And of course any number of extensions could be created to obtain an
> > access token via an alternate path, after which normal OAuth can be
> > used.
>
> Sure, but isn't this equally true for OpenID?

Most OpenID RPs maintain some kind of session for the user, but that
is not required by the spec (some require OpenID auth to perform each
action).

In contrast, the whole point of OAuth is to generate an authorisation
token that can be used for machine access to a site multiple times in
the future.  The OAuth service provider might use OpenID when deciding
whether to grant an authorisation token to a client to access the site
on behalf of a particular user if appropriate.

James.