Hi Anders,

There has been some work on this important issue, though it seems to have been 
dormant for a while.

There seem to be two proposals (by Martin Atkins) using OpenID as an HTTP 
authentication mechanism. It is suitable for non-browser, non-interactive use 
cases.

http://wiki.openid.net/OpenIDHTTPAuth

http://wiki.openid.net/OpenID_HTTP_Authentication


I really like the idea of this basic flow:
1. RP indicates it supports OpenID with WWW-Authenticate: OpenID header;
2. App interacts with the app's OP;
3. App sends OpenID authentication response to RP in Authorization header;
4. RP performs discovery;
5. RP does direct verification with OP.

App --GET xxx--> RP
  <--401  WWW-Authenticate: OpenID realm="..."--

App <----> OP   [if necessary]

App --GET xxx Authorization: OpenID <opened-auth-request-stuff>--> RP

    RP --GET <claimed_id>-->
       <--discovery XRDS/HTML--

    RP --POST ...openid.mode=check_authentication--> OP
       <--is_valid=true--

App <--200 content--


_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
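An RP-side sketch of the flow above, added here as an illustration; it is not code from the mail or from either wiki proposal. It assumes the Authorization header carries the openid.* response fields as RFC 2617-style auth-params (`OpenID openid.mode="id_res", ...`), that discovery on claimed_id has already produced `discovered_endpoint`, and that `post(url, body)` is a caller-supplied function that sends the check_authentication request and returns the OP's key-value reply.

```python
import re
from urllib.parse import urlencode

OPENID_NS = "http://specs.openid.net/auth/2.0"
# RFC 2617-style auth-param: key="value" (assumed encoding of the Authorization header)
AUTH_PARAM = re.compile(r'([\w.]+)="((?:[^"\\]|\\.)*)"')

def challenge(realm):
    """Status and header the RP returns when the request carried no credentials."""
    return 401, {"WWW-Authenticate": 'OpenID realm="%s"' % realm}

def parse_authorization(header):
    """'OpenID k="v", ...' -> dict of openid.* fields; None if another scheme was used."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "openid":
        return None
    return {k: v.replace('\\"', '"') for k, v in AUTH_PARAM.findall(params)}

def check_authentication_body(fields):
    """Direct verification request: the same fields with the mode rewritten."""
    body = dict(fields)
    body["openid.mode"] = "check_authentication"
    return urlencode(body)

def parse_kv_response(text):
    """OP key-value form reply ('key:value' per line) -> dict."""
    return dict(line.split(":", 1) for line in text.splitlines() if ":" in line)

def verify(fields, discovered_endpoint, seen_nonces, post):
    """RP-side checks before the response is trusted.
    discovered_endpoint: OP endpoint found by discovery on openid.claimed_id;
    seen_nonces: set of response_nonce values already accepted (replay defence);
    post(url, body): sends the direct verification POST, returns the reply text."""
    if fields.get("openid.ns") != OPENID_NS or fields.get("openid.mode") != "id_res":
        return False
    # The endpoint asserted in the response must be the one discovery produced;
    # otherwise any server could answer check_authentication for someone else's claimed_id.
    if fields.get("openid.op_endpoint") != discovered_endpoint:
        return False
    nonce = fields.get("openid.response_nonce")
    if not nonce or nonce in seen_nonces:
        return False
    reply = parse_kv_response(post(discovered_endpoint, check_authentication_body(fields)))
    if reply.get("is_valid") != "true":
        return False
    seen_nonces.add(nonce)
    return True
```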