Hi Anders,

There has been some work on this important issue, though it seems to have been 
dormant for a while.

There seem to be two proposals (by Martin Atkins) using OpenID as an HTTP 
authentication mechanism. It is suitable for non-browser, non-interactive use 
I really like the idea of this basic flow:
1. RP indicates it supports OpenID with WWW-Authenticate: OpenID header;
2. App interacts with the app's OP;
3. App sends OpenID authentication response to RP in Authorization header;
4. RP performs discovery;
5. RP does direct verification with OP.

App --GET xxx--> RP
  <--401  WWW-Authenticate: OpenID realm="..."--

App <----> OP   [if necessary]

App --GET xxx Authorization: OpenID <opened-auth-request-stuff>--> RP

    RP --GET <claimed_id>-->
       <--discovery XRDS/HTML--

    RP --POST ...openid.mode=check_authentication--> OP

App <--200 content--

specs mailing list

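The five-step flow above, acted out end to end in a toy simulation. This is an added example, not code from the email, from Martin Atkins' proposals, or from any OpenID library: the `OpenID` auth-scheme header encoding (form-encoded openid.* parameters after `OpenID `), the OP endpoint and claimed identifier URLs, and the `discover()` lookup table standing in for an XRDS/HTML fetch are all assumptions. The point it makes from the RP's side is the one the flow relies on: the Authorization header is untrusted input, so the RP only accepts it after discovery confirms the OP endpoint and a direct check_authentication call succeeds, and a replayed or tampered header gets a 401.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode

# Constructed example values (assumptions, not from the email).
OP_ENDPOINT = "https://op.example/auth"
CLAIMED_ID = "https://alice.op.example/"
RP_REALM = "https://rp.example/"
SIGNED_FIELDS = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"


def discover(claimed_id):
    """Step 4, discovery: stand-in for fetching XRDS/HTML from the claimed_id.
    A static table replaces the HTTP fetch so the example runs offline."""
    return {CLAIMED_ID: OP_ENDPOINT}.get(claimed_id)


class ToyOP:
    """Toy OpenID Provider: signs responses and answers check_authentication."""

    def __init__(self):
        self.key = secrets.token_bytes(32)          # OP-private HMAC key
        self.assoc_handle = "assoc-" + secrets.token_hex(4)
        self.used_nonces = set()                    # replay protection

    def _sig(self, params):
        # Key-value form of the signed fields, HMAC'd with the OP's private key.
        signed = params["openid.signed"].split(",")
        kv = "".join(f"{k}:{params['openid.' + k]}\n" for k in signed)
        return hmac.new(self.key, kv.encode(), hashlib.sha256).hexdigest()

    def sign_response(self, claimed_id, return_to):
        """Step 2: the app obtains a signed positive assertion from its OP."""
        params = {
            "openid.ns": "http://specs.openid.net/auth/2.0",
            "openid.mode": "id_res",
            "openid.op_endpoint": OP_ENDPOINT,
            "openid.claimed_id": claimed_id,
            "openid.identity": claimed_id,
            "openid.return_to": return_to,
            "openid.response_nonce": "2024-01-01T00:00:00Z" + secrets.token_hex(4),
            "openid.assoc_handle": self.assoc_handle,
            "openid.signed": SIGNED_FIELDS,
        }
        params["openid.sig"] = self._sig(params)
        return params

    def check_authentication(self, params):
        """Step 5, direct verification: recompute the signature and reject replays."""
        if params.get("openid.mode") != "check_authentication":
            return {"is_valid": "false"}
        try:
            expected = self._sig(params)
        except KeyError:
            return {"is_valid": "false"}
        if not hmac.compare_digest(expected, params.get("openid.sig", "")):
            return {"is_valid": "false"}
        nonce = params["openid.response_nonce"]
        if nonce in self.used_nonces:                # same assertion presented twice
            return {"is_valid": "false"}
        self.used_nonces.add(nonce)
        return {"is_valid": "true"}


class ToyRP:
    """Toy Relying Party: challenges with WWW-Authenticate and verifies before trusting."""

    def __init__(self, realm, ops):
        self.realm = realm
        self.ops = ops   # endpoint URL -> ToyOP, standing in for the HTTPS POST to the OP

    def _challenge(self):
        return 401, {"WWW-Authenticate": f'OpenID realm="{self.realm}"'}, ""

    def handle(self, headers):
        auth = headers.get("Authorization", "")
        if not auth.startswith("OpenID "):          # step 1: no credentials, challenge
            return self._challenge()
        params = dict(parse_qsl(auth[len("OpenID "):]))   # step 3: parse the assertion
        endpoint = discover(params.get("openid.claimed_id"))
        # The endpoint found by discovery must match the one the assertion names;
        # otherwise the RP would ask an attacker-chosen endpoint to vouch for the identity.
        if endpoint is None or endpoint != params.get("openid.op_endpoint"):
            return self._challenge()
        if params.get("openid.return_to") != self.realm:   # assertion minted for another RP
            return self._challenge()
        verify = dict(params, **{"openid.mode": "check_authentication"})
        if self.ops[endpoint].check_authentication(verify).get("is_valid") != "true":
            return self._challenge()
        return 200, {}, "hello " + params["openid.claimed_id"]


def run_flow():
    """Runs the exchange once and returns the observable results for each step."""
    op = ToyOP()
    rp = ToyRP(RP_REALM, {OP_ENDPOINT: op})
    s1, h1, _ = rp.handle({})                                  # GET -> 401 challenge
    assertion = op.sign_response(CLAIMED_ID, RP_REALM)         # App <-> OP
    header = {"Authorization": "OpenID " + urlencode(assertion)}
    s2, _, body = rp.handle(header)                            # GET with Authorization -> 200
    s3, _, _ = rp.handle(header)                               # replayed header -> 401
    forged = dict(assertion, **{"openid.claimed_id": "https://mallory.op.example/"})
    s4, _, _ = rp.handle({"Authorization": "OpenID " + urlencode(forged)})  # tampered -> 401
    return s1, h1.get("WWW-Authenticate"), s2, body, s3, s4


if __name__ == "__main__":
    print(run_flow())
```

The OP in this toy signs with a private HMAC key so that `check_authentication` is the only way the RP can learn whether the assertion is genuine; that mirrors why step 5 is not optional in the flow, and the nonce set shows the one extra piece of state the OP needs so that an intercepted Authorization header cannot simply be presented again.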