Non-browser OpenID and OAuth

From IIW

how do we deal with openid + oauth without a web browser?

in mobile, other places it's impossible to login with openid...

direct auth is common...

1. answer is that we're not interested
2. this is the widget case but without a web browser...

what does the user have if not a web browser? cell phone... phone number... tv... set-top boxes...

auth for the openid provider?

Surrogate Secure Remote Password ... based on SRP

AOL has a client logon solution similar to SRP... session is tied to login session

george fletcher says

jsmarr: there should be a way to login to RP by entering username that you'd end up at openid

some of this could be done with a super-hard-to-guess URL

people like to push username/password flow through web browser to avoid abuse rather than put into a client app...

identity providers could list number of other users/friends who have authorized an app a la facebook

jsmarr suggests that tokens should be made long term and made as useful as passwords to disincentivise the storing of passwords locally.


it always comes down to what the user trusts...

how much of the time can you get away with web browsers? and in the cases where we don't have that, what should we do?