Non-browser OpenID and OAuth
how do we deal with openid + oauth without a web browser?
on mobile and in other places it's impossible to log in with openid...
direct auth is common...
1. answer is that we're not interested
2. this is the widget case but without a web browser...
what does the user have if not a web browser? cell phone... phone number... tv... set-top boxes...
auth for the openid provider?
Surrogate Secure Remote Password ... based on SRP
AOL has a client logon solution similar to SRP... session is tied to login session
george fletcher says
jsmarr: there should be a way to log in to RP by entering username that you'd end up at openid
some of this could be done with a super-hard-to-guess URL
people like to push username/password flow through web browser to avoid abuse rather than put into a client app...
identity providers could list number of other users/friends who have authorized an app a la facebook
jsmarr suggests that tokens should be made long term and made as useful as passwords to disincentivize storing passwords locally.
it always comes down to what the user trusts...
how much of the time can you get away with web browsers? and in the cases where we don't have that, what should we do?