OpenID For Desktop Applications: How? When?
Conference IIW8 Room/Time: 2/G
Convener: ∞ Linden
Notes-taker: Brian Eaton
Attendees:
Technology Discussed/Considered: OpenID, OAuth, Second Life
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Challenge: a desktop app wants to accept OpenID login credentials, but does not want to (a) open a web browser at all, or (b) display a web page from the OpenID provider.
First proposed solution: ask the user for the username and password they use at the OpenID provider, and use some standard mechanism to send that username and password to the OpenID provider. The provider verifies the password and returns "here is their identity."
Objections:
- doesn't work if the IdP doesn't use usernames and passwords
- messes with the OpenID ceremony (no URL in the browser bar, so users won't feel safe)
- OpenID providers don't like it when other people scrape usernames and passwords
- does worse in some usability studies, because users with password managers may have forgotten their password at the IdP
Next proposed solution: use OpenID + OAuth.
First use of application: user downloads the application from www.secondlife.com. Second Life redirects the user to their OpenID IdP. The IdP asks the user to confirm login, then returns the user to secondlife.com.
When the application starts up, it starts the OAuth dance with secondlife.com, then opens a browser to secondlife.com. The user already has a secondlife.com cookie, so there is no redirect to the OpenID IdP. The user is then asked to confirm that they want the Second Life application on their computer to access their Second Life data. User says yes.
Application gets an OAuth token and uses it to pull the data necessary for the application to run.
Next use of application: the token is saved on the computer, so no browser window is necessary. Things just work.
Edge case: the user needs to switch IDs in the desktop application, or application state is lost (user switches computers). Solution is to start the OAuth dance, then open a browser window to secondlife.com. Secondlife.com redirects the user to their OpenID IdP.
The IdP prompts the user to log in, then redirects back to secondlife.com.
Secondlife.com asks the user to confirm application access (the OAuth ceremony).
The browser window closes; the desktop application gets the OAuth token and uses it to fetch user data.
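The flow above, simulated end to end as an added example (this is not code from the session, from Second Life, or from any OAuth library). Both sides are stand-ins: `Service` plays secondlife.com as OpenID relying party and OAuth service provider, `DesktopApp` plays the viewer, and a callable `browser` stands in for the user's web browser, including the OpenID round-trip when secondlife.com has no session cookie. OAuth 1.0 request signing is left out (the consumer secret is checked directly) so the three legs, the saved-token "next use" and the lost-state edge case stay visible; the consumer credentials, cookie and OpenID identity are constructed values.

```python
import json
import os
import secrets
import tempfile

class NeedsOpenIDLogin(Exception):
    """No secondlife.com session cookie: the site would redirect the browser to the OpenID IdP."""

class AuthError(Exception):
    pass

class Service:
    """Stand-in for secondlife.com (OpenID RP + OAuth service provider); no request signing."""

    def __init__(self, consumer_key, consumer_secret):
        self.consumers = {consumer_key: consumer_secret}
        self.request_tokens = {}   # token -> {"user", "verifier"}
        self.access_tokens = {}    # token -> OpenID identity
        self.sessions = {}         # browser cookie -> OpenID identity

    def complete_openid_login(self, cookie, openid_identity):
        self.sessions[cookie] = openid_identity   # outcome of the IdP round-trip: a logged-in cookie

    def request_token(self, consumer_key, consumer_secret):
        # Leg 1: the app authenticates itself and gets an unauthorized request token.
        if self.consumers.get(consumer_key) != consumer_secret:
            raise AuthError("unknown consumer")
        token = secrets.token_hex(8)
        self.request_tokens[token] = {"user": None, "verifier": None}
        return token

    def authorize(self, request_token, cookie):
        # Leg 2, in the browser: with a session the user only confirms the app's access.
        if cookie not in self.sessions:
            raise NeedsOpenIDLogin()
        rec = self.request_tokens[request_token]
        rec["user"], rec["verifier"] = self.sessions[cookie], secrets.token_hex(4)
        return rec["verifier"]

    def access_token(self, consumer_key, consumer_secret, request_token, verifier):
        # Leg 3: trade the authorized request token for a long-lived access token.
        rec = self.request_tokens.pop(request_token, None)
        if (self.consumers.get(consumer_key) != consumer_secret
                or rec is None or rec["verifier"] != verifier):
            raise AuthError("request token not authorized")
        token = secrets.token_hex(8)
        self.access_tokens[token] = rec["user"]
        return token

    def user_data(self, access_token):
        if access_token not in self.access_tokens:
            raise AuthError("unknown access token")
        return {"openid": self.access_tokens[access_token]}

class DesktopApp:
    """The viewer's side. `open_browser(request_token)` stands in for launching the
    system browser and returns the verifier once the user has clicked yes."""

    def __init__(self, service, consumer_key, consumer_secret, token_path):
        self.service, self.key, self.secret = service, consumer_key, consumer_secret
        self.token_path, self.browser_opens = token_path, 0

    def run(self, open_browser):
        if os.path.exists(self.token_path):            # "next use": saved token, no browser
            with open(self.token_path) as f:
                saved = json.load(f)["token"]
            try:
                return self.service.user_data(saved)
            except AuthError:
                os.remove(self.token_path)             # revoked or stale: fall through to a fresh dance
        rt = self.service.request_token(self.key, self.secret)
        self.browser_opens += 1
        verifier = open_browser(rt)                    # user confirms at secondlife.com
        at = self.service.access_token(self.key, self.secret, rt, verifier)
        with open(self.token_path, "w") as f:
            json.dump({"token": at}, f)                # persisted so the next start needs no browser
        return self.service.user_data(at)

def demo():
    svc = Service("sl-viewer", "consumer-secret")      # constructed credentials
    app = DesktopApp(svc, "sl-viewer", "consumer-secret",
                     os.path.join(tempfile.mkdtemp(), "oauth_token.json"))
    cookie = "browser-cookie-1"                        # constructed browser cookie

    def browser(request_token):
        try:
            return svc.authorize(request_token, cookie)
        except NeedsOpenIDLogin:                       # no session: IdP login first, then confirm
            svc.complete_openid_login(cookie, "https://alice.example/openid")  # constructed identity
            return svc.authorize(request_token, cookie)

    first = app.run(browser)     # first use: browser opens, IdP login, OAuth confirmation
    second = app.run(browser)    # next use: saved token, browser never opened
    os.remove(app.token_path)    # edge case: application state lost
    third = app.run(browser)     # browser again; session cookie still present, so no IdP prompt
    return {"first": first, "second": second, "third": third, "browser_opens": app.browser_opens}

if __name__ == "__main__":
    print(demo())
```

The point to notice is where the browser is and is not opened: once on first use, never on a normal restart, and once more after the saved token is gone. The `AuthError` branch in `run` covers a token the service has revoked in the meantime, which the notes do not mention but which a real viewer has to handle the same way as lost state.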
Problem: if someone becomes an OpenID RP, and the IdP then becomes malicious or attempts to put the RP out of business, how can the RP recover?
Option 1: signed contracts between IdPs and RPs
Option 2: RP asks for e-mail address, so if they don't like the IdP they can put the user through a password reset process.