This is as days pass by, by Stuart Langridge

And this is OpenID login and APIs, written , and concerning Web

Does anyone have an example of a site which:
  1. Offers OpenID login
  2. Has a remote API that allows you to log in using your OpenID rather than a username and password
How do you provide this, as a site owner? It's not clear to me that OpenID works for machines to log into things (unless I go and set my OpenID to "always allow access" and then write a screen-scraper module for my OpenID provider). This seems like something of a flaw in the OpenID concept. Hopefully I'm missing something. Update: OAuth isn't the answer here. My use-case for this is, say, a little script that allows me to post to Identi.ca. OAuth requires me (the "Consumer") to request a "Consumer Secret" and a "Consumer Key" from Identi.ca. From my reading of the OAuth spec, that's supposed to be specific to the script, not specific to the person running the script, which means that I can't open-source the script (because then everyone will know my Consumer Secret). So in order for me to write an application that uses OAuth to authenticate to a site, either I can't open source it, or everyone using the application has to apply for their own Consumer Secret and Consumer Key; at that point you might as well just set a password and not use OpenID! The OAuth spec says that "Service Providers should not use the Consumer Secret alone to verify the identity of the Consumer", and goes on to "Where possible, other factors such as IP address should be used as well", which as far as I can tell means "we like closed-source programs; if you want to open source something, then we don't know how to solve that problem, so you lose". Correct me if I'm wrong.

Comments

Jeff Waugh

Sounds like you're looking for something like OAuth? :-)

sil

Jeff: sorta. OAuth's core thing is pretty much "give some external thing access to some but not all of my identity on some particular site". It can be used for access to all my identity on a particular site (which is what I'd want were I logging in). The first draft of this post said "is OAuth the solution here?" and I took it out :)

sil

Hrm. OAuth requires the "consumer" (that's me, writing my little script to grab data) to get a "Consumer Secret" from the provider. So that's no good for open-source programs...

sil

If OAuth is the answer, then each site will have to randomly generate each user a Customer Secret and then require you to add it to your program, in the same way that you add your username and password to Twitter clients now. This doesn't seem ideal to me.

John Bäckstrand

This is pretty much like flickr_upload for linux does: it requires an "API KEY" from Flickr to be able to work. They key of course don't have to be hardcoded into the software.

http://simonwillison.net/

OAuth was designed to solve exactly this problem (by members of the OpenID community). The consumer secret is retrieved from the provider using an API call - it doesn't need to be baked in to the application and the end user doesn't need to know anything about it. All they have to do is visit a URL and click on the "let application X perform actions on my behalf" button, just like with the Flickr auth API.

sil

Simon: right, OK. Sounds a bit fiddly to set up if all you want is a fairly noddy script rather than a full-on application, but I suppose that's the way in the new world order.

You

I think Drupal 6 allows open ID based log ins. (create an account, add an open id to it and then you can use the openid to log in etc etc.

lefty

is http://openidenabled.com/files/php-openid/docs/2.0.1/OpenID/tutorial_OpenID.pkg.html helpful?

James

I'd love to comment, but christ, your comments are a dog's breakfast, lines a single word long overwriting each other so I can't read what's already been said.

sil

James: yeah, I didn't bother too much with IE support. I've now poked it so comment text isn't overlain. Still not too bothered about IE support, though.

xxx

actually, it doesn't work well on ff 2 either

Ian McKellar

I kicked up a minor fuss when OAuth was being developed over open source applications, and desktop applications in general (since it's easy to extract secrets from desktop apps - see: http://ianloic.com/2006/12/23/flickr_authentication_security/). It looks like they made the language more stupid before releasing the spec. FAIL. I need to tell those guys off more often.

So, one fairly simple approach is to make users of the web application retrieve a token from the web site when they've logged in and put that into the desktop program that will be making requests. Make it something that copies & pastes nicely and only expires when you explicitly expire it or change your password.

Erwan

I think that Ma.gnolia.com has already done some research about that. They have an API, they provide OpenID login but you can't use the API with OpenID.

Last time I talked to them about that they explained me they would have to do the trick Ian explained: have the user copy/paste some token. Because that would be an awkward experience, it wasn't super high on their priority list.

Lefty

Comments look fine in FF3, but not on my Diablo-ized N810...

Anonymous Coward

What are the differences between OpenID and Shibboleth? http://en.wikipedia.org/wiki/Shibboleth_%28Internet2%29

Rachel

I thought the post made some good points on screen scrapers, I use python for simple html screen scrapers, but for larger projects i used extractingdata.com http://www.extractingdata.com/screen%20scraper.htm which worked great, they build custom screen scrapers and data extracting programs

This website belongs to Stuart Langridge. Contact details are available. Don't eat yellow snow. Valid HTML5, at least in theory, except for the bits that aren't because I'm that futuristic that I'm ahead of the spec, oh yes. HTML5 help from Bruce Lawson, among others. Fonts from the superb FontSquirrel. End.