OpenID login and APIs

Does anyone have an example of a site which:

  1. Offers OpenID login
  2. Has a remote API that allows you to log in using your OpenID rather than a username and password

How do you provide this, as a site owner? It’s not clear to me that OpenID works for machines to log into things (unless I go and set my OpenID to “always allow access” and then write a screen-scraper module for my OpenID provider). This seems like something of a flaw in the OpenID concept. Hopefully I’m missing something.

Update: OAuth isn’t the answer here. My use-case for this is, say, a little script that allows me to post to Identi.ca. OAuth requires me (the “Consumer”) to request a “Consumer Secret” and a “Consumer Key” from Identi.ca. From my reading of the OAuth spec, that’s supposed to be specific to the script, not specific to the person running the script, which means that I can’t open-source the script (because then everyone will know my Consumer Secret). So in order for me to write an application that uses OAuth to authenticate to a site, either I can’t open source it, or everyone using the application has to apply for their own Consumer Secret and Consumer Key; at that point you might as well just set a password and not use OpenID!

The OAuth spec says that “Service Providers should not use the Consumer Secret alone to verify the identity of the Consumer”, and goes on to “Where possible, other factors such as IP address should be used as well”, which as far as I can tell means “we like closed-source programs; if you want to open source something, then we don’t know how to solve that problem, so you lose”. Correct me if I’m wrong.
