OpenID authentication from an installed application

Published 2019-02-24 14:53

Question:

I'm currently planning a new web project. Clients are going to connect using a regular web browser and, in the case of regular Java-enabled cell phones, a j2me client. I would really like to make use of OpenID authentication. In the case of a regular web browser, things are pretty straightforward. However, I am really not sure about installed applications (such as a j2me client installed on a mobile device) - regular OpenID authentication is performed by entering a username/password on the web page of a particular OpenID provider - which is quite a limitation :)

Has anyone coped with such a situation? Is it possible to create an authentication mechanism for the site that uses OpenID from a mobile j2me client?

Currently, I am thinking of a solution in which users who would like to connect from their mobiles download the necessary j2me application from the server web site after they have authenticated themselves (regular browser authentication). The mobile client app could be assembled dynamically on the server with an embedded SSL certificate that is associated with the particular logged-in OpenID user. After that, the j2me client could authenticate to the server without entering any username/password. The data that is going to be stored on the server is not THAT sensitive - considering cases of mobile phone theft etc.

Can anybody come up with a better solution?

Answer 1:

The best solution IMO for what you're doing is to use OAuth combined with OpenID. Your use of OpenID at the RP is fine. But for installed applications that need access to that web site, they should use OAuth to get authorized. The flow would work like this:

  1. User installs app on their device
  2. During install or on first launch, the app has an "Authorize me" button.
  3. The user presses the button and a web browser pops up the web site that the client app needs to access data from.
  4. User logs into that site using their OpenID
  5. Site now asks "do you want to authorize client app X?"
  6. User says yes and closes the browser.
  7. The client app reappears and says "thanks." and now has the OAuth token necessary to access the user's data without the user ever logging in again.
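The seven-step flow above, as an added simulation that is not part of the answer or of any OAuth library: a hypothetical `Site` class plays the RP web site (OpenID login happens in the browser, the app only ever receives an OAuth-style token bound to the authenticated OpenID identifier), and `run_flow` walks one authorization. The request token is single-use and short-lived, an unapproved one cannot be exchanged, and `revoke` covers the lost-phone case from the question; the token format is a constructed placeholder, not the OAuth wire protocol.

```python
import secrets
import time

class Site:
    """Constructed RP web site: OpenID login in the browser, OAuth-style tokens for apps."""
    def __init__(self):
        self.pending = {}   # request token -> {"app", "openid", "exp"}
        self.tokens = {}    # access token -> {"app", "openid"}

    def start(self, app_id):
        # Step 3: app asks for a short-lived request token, then opens the browser with it.
        rt = secrets.token_urlsafe(16)
        self.pending[rt] = {"app": app_id, "openid": None, "exp": time.time() + 300}
        return rt

    def approve(self, rt, openid_identifier):
        # Steps 4-6: the browser session is OpenID-authenticated and the user clicks "yes".
        # Approval binds the request to the authenticated OpenID, never to a password.
        p = self.pending.get(rt)
        if p is None or time.time() > p["exp"]:
            raise PermissionError("unknown or expired request token")
        p["openid"] = openid_identifier

    def exchange(self, rt):
        # Step 7: app trades the approved request token for a long-lived access token.
        # The request token is single-use: it is removed whether or not exchange succeeds.
        p = self.pending.pop(rt, None)
        if p is None or p["openid"] is None or time.time() > p["exp"]:
            raise PermissionError("request token unknown, unapproved, or expired")
        at = secrets.token_urlsafe(32)
        self.tokens[at] = {"app": p["app"], "openid": p["openid"]}
        return at

    def whoami(self, access_token):
        # Resource access: the token alone identifies app and user; no OpenID login again.
        t = self.tokens.get(access_token)
        if t is None:
            raise PermissionError("invalid or revoked access token")
        return t["openid"]

    def revoke(self, access_token):
        # Lost-phone case from the question: revoke that one app's token from the web site.
        self.tokens.pop(access_token, None)

def run_flow(site, app_id="j2me-client", openid="https://alice.example/"):
    """Walk the seven steps once and return the access token the app keeps."""
    rt = site.start(app_id)          # app side (constructed app id)
    site.approve(rt, openid)         # browser side, after OpenID login (constructed identifier)
    return site.exchange(rt)         # app side; the user never typed a password into the app
```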