Monday, April 2, 2007

Smart Client authentication with Open ID

One of the things that has become an issue for me is the limited support for non-browser authentication with Open ID. I like the technology, but in my case I needed to use it in a smart client and it isn't easily extended to that scenario. I think this is a current limitation in Open ID and I'm not sure whether it will ever be considered. However, I decided to do some work to demonstrate how this could be useful and how it could even be implemented currently. This isn't necessarily a demonstration of a finished and well architected concept, but more an illustration of what can be done.

To demonstrate, consider a simple application that shows you an article. Note that it shows summary data and there is a log in button.

When the log in button is clicked, a window pops up with a browser embedded and takes you to a log in page, where you enter your open id and click the log in button. This actually passes a GUID, which is associated with the user's session on IIS.

Now, you are taken to the log in page of your identity provider - in my case Verisign, where you authenticate as usual.

You choose what you want to allow and how long for and click "allow".

When this is done, you are redirected to a log in page, which takes the data you have been provided with, adds it to the Application cache associated with the GUID you passed in earlier, and then closes the window. It is given a time window of 60 seconds before the data is removed from the cache.

When the login window closes, the article reader is refreshed to indicate you are logged in and displays some data according to your profile settings. This uses the client GUID and makes a web service call which pulls out the profile information associated with that GUID and returns it. The data on the server is immediately destroyed.
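The handoff described above (the client mints a GUID, the login callback page caches the profile under it for 60 seconds, and the web service call returns it once and destroys it) can be modelled server-side as a single-use cache. The following is an added example in Python rather than the author's .NET code or anything from dotnetopenid; the class and method names are my own, and it assumes the OpenID response has already been verified before the callback stores the profile.

```python
import time
import uuid
from threading import Lock

HANDOFF_TTL_SECONDS = 60  # the 60-second window described in the post


class ManualClock:
    """Fake clock so expiry can be tested without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class HandoffCache:
    """Short-lived, single-use store keyed by the client's GUID: the login
    callback page puts the profile here, the web service hands it to the
    client once, and it is destroyed on that read or when the window lapses."""

    def __init__(self, ttl=HANDOFF_TTL_SECONDS, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock  # injectable (see ManualClock) for testing expiry
        self._entries = {}  # guid -> (expires_at, profile)
        self._lock = Lock()

    @staticmethod
    def new_client_guid():
        # uuid4 is random, so the handoff key cannot be guessed or enumerated
        return str(uuid.uuid4())

    def put(self, guid, profile):
        uuid.UUID(guid)  # malformed keys raise ValueError before touching the cache
        with self._lock:
            self._purge_expired()
            self._entries[guid] = (self._clock() + self._ttl, dict(profile))

    def take(self, guid):
        """Return the profile exactly once; None if missing, expired or already taken."""
        with self._lock:
            self._purge_expired()
            entry = self._entries.pop(guid, None)  # pop: destroyed on first read
        return entry[1] if entry is not None else None

    def _purge_expired(self):
        now = self._clock()
        for key in [k for k, (exp, _) in self._entries.items() if exp <= now]:
            del self._entries[key]
```

Because the GUID is the only thing tying the embedded-browser login back to the client, it is treated here as a bearer token: randomly generated, short-lived and consumed on first read, which is what limits the damage if one leaks.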

The code is by no means finished and a full solution, so I will tidy it up and release it at some point today - perhaps over at the dotnetopenid group at Google, whose excellent work was the basis of this sample.

Hopefully it can get some thoughts ticking, as "it can't be done" isn't really an option for me, and now that I have shown it can in fact be done it's maybe worth considering how it can be improved.
