从安装的应用程序的OpenID认证 [英] OpenID authentication from an installed application

问题描述

目前，我正在策划一个新的Web项目。客户端会使用常规的Web浏览器和连接，在常规的Java功能的手机，J2ME客户案​​例。我真的想利用OpenID身份验证的。在常规的网络的情况下，浏览器的东西是pretty简单。不过，我真的不知道安装的应用程序（如安装在移动设备上的J2ME客户端） - 定期OpenID身份验证是通过在特定的OpenID提供商的网页，输入用户名/密码进行 - 这是一个相当的局限性：）

I'm currently planning a new web project. Clients are going to connect using a regular web browser and, in case of regular java-enabled cell phones, j2me client. I would really like to make use of the OpenID authentication. In case of regular web browser things are pretty straightforward. However, I am really not sure about installed applications (such as j2me client installed on a mobile device) - regular OpenID authentication is performed by entering username/password on a webpage of particular OpenID provider - which is quite a limitation :)

有没有人应付了这种情况呢？是否有可能建立验证机制的使用OpenID从移动J2ME客户的网站？

Has anyone coped with such a situation? Is it possible to create authentication mechanism to the site that uses OpenID from a mobile j2me client?

目前，我想到的解决方案，想从他们的手机连接谁的用户从服务器下载网站后，他们已经验证自己（常规浏览器验证）必要的J2ME应用程序。移动客户端应用程序可以动态地嵌入的SSL证书是与在OpenID的用户特定记录的相关联的服务器上进行组装。在此之后，J2ME客户端可以验证到服务器，而无需输入任何用户名/密码。这将被存储在服务器上的数据不敏感 - 考虑手机盗窃案件等。

Currently, I think of solution that users who would like to connect from their mobiles download necessary j2me application from the server web site after they have authenticated themselves (regular browser authentication). The mobile client app could be assembled dynamically on the server with the SSL certificate embedded that is associated with particular logged in OpenID user. After that, j2me client could authenticate to the server without entering any username/password. The data that is going to be stored on the server is not THAT sensitive - considering cases of mobile phone thefts etc.

任何人都可以想出一个更好的解决方案？

Can anybody come up with a better solution?

推荐答案

海事组织你在做什么，最好的解决办法是使用OAuth使用OpenID相结合。你使用的OpenID的RP是罚款。但对于需要访问该网站安装的应用程序，他们应该使用OAuth获得授权。该流程的工作是这样的：

The best solution IMO for what you're doing is to use OAuth combined with OpenID. You're use of OpenID at the RP is fine. But for installed applications that need access to that web site, they should use OAuth to get authorized. The flow would work like this:

1. 用户安装的应用程序在他们的设备


2. 在安装过程中或首次启动时，应用程序有一个授权我按钮。


3. 用户presses按钮和网络浏览器会弹出该客户端应用程序需要从访问数据的网站。


4. 用户登录到使用其OpenID
该网站

5. 网站现在问：你要授权客户端X程序？


6. 用户说是，并关闭浏览器。


7. 的客户端应用程序再次出现，并说谢谢。现在有必要OAuth令牌访问用户的数据，而无需用户以后再登录。

这篇关于从安装的应用程序的OpenID认证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！