Using OpenID in Standalone Application

Question

Currently, I am using Google Account Verification in my standalone application.

public static boolean isValidAccount(String email, String password) {
    if (email == null || password == null) {
        return false;
    }

    try {
        // URL of target page script.
        final URL url = new URL("https://www.google.com/accounts/ClientLogin");
        final URLConnection urlConn = url.openConnection();
        urlConn.setDoInput(true);
        urlConn.setDoOutput(true);
        urlConn.setUseCaches(false);
        urlConn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        // Send POST output.
        final DataOutputStream cgiInput = new DataOutputStream(urlConn.getOutputStream());
        // http://code.google.com/apis/base/faq_gdata.html#clientlogin
        String content = "accountType=" + URLEncoder.encode("HOSTED_OR_GOOGLE") + "&Email=" + URLEncoder.encode(email) + "&Passwd=" + URLEncoder.encode(password) + "&service=" + URLEncoder.encode("mail") + "&source=" + URLEncoder.encode("JStock-1.05b");

        cgiInput.writeBytes(content);
        cgiInput.flush();
        cgiInput.close();
        if (urlConn instanceof HttpURLConnection) {
            // 200 means OK. You OK. I OK. Google OK.
            return ((HttpURLConnection) urlConn).getResponseCode() == 200;
        }
        else {
            return false;
        }
    } catch (MalformedURLException ex) {
        Logger.getLogger(UploadServlet.class.getName()).log(Level.SEVERE, null, ex);
    }
    catch (IOException ex) {
        Logger.getLogger(UploadServlet.class.getName()).log(Level.SEVERE, null, ex);
    }
    return false;
}

May I know is it possible, that I can apply the similar concept on OpenID. I saw there are many web application example using OpenID. However, I haven't seen one in standalone application.

Is it possible to do so?

Answer 1

Since you're essentially pretending to be a browser and performing HTTP requests, you should be able to easily duplicate an OpenID setup.

Just look at what HTTP requests the web apps do, and replicate that using the same method you posted here, by using an HTTPUrlConnection.

However, one thing I feel I need to mention. Since you're not using HTTPS, anyone on your network could be sniffing username and passwords. You should perform all authentication and authorizations over a secure channel.

Answer 2

OpenID doesn't say anything about what happens while the user is authenticating to their provider. It could be a username/password, it could be a cookie, it could be an SSL certificate, it could be a retinal scan.

Your best bet may be opening a web browser widget and asking the user to authenticate in the normal OpenID style (but you'd have to figure out what to do for lack of a web server).

Answer 3

May I know is it possible, that I can apply the similar concept on OpenID. I saw there are many web application example using OpenID. However, I haven't seen one in standalone application.

The OpenID provider you used is just a webservice provided by Google. You can create a webservice yourself as well using a simple servlet and a database hosted online somewhere.

Answer 4

May I know is it possible, that I can apply the similar concept on OpenID. I saw there are many web application example using OpenID. However, I haven't seen one in standalone application.

Maybe because it doesn't make much sense for a standalone application to use something that rely heavily on web paradigms and HTTP. Amongst other things, how are you going to redirect a user to its OpenID provider? What about the authentication response (that should come in as a HTTP request from the OpenID provider)? How to deal with that?

So, no, I don't think you can/should use OpenID for your desktop application (not even mentioning that, if not connected to the web, users wouldn't be able to authenticated but that's another story).