Shared Authentication between SAAS/Cloud web application and Desktop application

Question

A simple scenario:

Let's say we have a Web Application up in the cloud that let users sign up using OpenID. (I'm open to use Windows Live ID as alternative) They can log in and update some meta data, for example what their favorite color is.

If I now want to get this information from a desktop client, how do I do that? I will probably have to expose a Web Service in order to query this information, but how about the authentication?

There's the DotNetOpenAuth and there's the Windows Identity Foundation, and we have CardSpace etc.
But where the heck do I start? Which of them do I need? Do I need all 3?
And what about STS, is there any for OpenID / Windows Live ID?

Does anyone seen a sample using these technologies that will do what I am looking for? Any pointers?

Answer 1

Separate in your mind the concepts of authentication and authorization. You authenticate users at your web site only. You can do this with OpenID, InfoCard, STS, or username+password. Client apps that call your service for user-specific information must be authorized, which traditionally means they ask the user for their username+password, which is an anti-pattern, and breaks down when you use stronger or alternative credentials such as OpenID or InfoCard, as you're seeing.

Authorizing the app should use a delegation protocol such as OAuth, which allows the user to visit a web page that allows the desktop app to access the user's private data, without the user ever exposing their credentials to the app.

DotNetOpenAuth supports this full scenario. It comes with sample OAuth and OpenID sites. I recommend you check out either of the project templates which demonstrate OpenID login (and the web forms one even includes InfoCard login as an option) and also OAuth Service Provider, making it work for both web users and authorizing these client apps right out of the box.