tags:

views:

187

answers:

2

We're using an API from a provider; in their next version, they would provide an OpenId server but mostly the users are using their desktop application. An other website we're building would be opened from this application and we supposedly would connect with openid to access the resources stored in this provider.

Still I don't understand how this would work if user is already authenticated with the desktop, will they have to authenticate an other time ? What happens if they close their browser and reopen it, will they have to to do it again ?

+1  A: 

I think the answer is "it depends." For the close-and-reopened browser question, it depends on whether your sites use session cookies or persistent cookies to authenticate requests.

But as for the authenticate-with-desktop-client-and-then-open-a-browser, you'd have to ask the provider for more details. I can imagine ways to do it that would have either outcome.

keturn
+1  A: 

OpenID and desktop apps are totally completely and altogether incompatible. You cannot secure a desktop app using OpenID.

Look at OAuth. It can work with or without OpenID, but OAuth is all about authorizing apps including desktop apps to access network resources.

Andrew Arnott