Marc Hughes

I am a developer from a bit west of Boston.

OpenID From AIR

05 Aug 2008

I've been working on some web services recently.  There's both plain old browser accessed HTML pages plus an AMF interface to them.  One feature of the HTML version is OpenID authentication.  Now OpenID is all fine and dandy for a web application, but we get some problems when we want to use an AIR desktop client to connect and authenticate through OpenID. 

          <p>If you're not familiar with how OpenID works, here's a quick summary.</p>
            <li>User goes to an application (Usually a web-app)</li>
            <li>User types in their OpenID URL to that app</li>
            <li>They get forwarded to their OpenID page where they can either grant or deny access.</li>
            <li>That page then forwards them back to the original web app with an authentication token set.</li>
          <p>Obviously, it's kind of hard to redirect back to a desktop application.&#160; I was thinking up some wacky work-a-rounds for this but then it hit me. </p>
          <p>In the AIR app I can just use the HTML component and point it towards the login form of the web services.&#160; The user can then log in using either username/password or OpenID just like they do on the website.&#160; Now, here's the cool part...&#160; The AIR HTML component shares a network stack with the AIR/Flex NetConnection object.&#160; That means any session/cookies/whatever opened in the HTML component carry through to the remoting calls I want to make from Actionscript. So I can authenticate using a web form, but then consume BlazeDS/LiveCycleDS/AMFPHP/Red5 services using AMF over Netconnection. </p>
          <p>I did up a quick proof of concept and it works on both Windows and OSX.&#160; I was able to successfully call a remoting service that requires an authenticated session.&#160; So this was actually a much easier problem to figure out than I had feared. </p>
          <p><img height="448" src="" width="600" /></p>
          <p>Now, I'll just need to make the web page that loads after a successful login somehow indicate to the AIR app that the user is successfully logged in.&#160; I'll probably either use a tiny Flash component that signals over LocalConnection, or I'll just make the AIR app watch for when the HTML component gets to a specific URL. I'm pretty sure I can get this to be a completely seamless experience for the user.</p>
          <p>Oh, and as a bonus... the user can sign up for a new account instead of log into an existing one from &quot;within the app&quot; instead of going to an external website to do that.  </p>
          <p><br />