OpenID authentication from an installed application

一个人的身影 2021-01-20 02:21

I'm currently planning a new web project. Clients are going to connect using a regular web browser and, in case of regular java-enabled cell phones, j2me client. I would re

1 answer
  • 2021-01-20 03:08

    The best solution IMO for what you're doing is to use OAuth combined with OpenID. Your use of OpenID at the RP is fine. But for installed applications that need access to that web site, they should use OAuth to get authorized. The flow would work like this:

    1. User installs app on their device
    2. During install or on first launch, the app has an "Authorize me" button.
    3. The user presses the button and a web browser pops up the web site that the client app needs to access data from.
    4. User logs into that site using their OpenID
    5. Site now asks "do you want to authorize client app X?"
    6. User says yes and closes the browser.
    7. The client app reappears and says "thanks." and now has the OAuth token necessary to access the user's data without the user ever logging in again.