http://trac.whitetree.org/gracie/

I wasn’t able to get it running on Fedora, but i ran out of time for it…

Probably it will not if browser is required by OpenID. Is it?
But anyway browser requirement is OK because browser is widely used/known software.

For example I have an ID card to authenticate against OpenID service and ID card software is also needed (asks for pin code). If there is no ID card software it also does not work.

How would this work with OpenID?

Taking the ssh example – I would love to type:

ssh -l https://id.mayfirst.org/jamie myserver.org

Then, the ssh client would prompt me for a password. Would I enter my password? If I did, and ssh passed it on to the ssh server, which would pass it on to Pam… then what? Is there an OpenID specification for a consumer to give the provider a password and get a response? My understanding is that the consumer has to redirect the user’s browser to the provider and the provider asks the consumer for the password. How would this work in an environment where there is no browser?

Another angle… suppose we wanted to get Horde IMP (a web-based IMAP client) to support OpenID. Horde IMP could be redesigned to to the browser redirection – so we don’t have to give Horde IMP our password at all, allowing our OpenID provider to do the verification. But then Horde IMP can’t access our email – because normally Horde IMP caches our password, sending it to our IMAP server on every request. Here’s where an OpenID pam module could step in. If Horde IMP could get a Kerberos style token from the OpenID provider and pass that on to the IMAP server, which would pass it on to Pam, which would verify that it is accurate… Is there a spec like this being discussed with OpenID?

Of course, maybe I just don’t get it and there’s a much easier or simpler way to do this.

Thoughts are welcome.