
Using OpenID with WCF and no browser, is it possible?

Tags:

openid

wcf

From most of the reading I've done on OpenID, it seems a browser may be required. I'm writing a WCF app and wanted to use OpenID as the authentication method, but my app is not a web app. Is it possible to use WCF and OpenID together without requiring a web browser?

Chris Gillum asked Feb 04 '23 11:02


2 Answers

While OpenID can tout in its spec independence from cookies and such because the spec doesn't actually mandate how those things are used, in reality I've never seen a good OpenID solution for anything besides logging into a web site, which is really its primary use case.

However there is a good way to go and still use WCF and OpenID. Add OAuth to the mix. The DotNetOpenAuth library has a sample that shows how a WCF client can get authorized to call a WCF service via OAuth, where at the service-side the user uses OpenID to log in as part of the authorization process.

So basically if your WCF app needs to "log in" in order to call the WCF service, as part of a one-time setup:

  1. The app pops up a browser where the user sees the WCF service web site (the OAuth Service Provider)
  2. The user logs in with their OpenID (although the user may already be logged in, in which case they can skip this step)
  3. The OAuth SP asks the user "do you want to authorize this [wcf app] to access this site?"
  4. The user says yes, and closes the browser.
  5. The WCF app now has access, thanks to the OAuth protocol, to the WCF service.

This works because behind the scenes, when the user says "yes" to the service through the web browser, a special machine-friendly credential is assigned to the WCF app, which it uses with every WCF service call in a similar way a username/password would be.

Check out the DotNetOpenAuth library. It has the sample and everything you should need to get this working.

Andrew Arnott answered Feb 15 '23 18:02
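The one-time setup and the per-call credential check described in the answer above, as an added language-neutral Python model (not part of the original answer and not DotNetOpenAuth code). The `ServiceProvider` class, its method names, the request-token exchange step and the HMAC-based call signature are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def sign(secret, access_token, operation):
    # Assumption: calls are authenticated with an HMAC keyed by the token secret.
    msg = f"{access_token}\n{operation}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class ServiceProvider:
    """Hypothetical in-memory stand-in for the WCF service site (the OAuth SP)."""

    def __init__(self):
        self._pending = {}  # request token -> OpenID identifier (None until approved)
        self._granted = {}  # access token -> (secret, OpenID identifier)

    def start_authorization(self):
        # Step 1: the app gets a request token and opens the browser with it.
        request_token = secrets.token_urlsafe(16)
        self._pending[request_token] = None
        return request_token

    def user_approves(self, request_token, openid_identifier):
        # Steps 2-4 run in the browser; the app never handles the OpenID login.
        if request_token not in self._pending:
            raise PermissionError("unknown request token")
        self._pending[request_token] = openid_identifier

    def exchange(self, request_token):
        # The app trades the approved request token for its own credential.
        user = self._pending.get(request_token)
        if user is None:
            raise PermissionError("request token not approved")
        del self._pending[request_token]  # one-time use
        access_token, secret = secrets.token_urlsafe(16), secrets.token_bytes(32)
        self._granted[access_token] = (secret, user)
        return access_token, secret

    def call(self, access_token, operation, signature):
        # Step 5: every service call is checked against the issued credential.
        if access_token not in self._granted:
            raise PermissionError("unknown token")
        secret, user = self._granted[access_token]
        if not hmac.compare_digest(sign(secret, access_token, operation), signature):
            raise PermissionError("bad signature")
        return f"{operation} executed for {user}"
```

The app stores only the access token and its secret; the user's OpenID login stays between the browser and the service site.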


From reading the OpenID Authentication 2.0 Specification, I seem to have arrived at an answer:

While nothing in the protocol requires JavaScript or modern browsers, the authentication scheme plays nicely with "AJAX"-style setups. This means an end user can prove their Identity to a Relying Party without having to leave their current Web page.

OpenID Authentication uses only standard HTTP(S) requests and responses, so it does not require any special capabilities of the User-Agent or other client software. OpenID is not tied to the use of cookies or any other specific mechanism of Relying Party or OpenID Provider session management. Extensions to User-Agents can simplify the end user interaction, though are not required to utilize the protocol.

Now I just need to figure out a clever way to get it to work with a WCF-based relying party...

Chris Gillum answered Feb 15 '23 17:02