Supporting Authentication Discovery in a Standard Way



I'm sitting in a session at Internet Identity Workshop that is discussing what standardized support browsers could provide to all authentication systems. Right now all browsers support one: Username/Password over HTTP Authentication. Authentication's come a long way since 1993.

Dick Hardt of Sxipper made the observation that users view what's "inside the chrome" as the application. The browser chrome is largely ignored. That seems right to me.

Authentication systems like basic form-based, OpenID, and information cards all exist without explicit browser support. Forms have password fields, but that's just so that the browser blanks out the characters. Beyond that you're on your own.

This kind of discussion is a good example of how far the Internet identity discussion has come. When you get to the point of talking about getting these protocols "understood" in HTTP in the same way as BasicAuth, you're getting past the plumbing issues that have been part of the ID discussion for the past 3 years.

Ultimately this is about taking the discovery process that started with YADIS and XRDS to the next level and letting it work across even more protocols.

Once the discovery protocol is decided upon, standard plugins could be written for Firefox, IE, Chrome, and Safari that would implement the discovery process for identity and enable the browser for whatever identity system(s) the relying party supports. Four open source, community-supported plugins could replace the myriad proprietary plugins available today. That would lead to greater penetration and also give browser manufacturers something to code against when the time comes that they want to build the discovery code into their product.