
OpenId without HTTP redirects?

I want to use one of the centralized authentication systems such as OpenId, Google or Facebook authentication systems. However, I have found that all of them use HTTP redirects to the corresponding server for the sign-up part of the process.

My problem with this is that for my system we want to provide different clients, some of them stand-alone applications, and therefore the HTTP redirect strategy won't work unless I implement a mini-browser (or something similar) in my client.

Is it possible to do this federated authentication in a programmatic way?

Thanks,

Gustavo.


The trust and security of these systems relies on the browser. As a user, I only enter my credentials if the browser tells me I am connected to my provider: by indicating a secure connection and by showing an anti-phishing seal.

You could ask me for my credentials in your application or on your website and conduct the entire authentication session on my behalf, but why would I give them to you? You could show an embedded browser in your application or an iframe on your website, but why would I trust you not to capture my credentials?

And then there is convenience: my browser has a cookie from my provider so I don't even need to enter credentials most of the time.

I think the best approach for a stand-alone application is to establish a session with your application server and then to launch a browser taking the user to your web server with the session identifier to authenticate that session. Then tell them that authentication is complete and they may return to the application. With cookies or stored passwords it will be faster than entering credentials into your application anyway.


Building on what @aaz has suggested, depending on how exposed your application is to the Internet, you could construct an HttpListener and have the return_to URL point to your listener. Not likely to work behind firewalls, though.

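As an added illustration (not code from either answer), here is a Python sketch of the hand-off the two answers describe: the server issues an unguessable session id, the stand-alone client opens the system browser at a server URL carrying that id, the federated login completes in the browser, and the client polls until the server has bound an identity to the session. The class and function names, the `https://app.example/login` URL and the 300-second timeout are assumptions.

```python
import secrets
import time

PENDING_TTL = 300  # seconds a launched session may wait for the browser (assumed value)


class AuthBroker:
    """Server-side state for the browser hand-off. The stand-alone client only
    ever holds an opaque session id; provider credentials stay in the browser."""

    def __init__(self, login_url="https://app.example/login"):  # assumed URL
        self.login_url = login_url
        self._sessions = {}  # session id -> {"created": ts, "identity": None|str}

    def start_session(self, now=None):
        # 256-bit random id: the launch URL is the only secret the client must keep
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"created": _ts(now), "identity": None}
        return sid

    def launch_url(self, sid):
        return f"{self.login_url}?session={sid}"

    def complete_login(self, sid, claimed_id, now=None):
        """Web tier calls this once the OpenID/OAuth round trip succeeded in the browser."""
        s = self._sessions.get(sid)
        if s is None or s["identity"] is not None:
            return False  # unknown, or already bound: never re-bind a session
        if _ts(now) - s["created"] > PENDING_TTL:
            del self._sessions[sid]  # stale launch: discard rather than bind
            return False
        s["identity"] = claimed_id
        return True

    def poll(self, sid):
        s = self._sessions.get(sid)
        return None if s is None else s["identity"]


def _ts(now):
    return time.time() if now is None else now


def client_login(broker, open_browser, attempts=3, poll_interval=0.0):
    """Client side: get a session, hand the user to the browser, poll until bound."""
    sid = broker.start_session()
    open_browser(broker.launch_url(sid))  # a real client would call webbrowser.open(url)
    for _ in range(attempts):
        identity = broker.poll(sid)
        if identity is not None:
            return identity
        time.sleep(poll_interval)
    return None  # user never finished in the browser; treat as not signed in
```

In a deployed version the poll would be an authenticated HTTPS call to the application server, and the session id should be invalidated once the client has read the bound identity.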
