AOL OpenAuth and Atom Publishing Protocol

I'm looking to see how best to implement Atom-compatibleauthentication for AOL's OpenAuth service. The service provides ways for users to authenticate themselves and togrant permissions to services to do things such as read buddy lists onbehalf of a user.  These permissions are encapsulated in a portabletoken which can be passed around.  The primary use cases for thisinvolve pure web based AJAX applications, so making this something thata generic application can deal with isn't fully specified.

So, here are my thoughts.  Let's say the client has a token stringwhich encapsulates authentication and authorization.  They need to sendthis along with an Atom Publishing Protocol (APP) request. 

Windows Live and GData both implement custom RFC 2617 WWW-Authenticate:headerschemes.  Unfortunately they don't follow exactly the same pattern,or I'd just copy it.  But using RFC 2617 is clearly the right approachif the server can support it.  So here's a proposal:

If a client has an OpenAuth token, it sends an Authorization: header. The format looks like this:

Authorization: OpenAuth token="..."

where ... contains the base64-encoded token data (an opaque string,essentially).

When there is a problem, or the Authorization: header is missing, a401 response is returned with a WWW-Authenticate: header.

401 Need user consent
...
WWW-Authenticate: OpenAuth realm="RealmString",fault="NeedConsent",url="http://my.screenname.aol.com/blah?a=boof&b=zed&...."

where the status code contains a human readable message, and theWWW-Authenticate header contains the precise fault code -- NeedToken,NeedConsent, ExpiredToken.  If present, the urlparameter gives the URL of an HTML page which can be presented to theend user to login or grant permissions.  For example it can point to alogin page if the fault is NeedToken.  A client would then need to dothe following in response:

1. Append a "&succUrl=..." parameter to the url, telling theOpenAuth service where to go when the user successfully logs in orgrants permission. 
   
2. Open a web browser or browser widget control with the givencomposed URL, and present to the user.
3. Be prepared to handle an invocation of the succUrl with anappended token parameter, giving a new token to use for subsequentrequests.

Note that the succUrl can be a javascript: URL, or a custom scheme(e.g., aim:) if your destination client is not a web browser.  Or itcould be pointing to a local web server(http://localhost:1080/openauthcallback.cgi) or perhaps other schemesto get the token from point A to point B.  Whatever method is chosen,eventually the client will receive an OpenAuth token that it can use totry (or re-try) the Atom request.

As a wrinkle, to enhance autodiscovery, perhaps we should allow an"Authorization: OpenAuth" header with no token on any request(including HEAD).  The server could then respond with a 401 andfault="NeedToken", telling the client what URL to use for loginauthentication.  The interesting thing about this is that the protocolis then truly not tied to any particular authentication service --anyone who implements this fairly simple protocol with opaque tokenscan then play with anyone else.  The whole thing could be built on topof OpenID, for example. 

Perhaps this doesn't quite work.  I notice that the Flickr APIs don'tdo this, and instead have non-browsers establish a session with aclient-generated unique key ("frob").  But this requires that users endup looking at a browser screen that tells them to return to theirapplication to re-try the request.  Which the above scheme couldcertainly do as well, by making the succUrl point at such a page.  Sois there a reason why Flickr doesn't redirect?  There's likely a gapingsecurity hole here that I'm just missing.