I'm at IIW right now and also hacking away on OpenAuth and Blogs. Which does make sense since the people I need to talk to about how it should work are mostly here, with the exception of Praveen, who for some inexplicable reason prefers France.
So far so good; this curl command posts a blog entry on my Atom blog service:
curl -k -v -sS --include --location-trusted --request POST --url'https://monotreme:4279/_atom/collection/blogssmoketester' --data@/tmp/ieRN0zhgh6 --header 'Content-Type: application/atom+xml;charset=utf-8' --header 'Authorization: OpenAuthtoken="%2FwEAAAAABYgbMtk4J7Zwqd8WHKjNF6fgJSYe4RhTuitkNyip%2BEru%2FY43vaGyE2fTlxKPAEkBC%2Bf5lhWg18CE2gaQtTVQy0rpillqtUVOOtrf1%2BLzE%2BNTcBuFJuLssU%2B6sc0%3D"devid="co1dDRMvlgZJXvWK"'
Note that the token, which gives authorization and authentication, is obtained with a separate login call to an internal OpenAuth server. It looks like I need both the token and the devid; the devid essentially identifies the agent representing the user.
I should be able to post this curl command line with impunity because it shouldn't expose any private data, unlike the HTTP Basic Auth equivalent which exposes the user's password in nearly clear text. This also implies that it should be possible to avoid using TLS.
Now, if I had a standard way to get a token for an OpenID session, I could pass that in like so:
Authorization: OpenID token="...."
And my server will advertise that it accepts all three -- Basic, OpenAuth, and OpenID. I hope to talk with like minded people about this at IIW.