Seamless Single Signon
Martin Atkins
mart at degeneration.co.uk
Fri May 20 06:29:25 PDT 2005
Sam Ruby wrote:
> I've seen greasemonkey and bookmarklets mentioned in this mailing list,
> but only in the context of pre-filling in fields and the like.
>
> So much more is possible. Much more.
>
> If you recognize that the desired end result is a specific DSA
> signature, and that many of the clients are able to perform logic and
> via the user at the keyboard potentially have access to all the same
> secrets that the server has, you can streamline everything.
>
> - - -
>
> Brief outline, from a user's perspective. I'll pick greasemonkey, but I
> imagine once a proof of concept exists, fans of other browsers will
> quickly provide equivalents.
>
> 1) User installs greasemonkey script. Possibly tailors a few things
> like how long logins are valid for (paranoid=5 minutes, normal=1 hour,
> unconcerned=1 day).
>
> 2) User visits web page. The Verify button is replaced with a login
> button. User enters the URI and presses login. This pops up a window
> locally and prompts for a master password. Once the user enters the
> correct password, the popup goes away, the input field becomes readonly,
> and the login button gets replaced with a logout button. Note: no
> server interaction, no delays occur. User continues and ultimately
> submits the form.
>
> 3) User visits a second web page, on a different site, before the login
> expires. The URI is again prefilled in, is again readonly, and the
> verify button is again replaced with a logout button. The user need not
> perform any overt action to continue.
>
The login tokens (signatures) can't be shared between different sites
because the return URL is part of the signature. Also, the token must be
generated by a publicly accessible identity server on a per-site basis
because eventually this signature will be validated by the destination
server using the identity server's public key.
Once the sharing of tokens between sites is removed, this reduces down
to essentially what I was talking about initially: you get a "Log In
with OpenID!" button which you can click, and the script knows what your
Identity URL and ID server are so it can go off and fetch the signature.
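The point made above, that a signed login token is bound to one site because the return URL is part of the signed data, as an added example that is not from the original thread or from any OpenID implementation. The signing primitive is an assumption for the sake of a standard-library-only script: HMAC-SHA256 under a constructed identity-server secret stands in for the DSA signature the thread describes, but the binding of `identity`, `return_to` and `issued` into the signed message, and the relying party's checks on it, are the same.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed stand-in for the identity server's signing key (assumption:
# the real scheme uses a DSA key pair; HMAC keeps this example stdlib-only).
ID_SERVER_KEY = b"constructed-demo-secret"

# Fields the identity server covers with the signature. return_to is
# included, which is what stops one site's token being replayed at another.
SIGNED_FIELDS = ("identity", "return_to", "issued")

def _signed_message(params):
    """Canonical byte string the signature is computed over."""
    return urlencode([(k, str(params[k])) for k in SIGNED_FIELDS]).encode()

def issue_assertion(identity, return_to, issued):
    """Identity server side: sign a per-site assertion for one return URL."""
    params = {"identity": identity, "return_to": return_to, "issued": issued}
    mac = hmac.new(ID_SERVER_KEY, _signed_message(params), hashlib.sha256).digest()
    params["sig"] = base64.b64encode(mac).decode()
    return params

def verify_assertion(params, expected_return_to, now, max_age=3600):
    """Relying party side: signature valid, return_to is ours, not expired."""
    try:
        sig = base64.b64decode(params["sig"])
        expected = hmac.new(ID_SERVER_KEY, _signed_message(params), hashlib.sha256).digest()
        issued = int(params["issued"])
    except (KeyError, ValueError):
        return False
    if not hmac.compare_digest(sig, expected):
        return False          # token altered, or signed by someone else
    if params["return_to"] != expected_return_to:
        return False          # valid token, but issued for a different site
    return 0 <= now - issued <= max_age

def demo(now=1116595765):
    """Constructed run: token for site A accepted at A, rejected at B."""
    site_a = "http://site-a.example/login-return"
    site_b = "http://site-b.example/login-return"
    token = issue_assertion("http://example.com/mart", site_a, now - 60)
    replayed = dict(token, return_to=site_b)   # edited to point at site B
    return (verify_assertion(token, site_a, now),      # True
            verify_assertion(token, site_b, now),      # False: wrong site
            verify_assertion(replayed, site_b, now),   # False: signature broken
            verify_assertion(token, site_a, now + 7200))  # False: expired
```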