Seemless Single Signon
Sam Ruby
rubys at intertwingly.net
Fri May 20 06:39:27 PDT 2005
Martin Atkins wrote:
> Sam Ruby wrote:
>
>> I've seen greasemonkey and bookmarklets mentioned in this mailing
>> list, but only in the context of pre-filling in fields and the like.
>>
>> So much more is possible. Much more.
>>
>> If you recognize that the desired end result is a specific DSA
>> signature, and that many of the clients are able to perform logic and
>> via the user at the keyboard potentially have access to all the same
>> secrets that the server has, you can streamline everything.
>>
>> - - -
>>
>> Brief outline, from a user's perspective. I'll pick greasemonkey, but
>> I imagine once a proof of concept exists, fans of other browsers will
>> quickly provide equivalents.
>>
>> 1) User installs greasemonkey script. Possibly tailors a few things
>> like how long logins are valid for (paranoid=5 minutes, normal=1 hour,
>> unconcerned=1 day).
>>
>> 2) User visits web page. The Verify button is replaced with a login
>> button. User enters the URI and presses login. This pops up a window
>> locally and prompts for a master password. Once the user enters the
>> correct password, the popup goes away, the input field becomes
>> readonly, and the login button gets replaced with a logout button.
>> Note: no server interaction, no delays occur. User continues and
>> ultimately submits the form.
>>
>> 3) User visits a second web page, on a different site, before the
>> login expires. The URI is again prefilled in, is again readonly, and
>> the verify button is again replaced with a logout button. The user
>> need not perform any overt action to continue.
>
> The login tokens (signatures) can't be shared between different sites
> because the return URL is part of the signature. Also, the token must be
> generated by a publically-accessible identity server on a per-site basis
> because eventually this signature will be validated by the destination
> server using the identity server's public key.
>
> Once the sharing of tokens between sites is removed, this reduces down
> to essentially what I was talking about initially: you get a "Log In
> with OpenID!" button which you can click, and the script knows what your
> Identity URL and ID server are so it can go off and fetch the signature.
Nothing is shared between sites.
There is no need to involve my server during the composition of my request.
Everything necessary to compose a message which is signed with
information unique to my server can be done locally, in javascript.
And it can all be done with out any user interaction.
- Sam Ruby
More information about the yadis
mailing list