Google has released an API that lets external applications authenticate against its user database. I'm not going to let Google manage the identities of my users, but this product does exactly what I need an authentication system to do, so I may copy some parts of its design.
I have been using a Web-services-based system in my applications, so my applications actually accept the user's username and password and then query the service to authenticate the user. Google's system uses a proxy- and token-based design, so users never type their Google password into a third-party application. Instead, the authentication request is handed off to a Web page run by Google, and Google hands back a token to the calling application indicating whether or not authentication was successful.
I'm going to have to do something similar due to certificate issues. I want to run applications outside SSL, but I want users to submit their passwords over an encrypted link. Rather than running applications under self-signed certificates and throwing a warning at every user, or buying even more certificates from the weasels in the certificate industry, I'm trying to build a proxy-based authentication system. I expect that Google's system will provide some good ideas for what we're trying to do.
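A minimal version of the token hand-off described above, as an added example that is neither Google's API nor the author's code: the authentication service, which would sit behind SSL, verifies the password and issues a signed, short-lived token bound to one calling application; the application, running outside SSL, never sees the password and checks only the token. The shared secret, the application name `wiki.example.org`, the 300-second lifetime and the claim names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Shared secret between the authentication service and one registered
# application (constructed for this example; use one secret per application).
APP_SECRET = b"example-shared-secret-do-not-reuse"
APP_ID = "wiki.example.org"   # assumed name of the calling application
TOKEN_TTL = 300               # seconds a token stays valid (assumption)


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, app_id: str, now: Optional[float] = None) -> str:
    """Run by the authentication service after it has checked the password
    over the encrypted link. The token, not the password, goes back to the app."""
    now = time.time() if now is None else now
    claims = {"sub": username, "aud": app_id, "exp": int(now) + TOKEN_TTL,
              "nonce": secrets.token_hex(8)}  # nonce makes each token unique
    body = b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(APP_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64(sig)}"


def verify_token(token: str, app_id: str, now: Optional[float] = None) -> Optional[str]:
    """Run by the calling application. Returns the username if the token is
    genuine, meant for this application and unexpired; otherwise None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(APP_SECRET, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison: a forged signature must not be guessable
        # one byte at a time from timing differences.
        if not hmac.compare_digest(expected, unb64(sig)):
            return None
        claims = json.loads(unb64(body))
    except (ValueError, TypeError):
        return None  # malformed token: wrong shape, bad base64 or bad JSON
    if claims.get("aud") != app_id or claims.get("exp", 0) < now:
        return None  # token issued for another application, or expired
    return claims.get("sub")
```

Without the audience check, a token issued for one application could be replayed against another that shares the same service, which is why the token names the application it was minted for.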