Strong opinions, weakly held

Use no, copy maybe

Google has released an API that allows external applications to authenticate users against its user database. I’m not going to let Google manage the identities of my users, but this product does exactly what I need an authentication system to do, so I may copy some parts of its design.

I have been using a Web-services-based system in my applications, so my applications actually accept the user’s username and password and then query the service to authenticate the user. Google’s system uses a proxy and token-based design instead, so users never type their Google password into a third-party application. The request is handed off to a Web page run by Google, and Google returns a token to the calling application indicating whether or not authentication was successful.

I’m going to have to do something similar due to certificate issues. I want to run applications outside SSL, but I want users to submit their passwords on an encrypted link. Rather than running applications under self-signed certificates and throwing a warning to every user or buying even more certificates from the weasels in the certificate industry, I’m trying to build a proxy-based authentication system. I expect that Google’s system will provide some good ideas for what we’re trying to do.
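The token hand-off described above, as an added example that is not code from the original post or from Google’s API: the login proxy (the one host with a real certificate) authenticates the user and issues a short-lived, app-bound, single-use HMAC token; the application, running outside SSL, only ever verifies the token and never sees the password. The app names, secrets and token format are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Shared secret between the HTTPS login proxy and each application (constructed samples).
# One secret per application, so a token minted for one app cannot be replayed at another.
APP_SECRETS = {"wiki": b"constructed-wiki-secret", "forum": b"constructed-forum-secret"}

def _sign(secret, payload_b64):
    return hmac.new(secret, payload_b64.encode(), hashlib.sha256).hexdigest()

def issue_token(app_id, username, now=None, ttl=300):
    """Login proxy side: after the user has authenticated over TLS, hand back a token
    bound to the requesting application, with an expiry and a nonce for single use."""
    payload = {"app": app_id, "user": username,
               "exp": int(now if now is not None else time.time()) + ttl,
               "nonce": secrets.token_hex(8)}
    payload_b64 = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    return payload_b64 + "." + _sign(APP_SECRETS[app_id], payload_b64)

def verify_token(app_id, token, seen_nonces, now=None):
    """Application side: return the username if the token is valid for this app, else None.
    seen_nonces is the application's store of already-redeemed nonces (replay protection)."""
    try:
        payload_b64, sig = token.split(".", 1)
    except ValueError:
        return None                      # malformed token
    if not hmac.compare_digest(sig, _sign(APP_SECRETS[app_id], payload_b64)):
        return None                      # forged or tampered (checked before parsing)
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    if payload["app"] != app_id:
        return None                      # issued for a different application
    if payload["exp"] < (now if now is not None else time.time()):
        return None                      # expired
    if payload["nonce"] in seen_nonces:
        return None                      # already redeemed once
    seen_nonces.add(payload["nonce"])
    return payload["user"]
```

Real deployments would keep the nonce store shared across application instances and rotate the per-app secrets; the checks above are what matters for the proxy design itself.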


  1. I assume you know about JA-SIG’s CAS? (Not that you are using Java these days.) I saw a presentation by the guy (Shawn Bayern) who designed and wrote the original version of CAS, and I was so inspired, I reimplemented it twice. Once for my personal projects, once at my old job.

  2. Btw this is exactly the way Flickr auth works.

  3. Why are the weasels in the certificate industry such weasels?

  4. I take it back; they ask the user to give their password to the 3rd-party app. That ain’t anything like Flickr. (though only in one usage mode)



© 2019 rc3.org
