Google has released an API for allowing external applications to authenticate against its user database. I’m not going to let Google manage the identities of my users, but this product does exactly what I need an authentication system to do, so I may copy some parts of its design.
I have been using a Web-services based system in my applications, so my applications actually accept the user’s username and password and then query the service to authenticate the user. Google’s system uses a proxy and token-based system, so users never type their Google password into a third party application. Instead the requests are passed off to a Web page run by Google, and Google hands back a token to the calling application indicating whether or not authentication was successful.
I’m going to have to do something similar due to certificate issues. I want to run applications outside SSL, but I want users to submit their passwords on an encrypted link. Rather than running applications under self-signed certificates and throwing a warning to every user or buying even more certificates from the weasels in the certificate industry, I’m trying to build a proxy-based authentication system. I expect that Google’s system will provide some good ideas for what we’re trying to do.
June 30, 2006 at 3:12 pm
I assume you know about JA-SIG’s CAS? (Not that you are using Java these days.) I saw a presentation by the guy (Shawn Bayern) who designed and wrote the original version of CAS, and I was so inspired, I reimplemented it twice. Once for my personal projects, once at my old job.
June 30, 2006 at 3:14 pm
Btw this is exactly the way Flickr auth works.
July 2, 2006 at 8:33 pm
Why are the weasels in the certificate industry such weasels?
July 6, 2006 at 7:17 pm
I take it back they ask the user to give their password to the 3rd party app. That ain’t anything like Flickr. (though only in one usage mode)