[drupal-devel] remote auth and required email/password fields
Vladimir Zlatanov
vlado at dikini.net
Wed Mar 16 12:46:14 UTC 2005
> This is actually the insecure part of the whole Drupal remote auth
> process: You give your password to a foreign site.
> > Any thoughts on this? Your ideas would be greatly appreciated.
> An idea (proposed by somebody else) for secure remote auth would be to
> let the user authenticate at the "home server" and only send a "yes" or
> "no" to the remote server. The remote server would pass the session ID
> along and get it back if authentication was succesfull. I am not
> completely sure, if this process is safe from exploits, though.
It is not safe for a 'man in the middle' exploits. If somebody manages to pretend to be
the 'home server', the they rule.
It is possible though, to devise a scheme which can avoid that,
something along the lines:
prerequisite - some form of trust established between remote and home,
preferably some form of signing the messages.
---------------
user: remote, I want to login, I'm a foreign user my home site is xxx
remote: user, OK, then, I know of them, redirect to
http://xxx/remote/login/url
user: home, it's me and my password is ....
home: user, wait a bit
home: remote, user is fine [message signature]
home: user, redirect to remote/whatever
user: remote, show me whatever
----------------
A conversation like that is feasible, but is less flexible than
the current remote auth. Every software must support such a redirection,
login exchange scheme.
Redirection is good, since it will help to reduce the user clicks.
Between Drupal sites though it could be done.
This conversation roughly mimicks the conversations your web browser
make with key servers, to verify a certificate, so in spirit at least it
should be fine.
Vlado
More information about the drupal-devel
mailing list