[drupal-devel] remote auth and required email/password fields

Vladimir Zlatanov vlado at dikini.net
Wed Mar 16 12:46:14 UTC 2005

> This is actually the insecure part of the whole Drupal remote auth
> process: You give your password to a foreign site.
> > Any thoughts on this?  Your ideas would be greatly appreciated.

> An idea (proposed by somebody else) for secure remote auth would be to
> let the user authenticate at the "home server" and only send a "yes" or
> "no" to the remote server. The remote server would pass the session ID
> along and get it back if authentication was succesfull. I am not
> completely sure, if this process is safe from exploits, though.
It is not safe for a 'man in the middle' exploits. If somebody manages to pretend to be
the 'home server', the they rule.

It is possible though, to devise a scheme which can avoid that,
something along the lines:
prerequisite - some form of trust established between remote and home,
preferably some form of signing the messages.

user: remote, I want to login, I'm a foreign user my home site is xxx

remote: user, OK, then, I know of them, redirect to

user: home, it's me and my password is ....

home: user, wait a bit

home: remote, user is fine [message signature]

home: user, redirect to remote/whatever

user: remote, show me whatever

A conversation like that is feasible, but is less flexible than
the current remote auth. Every software must support such a redirection,
login exchange scheme.

Redirection is good, since it will help to reduce the user clicks.

Between Drupal sites though it could be done.
This conversation roughly mimicks the conversations your web browser
make with key servers, to verify a certificate, so in spirit at least it
should be fine.


More information about the drupal-devel mailing list