Here's a proposal for a low tech, de-centralized, remote authentication system with profile management. It's aimed at all those low security situations where you need to login to a website but don't want to go through the hassle of creating an authenticated profile.

The basic approach is a simple web service. This web service should support, and be implemented in, XML-RPC, ReST and SOAP (in order of priority). It would take two string parameters: an ID and a password. It would return True or False. This service would usually be available in a standard location (say a method called "remote.login", at the path /xmlrpc/, on port 80) or could be found via some auto-discovery mechanism such as RSD.

The intention is that this web service is widely implemented, either as standalone CGI files on personal websites or as a service on more centralised systems like Typepad, Slashdot, etc.

On the server side, anyone building systems that require login but are not overly concerned about security should add support for external authentication. If the user types in something like ID: foo@bar.com it will pass foo and the password to the web service at bar.com. If it returns true, then either log the person in against foo@bar.com or create a user record linked to foo@bar.com and log them in against it.

For this to get widespread implementation at least three things are needed.

1) Simple standalone CGI programs in the major languages (e.g. Perl, PHP, Python, or whatever) that implement the service. These should include a minimally simple interface to maintain a fairly short list of ID/password pairs.

2) A set of toolkits in all the major languages for server-side applications to implement both sides of remote login.

3) Support for remote login built into successful apps like Slash, PHP-Nuke, Movable Type, Blogger, etc.
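As an added worked example (not code from the essay, Drupal, or any of the projects named), here are both halves of the scheme described above in Python 3 standard-library XML-RPC: the standalone service that a personal site at "bar.com" would host (item 1, keeping the short ID/password list), and the relying-party side that splits "foo@bar.com", asks bar.com's remote.login method, and then finds or creates a local user record. The method name "remote.login" and the path /xmlrpc/ are the ones the essay suggests; the hostnames, credentials and the in-memory user table are constructed for the demo, and the host-to-endpoint lookup is an assumed stand-in for whatever discovery mechanism a real deployment used. The example keeps the stored list as salted PBKDF2 hashes rather than cleartext and compares them in constant time; the password itself still travels in the request to the home site, which is the trade-off the essay accepts.

```python
"""Added example: a minimal Simple External Authentication service and client.

Not the essay's code.  Both sides run in one process for demonstration:
the "home site" (bar.com) serves remote.login over XML-RPC on localhost,
and the relying site calls it with the user part of foo@bar.com.
"""
import hashlib
import hmac
import os
import threading
from xmlrpc.client import Fault, ProtocolError, ServerProxy
from xmlrpc.server import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer

# ---- home-site side: the standalone service with its short ID/password list ----

def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 so the stored list never holds cleartext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class CredentialStore:
    """The 'fairly short list of ID/password pairs', kept as (salt, hash)."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}

    def add(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user_id] = (salt, _hash_password(password, salt))

    def verify(self, user_id: str, password: str) -> bool:
        """The remote.login method: True only if the ID exists and the password matches."""
        entry = self._users.get(user_id)
        if entry is None:
            # Do the same work for an unknown ID so timing does not reveal which IDs exist.
            _hash_password(password, b"\0" * 16)
            return False
        salt, expected = entry
        return hmac.compare_digest(_hash_password(password, salt), expected)


class _Handler(SimpleXMLRPCRequestHandler):
    rpc_paths = ("/xmlrpc/",)  # the standard location the essay proposes


def serve_login(store: CredentialStore, host: str = "127.0.0.1", port: int = 0) -> SimpleXMLRPCServer:
    """Expose store.verify as XML-RPC method 'remote.login(id, password) -> bool' in a daemon thread."""
    server = SimpleXMLRPCServer((host, port), requestHandler=_Handler, logRequests=False)
    server.register_function(store.verify, "remote.login")
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server  # server.server_address holds the bound (host, port)


# ---- relying-site side: accepting 'foo@bar.com' as a login ----

def split_remote_id(remote_id: str) -> tuple[str, str]:
    """'foo@bar.com' -> ('foo', 'bar.com'); anything without exactly one '@' is rejected."""
    if remote_id.count("@") != 1:
        raise ValueError("remote ID must look like user@host")
    user, host = remote_id.split("@")
    if not user or not host:
        raise ValueError("remote ID must look like user@host")
    return user, host


def remote_login(remote_id: str, password: str, endpoint_for_host, local_users: dict):
    """Ask the user's home site to verify the password; on True, find-or-create the local record.

    endpoint_for_host(host) -> URL of that host's remote.login service, or None if unknown
    (an assumed stand-in for a fixed location or RSD-style discovery).
    Returns the local user record, or None if the login was refused or could not be checked.
    """
    user, host = split_remote_id(remote_id)
    url = endpoint_for_host(host)
    if url is None:
        return None
    try:
        ok = ServerProxy(url).remote.login(user, password)
    except (Fault, ProtocolError, OSError):
        return None  # a broken or unreachable home site is a failed login, not an error page
    if ok is not True:
        return None
    # "either log the person in against foo@bar.com or create a user record linked to it"
    return local_users.setdefault(remote_id, {"id": remote_id, "created_by": "remote-auth"})


def demo():
    """Constructed scenario: bar.com hosts the service and one relying site uses it."""
    store = CredentialStore()
    store.add("foo", "correct horse")           # constructed credential
    server = serve_login(store)
    host, port = server.server_address
    endpoint_for_host = {"bar.com": f"http://{host}:{port}/xmlrpc/"}.get
    local_users: dict = {}
    try:
        results = {
            "good": remote_login("foo@bar.com", "correct horse", endpoint_for_host, local_users),
            "bad_password": remote_login("foo@bar.com", "wrong", endpoint_for_host, local_users),
            "unknown_user": remote_login("nobody@bar.com", "correct horse", endpoint_for_host, local_users),
            "unknown_host": remote_login("foo@nowhere.invalid", "correct horse", endpoint_for_host, local_users),
            "second_login": remote_login("foo@bar.com", "correct horse", endpoint_for_host, local_users),
        }
    finally:
        server.shutdown()
        server.server_close()
    return results, local_users


if __name__ == "__main__":
    results, users = demo()
    for name, record in results.items():
        print(f"{name}: {'logged in' if record else 'refused'}")
    print("local records created:", list(users))
```

Only the first successful login creates the local record; the later one is logged in against the same record, which is the find-or-create behaviour the essay describes. A wrong password, an unknown ID at the home site, and a host with no known service all come back as a refused login rather than a crash.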

Extensions and Issues

The biggest issue I see is that there is minimal security and minimal hiding of passwords but this doesn't actually matter. We're not trying to replace Passport, Liberty or PingID. What we are doing is creating a standard for those tens of thousands of websites that need minimal authentication. Many of us currently solve this by using the same ID and Password wherever possible. This system formalises this by letting us control that common ID-Password ourselves in one place. It also avoids the problem of having to create jbond23, jbond23uk, j23bond and so on because jbond has already been taken.

This idea immediately suggests some standard, possibly using FOAF, to let an end user or participating sites provide basic user profile information to a site that is creating a new user record. I have in mind a similar approach: a minimal CGI program for de-centralisation, toolkits for app coders, and support in major platforms for a standardised FOAF, vCard or similar set of data. This data could then be used to pre-populate user records.

If this takes off, it'll need a name. Really Simple Authentication is appealing, but RSA is already taken... Simple External Authentication (SEA) looks possible.

Acknowledgements

This whole essay was inspired when I went back and had another look at the current state of Drupal. For a year or so Drupal has had a remote authentication system that lets you log in to a Drupal site using an ID and password from another site. They currently have support for Drupal, Blogger, Delphi Forums, Manila, Yahoo, Jabber and LDAP. The code and techniques are admirably simple and would provide a good basis for the more general approach outlined above. http://drupal.org/node/view/312

You probably know about Deanspace http://www.deanspace.org/ which is based on Drupal. Every Deanspace site supports this style of remote auth.


[ 23-Sep-03 10:09am ]