Following on the previous posts, I've now got an implementation at Ecademy.

The API URL is http://www.ecademy.com/module.php?mod=foafnet

This is what the user will need to paste in or choose from a drop-down. It takes one extra parameter, "return": the URL where you want the user to come back to. Don't forget to urlencode this.

So the requesting application needs to redirect to http://www.ecademy.com/module.php?mod=foafnet&return=return_url, for example:
http://www.ecademy.com/module.php?mod=foafnet&return=http://www.voidstar.com

The URL above takes the user to a login form. If they're already logged in to Ecademy they just get an Approve button. On hitting the Approve button, or supplying a valid ID and password, they are redirected back to my_url (the return URL) with "foaf=url_to_get_your_foaf_from_Ecademy" appended on the end.

The foaf variable is the one-time URL to collect the FOAF from. It's escaped, so you'll need to urldecode it before using it. It's typically something like http://ecademy.com/module.php?module.php&mod=foafnet&op=foaf&hash=a_hash

a_hash is the first 16 characters of an MD5 hash. The URL will work for 5 minutes, and will have checks for validity and that the domain requesting the FOAF is the same one that was in my_url. The hash will only work one time. For the moment, all but the 5-minute check are commented out. If any of the checks fail you'll get an empty HTTP page; this could later become something like a 404.

The FOAF returned includes all the contact and private info I have, so it includes all the stuff I normally keep out of the public FOAF, like mbox, street address, post/zip code and so on.

The receiving application at my_url needs to pick up the FOAF URL from the foaf CGI variable, use curl or something like it to collect the foaf, parse it and then do something useful with it before displaying some UI.

Assuming you've got an Ecademy account, you can test all this in a browser with a bit of cut and paste.
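The requesting-application side of the flow above (build the redirect, pick the one-time URL off the callback, fetch it, parse the RDF/XML), as an added example; this is not Ecademy's code nor the post author's. The function names, PROVIDER_HOSTS and the sample FOAF document are assumptions. The one check worth noting is in extract_foaf_url: the foaf value arrives in a query string that anyone can forge, so the application confirms it really points at the provider's foafnet endpoint before fetching anything.

```python
# Consumer (requesting-application) side of the FOAFnet flow described
# above. Added example, not Ecademy's or the post author's code.
# Function names, PROVIDER_HOSTS and SAMPLE_FOAF are assumptions.
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

FOAFNET_API = "http://www.ecademy.com/module.php"
# Both host forms appear in the post's example URLs (assumed both valid).
PROVIDER_HOSTS = {"ecademy.com", "www.ecademy.com"}
FOAF_NS = "{http://xmlns.com/foaf/0.1/}"
RDF_NS = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"


def build_approval_redirect(return_url: str) -> str:
    """Step 1: where to send the user. urlencode() percent-escapes the return
    URL so its own '?' and '&' cannot be read as parameters of the API URL."""
    return FOAFNET_API + "?" + urlencode({"mod": "foafnet", "return": return_url})


def extract_foaf_url(callback_url: str) -> str:
    """Step 2: the user comes back to return_url with ?foaf=<escaped URL>.
    parse_qs() already undoes the escaping once; do not unquote() again or a
    legitimately encoded value gets corrupted. The value is untrusted input,
    so refuse anything that is not the provider's foafnet endpoint."""
    values = parse_qs(urlsplit(callback_url).query).get("foaf")
    if not values:
        raise ValueError("callback carries no foaf parameter")
    foaf_url = values[0]
    parts = urlsplit(foaf_url)
    if parts.scheme != "http" or parts.hostname not in PROVIDER_HOSTS:
        raise ValueError("foaf URL does not point at the provider: " + foaf_url)
    params = parse_qs(parts.query)
    if params.get("mod") != ["foafnet"] or params.get("op") != ["foaf"] or "hash" not in params:
        raise ValueError("foaf URL is missing the foafnet/foaf/hash parameters")
    return foaf_url


def fetch_foaf(foaf_url: str, timeout: float = 10.0) -> bytes:
    """Step 3: collect the FOAF (the post suggests curl; urllib does the same).
    The provider answers a failed check with an empty page, so an empty body
    is a rejection, not an empty profile."""
    with urllib.request.urlopen(foaf_url, timeout=timeout) as resp:
        body = resp.read()
    if not body:
        raise RuntimeError("provider returned an empty page: hash expired, already used or rejected")
    return body


def parse_foaf(xml_bytes: bytes) -> dict:
    """Step 4: pull the fields the application wants out of the RDF/XML."""
    person = ET.fromstring(xml_bytes).find(FOAF_NS + "Person")
    if person is None:
        raise ValueError("no foaf:Person in document")
    mbox = person.find(FOAF_NS + "mbox")
    return {
        "name": person.findtext(FOAF_NS + "name"),
        "mbox": mbox.get(RDF_NS + "resource") if mbox is not None else None,
    }


# Constructed sample of the private FOAF the provider returns (not real data).
SAMPLE_FOAF = b"""<?xml version="1.0"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:foaf="http://xmlns.com/foaf/0.1/">
  <foaf:Person>
    <foaf:name>Example Member</foaf:name>
    <foaf:mbox rdf:resource="mailto:member@example.com"/>
  </foaf:Person>
</rdf:RDF>"""

if __name__ == "__main__":
    print(build_approval_redirect("http://www.voidstar.com/foafnet?cb=1"))
    # Constructed callback carrying an escaped one-time URL of the shape shown in the post.
    cb = ("http://www.voidstar.com/foafnet?cb=1&foaf="
          "http%3A%2F%2Fecademy.com%2Fmodule.php%3Fmodule.php%26mod%3Dfoafnet%26op%3Dfoaf%26hash%3D0123456789abcdef")
    print(extract_foaf_url(cb))
    print(parse_foaf(SAMPLE_FOAF))
```

fetch_foaf() is the only step that touches the network; everything else runs offline on the constructed callback and sample document.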

Behind the scenes at Ecademy, I've got a table of valid hashes. This has the requesting domain, a timestamp, the Ecademy ID# of the user providing the approval and the hash. When the FOAF is requested, the hash is looked up in the table, the timestamp and domain checked, the hash regenerated and compared. If everything checks out the FOAF is returned and the record deleted.
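The provider-side table of valid hashes just described, as an added example; this is not Ecademy's code. The class and function names, SERVER_SECRET and the way the requesting domain is handed to redeem() are assumptions; the 16-character MD5, the stored fields and the 5-minute window come from the post. The one choice that goes beyond the post is that a row is deleted as soon as it is found, so a hash that fails the time or domain check cannot be tried again.

```python
# Provider side: the table of valid hashes described above. Added example,
# not Ecademy's code. HashStore, issue, redeem and SERVER_SECRET are assumed
# names; the 16-char MD5 and 5-minute window are from the post.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import urlsplit

TTL_SECONDS = 5 * 60
# Assumption: a secret known only to the provider is mixed into every hash,
# so a hash cannot be recomputed by anyone who knows the other fields.
SERVER_SECRET = secrets.token_hex(16)


@dataclass
class Approval:
    domain: str      # domain of the return URL the approval was given to
    issued_at: int   # timestamp
    user_id: int     # Ecademy ID# of the user who clicked Approve
    nonce: str       # random per approval, so repeated approvals never collide


def make_hash(a: Approval) -> str:
    """First 16 characters of an MD5, as in the post. Regenerating it from the
    stored row lets redeem() notice a row that was altered after issue."""
    material = f"{SERVER_SECRET}|{a.domain}|{a.issued_at}|{a.user_id}|{a.nonce}".encode()
    return hashlib.md5(material).hexdigest()[:16]


class HashStore:
    def __init__(self):
        self._rows = {}  # hash to Approval; stands in for the database table

    def issue(self, user_id: int, return_url: str, now=None) -> str:
        """Called when the user hits Approve; returns the hash that goes into
        the one-time foaf URL appended to the return URL."""
        now = int(time.time() if now is None else now)
        domain = urlsplit(return_url).hostname
        if not domain:
            raise ValueError("return URL has no host: " + return_url)
        a = Approval(domain, now, user_id, secrets.token_hex(8))
        h = make_hash(a)
        self._rows[h] = a
        return h

    def redeem(self, h: str, requesting_domain: str, now=None):
        """Called when the FOAF is fetched. Returns the approving user's id if
        every check passes, otherwise None (the caller then serves the empty
        page). The row is removed as soon as it is found, so a hash that fails
        a later check cannot be retried either."""
        now = int(time.time() if now is None else now)
        a = self._rows.pop(h, None)
        if a is None:
            return None                         # unknown, or already used once
        if now - a.issued_at > TTL_SECONDS:
            return None                         # older than 5 minutes
        if a.domain != requesting_domain:
            return None                         # fetched from a different site
        if not hmac.compare_digest(make_hash(a), h):
            return None                         # stored row no longer matches its hash
        return a.user_id


if __name__ == "__main__":
    store = HashStore()
    h = store.issue(42, "http://www.voidstar.com/foafnet", now=1000)
    print(h, store.redeem(h, "www.voidstar.com", now=1060))   # user 42
    print(store.redeem(h, "www.voidstar.com", now=1061))      # None: one time only
```

Passing `now` explicitly is only there so the expiry check can be exercised deterministically; in service the default `time.time()` is used. How the requesting domain reaches redeem() (Referer header, a registered client, or something else) is left to the caller, since the post does not say.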

This is all very similar to work done by myUID for remote authentication. I'm going to work on seeing if I can extend it to provide an open implementation of single sign-on, something I've been wanting to do for a year now.

Incidentally, a couple of days ago, I changed the Ecademy FOAF so that if you're logged in, and you request your FOAF, it bypasses the privacy controls and gives you a FOAF file with all your contact data in it. The implementation above gives you a way of telling a third party to get the same FOAF without giving them your Ecademy ID and Password.

[ 31-Jul-04 9:12am ]