[web] Cross site authentication for social networking

This topic is 3573 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

Say I own one web site, and I want to make it available to users of another web site, which I don't own. The first site would use the user's publicly visible data from that second site (in accordance with privacy policies, copyright, Terms of Use, etc.) as part of its content, as authorised by that user. How can I authenticate that a person on Site 1 is actually a given person on the other site? What methods are available, and how much cooperation will they need from the user, the other site, or both?

One rudimentary example I've seen works along the lines of "insert this arbitrary string into your profile/journal temporarily to prove it's you". Site 1 then scrapes Site 2's HTML to find this key phrase and uses this to verify that the page or profile edited on Site 2 belongs to the current user.

Another example might be to scrape an email address from Site 2 and send a secret key to that address, which has to be entered into Site 1 by the user. This will only be possible if they own that email address. It will also only be possible if Site 2 publishes email addresses. :)

More secure methods might include direct communication between the 2 sites, or some sort of external ID (e.g. OpenID), but I neither know much about such methods, nor know whether they involve a great degree of cooperation from Site 2. What are the simplest and/or most standard approaches here?

OpenID is probably a good solution for this. It has several avenues of authentication: providers like LiveJournal, Flickr, Yahoo, etc. explicitly support it, and there's also a "put this in your HTML" method which will work on blogs. Ultimately, of course, it comes down to the capabilities of the particular site. If I can't post content on the site, and don't have an email address on the site, in what way am I a "person on the site"?

Unfortunately, I expect that compelling Site 2 to support OpenID is quite a big undertaking. Is there anything a bit more lightweight? And what's this about putting it in the HTML?

For my purposes, I'd assume the user of Site 2 can edit a personalised page in some way. I'm also interested in things Site 2 can do to confirm that a given person is indeed one of their members, if possible without requiring the user to enter their username and password into Site 1 to relay it across.

Quote:
Original post by Kylotan
Unfortunately, I expect that compelling Site 2 to support OpenID is quite a big undertaking. Is there anything a bit more lightweight? And what's this about putting it in the HTML?

If the user can put a couple of tags in the <head> section of their webpage, they can securely and unambiguously claim that page as their own and relate it to their OpenID, regardless of whether Site 2 has ever even heard of OpenID.

Quote:
Original post by Kylotan
Still, I'd expect 95% of places wouldn't let you tamper with the head tags as a mere user, so it's probably only useful for blogs and the like.

Indeed. OpenID is the only thing approaching "general" for cross-site authentication. Beyond that, you'll need to do per-site things, like having them insert a number into some useless personal information field (like ICQ number) or emailing them or having them post something.
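The "insert this string into your profile" check from the opening question, and the per-site field variant mentioned in the reply above, sketched as an added example (not code from anyone in this thread). The names `issue_challenge`, `check_profile` and `FieldText`, the 15-minute lifetime and the `bio` element id are assumptions; the example goes slightly beyond the posts by counting the token only when it appears inside the field the account owner edits, so text other members can write onto the page does not prove ownership.

```python
import secrets
import time
from html.parser import HTMLParser

TOKEN_TTL = 15 * 60  # seconds a challenge stays valid (assumed policy)
VOID = {"br", "hr", "img", "input", "link", "meta", "wbr"}  # tags with no end tag
pending = {}  # (site1_user, site2_account) -> (token, expires_at)
SAMPLE = '<div id="bio">Hi<br>{bio}</div><div id="comments"><p>{comment}</p></div>'  # constructed


class FieldText(HTMLParser):
    """Collect text only from the element with the given id (the owner-edited field)."""
    def __init__(self, field_id):
        super().__init__()
        self.field_id, self.depth, self.text = field_id, 0, []

    def handle_starttag(self, tag, attrs):
        if tag not in VOID and (self.depth or dict(attrs).get("id") == self.field_id):
            self.depth += 1

    def handle_endtag(self, tag):
        if tag not in VOID and self.depth:
            self.depth -= 1

    def handle_data(self, data):
        if self.depth:
            self.text.append(data)


def issue_challenge(site1_user, site2_account, now=None):
    """Create an unguessable token bound to one Site 1 user and one claimed account."""
    now = time.time() if now is None else now
    token = "site1-verify-" + secrets.token_urlsafe(16)
    pending[(site1_user, site2_account)] = (token, now + TOKEN_TTL)
    return token


def check_profile(site1_user, site2_account, profile_html, field_id, now=None):
    """profile_html must be fetched by Site 1 from the URL it builds for site2_account."""
    now = time.time() if now is None else now
    token, expires_at = pending.get((site1_user, site2_account), (None, 0))
    if token is None or now > expires_at:
        return False
    parser = FieldText(field_id)
    parser.feed(profile_html)
    if token not in "".join(parser.text):
        return False  # absent, or present only outside the owner-edited field
    del pending[(site1_user, site2_account)]  # single use
    return True
```

`SAMPLE` stands in for a fetched Site 2 profile page; in a real deployment Site 1 downloads the page itself rather than accepting HTML or a URL from the user.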

Unfortunately, the current state of things makes what you want to do incredibly difficult unless Site 2 has made attempts to allow you to do this. Although OpenID has been popular in tech areas recently, a vanishingly small number of people know what it is, know that they have one (millions of people have them), or care to use it. This is compounded by the fact that there are a lot of OpenID providers but relatively few OpenID consumers.

Further, OpenID is still not very user friendly. Entering a URL as a login is not intuitive today and most people with OpenIDs (for example, all the users of AIM) might not even know what that URL is. There are proposals to link an ID with an email address which would make life a lot easier, in my opinion, but right now they are just proposals. So, even if Site 2 supported OpenID you'd probably be fighting an uphill battle trying to get users to use it.

Realistically, right now I think your best option is to contact Site 2 and tell them what you'd like to do and see if they have any mechanism to help you out. If they don't, scraping for either an email address or some arbitrary piece of information is probably your only option.

Is it feasible for site 2 to expose a web service through which site 1 can authenticate a user? If so, you would probably still require a simple login procedure on site 1 though.

That's feasible, but it requires changes/additions to site 2 which you don't own.

To make this discussion a whole lot easier: which site(s) do you want to scrape to begin with? Some sites do provide things like an API which you can not only use to authenticate a user, but also to get at (some of) the content (which means you don't have to scrape HTML. Yay!)

I'm not really asking how to do a specific thing, just wondering if there are ways I hadn't thought of. I'm also interested in what Site 2's API for authenticating a user to another site could be - if it involved you entering your Site 2 username and password into Site 1 then I can see that being unacceptable for many users.

Quote:
Original post by Sander
That's feasible, but it requires changes/additions to site 2 which you don't own.

It's obviously technically possible (and not even that difficult), but I don't know what site 2 is prepared to do to make this easier. [smile]
Quote:
Original post by Kylotan
I'm not really asking how to do a specific thing, just wondering if there are ways I hadn't thought of. I'm also interested in what Site 2's API for authenticating a user to another site could be - if it involved you entering your Site 2 username and password into Site 1 then I can see that being unacceptable for many users.

To get this straight: say I'm visiting your website (site 1), do you need to be able to identify me (and only me) as WanMaster on GameDev? Or do you only need to be able to find out if a certain user name (WanMaster, Sander, Sneftel etc.) exists over at GameDev?

I would need to verify that you are the owner/controller of the WanMaster account on Gamedev.net, in order to make a semantic link between the 2 sites for that user. I appreciate that how you'd do this would vary between sites, because of the different amounts of control that a user has over his section of a site.

Other than having the user add something on their page/profile (head tag, blog post etc.), I can think of one possible system but it will make things very complex and inflexible.

I'll use GameDev (site 2) and your hypothetical web site (site 1) again. If you have an account at GameDev, you could ask me to send you a PM with some random code you provide me with on your site. Your site's web server could then log in to your GameDev account, go to the PM inbox page, search for the message and verify the code. Technically it's not impossible but it isn't exactly straightforward either. And it will require you to have an account and special interpreter for each third party web site, so it doesn't scale well. And every site needs to have some sort of one-to-one communication (private messages, friends list etc).

Oh well, just brainstorming... :)

Quote:
Original post by Kylotan
I'm not really asking how to do a specific thing, just wondering if there are ways I hadn't thought of. I'm also interested in what Site 2's API for authenticating a user to another site could be - if it involved you entering your Site 2 username and password into Site 1 then I can see that being unacceptable for many users.


There are a lot of so-called "web 2.0" sites that do exactly that in order to work together with other social network sites. Usually it's just for one-time information copying so you could tell users that it's a one-time thing only and that they should change their password on site 2 after you're done.

But there are a lot of other possibilities. Think of it more as a site-specific OpenID-like construct. You could put a form (username only) or link on site 1 that takes you to a login page on site 2. After successful authentication on site 2, the user is redirected to a page on site 1. Something like:


<form method="post" action="http://site2.com/remote-authentication.html">
<input type="hidden" name="on-success" value="http://site1.com/success" />
<input type="hidden" name="on-failure" value="http://site1.com/error" />
<input type="text" name="site2-username" value="" />
</form>


It would need some extra protection so that users can't simply read the page source and browse to http://site1.com/success directly, but it's simple and it works. From there on you could make it as complex as you want. But all these systems require the cooperation of site 2 for the specific purpose of remote authentication.
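One way to supply the "extra protection" the post above asks for, as an added example that is not the poster's code: Site 2 signs the return URL with a key shared with Site 1, and Site 1 accepts it only with a valid signature, a fresh timestamp and the one-time nonce it placed in the form for that session. The shared key, the extra `nonce` form field, the query parameter names and all function names are assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SHARED_KEY = b"constructed-demo-key"  # assumption: agreed out of band by the two sites
ALLOWED_RETURN = {"http://site1.com/success"}  # return URLs Site 2 has registered
MAX_AGE = 120  # seconds a signed redirect stays acceptable (assumed policy)


def sign(user, nonce, ts):
    # JSON framing keeps the three fields unambiguous inside the MAC input.
    msg = json.dumps([user, nonce, ts]).encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


def site1_start(session):
    """Site 1: bind a one-time nonce to this browser session, then send it to Site 2."""
    session["nonce"] = secrets.token_urlsafe(16)
    return session["nonce"]


def site2_redirect(on_success, user, nonce, now=None):
    """Site 2: called only after its own login succeeded for `user`."""
    if on_success not in ALLOWED_RETURN:
        raise ValueError("unregistered return URL")
    ts = int(time.time() if now is None else now)
    fields = {"user": user, "nonce": nonce, "ts": ts, "sig": sign(user, nonce, ts)}
    return on_success + "?" + urlencode(fields)


def site1_verify(session, url, now=None):
    """Site 1: return the proven Site 2 username, or None if the proof fails."""
    now = time.time() if now is None else now
    expected = session.pop("nonce", None)  # single use: a replayed URL finds nothing
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    try:
        user, nonce, ts, sig = q["user"], q["nonce"], int(q["ts"]), q["sig"]
    except (KeyError, ValueError):
        return None  # e.g. someone browsed straight to /success
    if expected is None or not hmac.compare_digest(nonce.encode(), expected.encode()):
        return None
    if abs(now - ts) > MAX_AGE:
        return None
    if not hmac.compare_digest(sig.encode(), sign(user, nonce, ts).encode()):
        return None
    return user
```

The user's Site 2 password never passes through Site 1; only the signed username does.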
