Global ID Web Gateway

Something else for Armagetron? Goody!
Post Reply
User avatar
afrothunder
On Lightcycle Grid
Posts: 14
Joined: Sun Dec 07, 2008 7:28 am
Contact:

Global ID Web Gateway

Post by afrothunder »

I've had my own implementation of the gateway described at http://wiki.armagetronad.org/index.php? ... he_gateway for a while but recently put together a public way of accessing it that I'd like to share. Perhaps someone might find use of it for their own websites.

(Note that all of the cons listed there for a centralized gateway apply. If you use this you'll just have to trust me to not steal passwords basically. EDIT: Unless your browser has Javascript enabled! See: http://forums3.armagetronad.net/viewtop ... 96#p266996)

Essentially how my gateway works is that a website using it has a login link going to http://afroservers.com/login/?redirector={URL} where {URL} is a base64 encoded url of where the form should redirect to after login. After successful login, the gateway redirects to the supplied url with an encrypted copy of the authenticated Global ID as a POST variable named auth, to ensure that the supplied Global ID is coming from the expected source. The attached PHP library has an aa_get_globalid function that uses a public RSA key to decrypt the Global ID. (Users not using PHP will have to copy the public key from the top of the library script and use their own decryption function compatible with PHP's openssl_public_decrypt).

The attached archive includes the client-end PHP library and an extremely simple test implementation.

Those who are inclined to make their own login form instead of using the supplied one should note that my server code does some checks to help ensure the authentic login form was used. This is to minimize password phishing potential.

Of course, the gateway should work with all Global IDs, not just ones from afroservers.

Let me know if you find this interesting/end up using it somewhere!
Attachments
afroauth.zip
(1.11 KiB) Downloaded 271 times
Last edited by afrothunder on Wed Aug 01, 2012 7:20 am, edited 1 time in total.
nux
Round Winner
Posts: 206
Joined: Mon Sep 12, 2011 11:20 pm

Re: Global ID Web Gateway

Post by nux »

If you use this you'll just have to trust me to not steal passwords basically
No.
There's a difference between knowing your shit, and knowing you're shit. Grammar does matter.
User avatar
afrothunder
On Lightcycle Grid
Posts: 14
Joined: Sun Dec 07, 2008 7:28 am
Contact:

Re: Global ID Web Gateway

Post by afrothunder »

nux wrote:
If you use this you'll just have to trust me to not steal passwords basically
No.
I know. It's a big concern :(

I'm open to any ideas around it.
nux
Round Winner
Posts: 206
Joined: Mon Sep 12, 2011 11:20 pm

Re: Global ID Web Gateway

Post by nux »

The big sites use tokens, maybe they can be implemented here as well. I dont want to start a "standards" discussion here, but the code should be more readable and with a char limit per line.
There's a difference between knowing your shit, and knowing you're shit. Grammar does matter.
User avatar
afrothunder
On Lightcycle Grid
Posts: 14
Joined: Sun Dec 07, 2008 7:28 am
Contact:

Re: Global ID Web Gateway

Post by afrothunder »

nux wrote:The big sites use tokens, maybe they can be implemented here as well. I dont want to start a "standards" discussion here, but the code should be more readable and with a char limit per line.
Sorry if I'm not understanding, but how would I use tokens to get around needing the password to send off to the authority server?

EDIT: I've updated the login form to use Javascript to do the password hashing (with authority prefixes and suffixes) client-end when possible. This should minimize any actual password transfer to the rare cases where Javascript isn't available. Inspection of the method used in the login form's Javascript is, of course, welcome.
epsy
Adjust Outside Corner Grinder
Posts: 2003
Joined: Tue Nov 07, 2006 6:02 pm
Location: paris
Contact:

Re: Global ID Web Gateway

Post by epsy »

User avatar
afrothunder
On Lightcycle Grid
Posts: 14
Joined: Sun Dec 07, 2008 7:28 am
Contact:

Re: Global ID Web Gateway

Post by afrothunder »

epsy wrote:The following are PHP implementations for http://wiki.armagetronad.org/index.php? ... ly_Trinity . They don't involve giving your password to a middleman.

https://code.launchpad.net/~armagetrona ... erver-work
https://code.launchpad.net/~armagetrona ... lient-work
Using webform is optimal, but I don't think it's reliably supported at enough authorities to be relied on :(

Unless I'm mistaken it doesn't even seem to be available for @forums

The scripting used on the login form does the hashing before anything gets sent to the gateway. Is this different from what happens in-game?
epsy
Adjust Outside Corner Grinder
Posts: 2003
Joined: Tue Nov 07, 2006 6:02 pm
Location: paris
Contact:

Re: Global ID Web Gateway

Post by epsy »

Yes, because the code that does this is issued by the gateway and not by a trusted source. Which defeats the whole object of having auth done by someone else.

As for webform, I'm not too happy about it, and no, few authorities if any allow it. I want the consumer not to have to store any data until the auth server says "Yes that is John". With the current webform auth it has to store stuff. Not practical.
User avatar
afrothunder
On Lightcycle Grid
Posts: 14
Joined: Sun Dec 07, 2008 7:28 am
Contact:

Re: Global ID Web Gateway

Post by afrothunder »

epsy wrote:Yes, because the code that does this is issued by the gateway and not by a trusted source. Which defeats the whole object of having auth done by someone else.

As for webform, I'm not too happy about it, and no, few authorities if any allow it. I want the consumer not to have to store any data until the auth server says "Yes that is John". With the current webform auth it has to store stuff. Not practical.
Maybe we could have the gateway (either from my source or built from the ground up, doesn't matter as its useful either way) hosted at armagetronad.net? It's still centralized and the hashing code is still loaded remotely but as far as centralized goes that is as trusted as we can get I think. (And theres no way around loading the hashing code remotely without a predownloaded web plugin of some sort. This could be possible and maybe bundled with the game, but it seems like a really bothersome solution.)

Webform wise, I just spent the time making sure its operational on my own authority, so at least theres now one more that supports it :/
Post Reply