-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathPROTOCOL.txt
81 lines (64 loc) · 3.18 KB
/
PROTOCOL.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
The SYSTEM
----------
The SYSTEM allows remote services to outsource authentication
of its users to a centralized authority - the SYSTEM.
Design Considerations
---------------------
The SYSTEM allows an authentication client ("service") to associate
a local "identifier" (e.g. a session or any method of identifying
individuals across requests) with a unique user and specific information
about that user ("attributes"), without having to implement local
authentication measures or being required to store the attributes locally
(though that might be beneficial for some applications).
Upon first use of a service, the user is presented with a review of
which attributes the service requested and asked to authorize acess
by the service ("association").
Associations persist across identifiers and can thus be reused (auto sign-on).
The user may revoke associations at any time using the management interface.
Communication between the SYSTEM and the service is authenticated by a
pre-shared user/secret pair and may optionally be protected by TLS.
Authentication Protocol
-----------------------
The service refers the user to the SYSTEM verification endpoint, passing
its service handle, an identifier of its choice and a comma-separated list
of requested attributes as GET parameters.
Example URL:
https://account.kitinfo.de/verify/ | Endpoint
?service=demo | Service Handle
&ident=sess_42 | Session Identifier
&req=unique_id,username | Requested Attributes
The SYSTEM will then authenticate the user against its database, and if
no active association for the requesting service exists, require the users
confirmation for creating one.
Having found an active association, the SYSTEM will perform a HTTP POST request
against the requesting services endpoint, identifying itself with the
pre-shared user/password pair in HTTP Basic Authentication. The request contains
the requested attributes (as confirmed by the user) as well as a session token as
POSTDATA parameters.
The token is computed as the sha256 hash of the concatenation of the provided
session identifier and the pre-shared service password.
The user is finally redirected to the specified service redirect target.
Setting up a service
--------------------
Log on to your SYSTEM account. The management panel contains an interface
for the registration of remote services. Provide the requested information.
Handle
The unique shorthand indentifier for your service
Endpoint
The authentication endpoint to be called for your service
Redirect
Where to send the user after successfully authenticating
and confirming to use your service
Protocol
Authentication protocol to use with your endpoint -
currently not selectable
Upon submission of the data, the service credentials are shown ONCE and must
immediately be set up with the service.
Closing Remarks
---------------
Before using or implementing this protocol, consider that it has not been audited
in any regard, neither in aspects of cryptographic security nor efficiency or any
other relevant criteria.
Should you plan on using the protocol for any application requiring a great deal
of safety and/or security, please have it audited first and inform the authors of
the results.