Distributed Authentication on LJ
[Mar. 18th, 2005|07:31 pm]
I've been working on revising the distributed authentication system for Drupal, and I would like to apply some of the features to livejournal. Drupal currently has a livejournal auth module, but I don't like the design for one primary reason: it requires LJ users to enter their passwords on my server. That requires a level of trust that will greatly hinder the use of my site. Besides, I don't want the responsibility of securing LJ users' passwords from theft.
I don't know if there is any interest from LJ developers in supporting securely authenticated access by third-party sites, and I would understand if this suggestion was rejected. However, I have a personal interest in this, considering the bulk of my online friends have LiveJournal accounts ;)
Here's the basic proposal for an authentication scheme:
user: remote, I want to log in, and I'm an LJ user. My LJ username is poisonkitty
remote: user, OK, then, I know of livejournal.com, redirect to http://livejournal.com/remote/login/url
user: LJ, it's me, and I want to grant LJ [post|edit|comment|whatever] access to remote site and my password is ....
LJ: user, wait a bit
LJ: remote, user is fine [message signature, session cookie]
LJ: user, redirect to remote/whatever
user: remote, show me whatever and [post|edit|comment|whatever] to LJ on my behalf while LJ session is valid
This has been reworded for livejournal, but hopefully, you get the point. My goal as a web developer is to develop online tools that act on behalf of the user without having intimate knowledge of their security credentials. I believe the above authentication process addresses all of the basic needs of this approach.
This feature would open up many opportunities for external interaction. In the past, when the notion of posting content on behalf of LJ users was presented, the primary conflict had to do with divulging LJ passwords, and I think that would no longer be necessary with this approach.
Thanks for your time.
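
The "LJ: remote, user is fine [message signature, session cookie]" step from the exchange above, as an added example that is not part of the original post and is not LiveJournal or Drupal code. It assumes an HMAC over a per-site shared secret as the signature, plus a nonce issued by the remote site and an expiry time; the function names and token layout are hypothetical.

```python
import base64, hashlib, hmac, json, secrets, time

# Assumption: LJ and the remote site agreed on this secret out of band.
SITE_SECRET = b"constructed-demo-secret"  # constructed sample value

def _b64(data):
    return base64.urlsafe_b64encode(data).decode()

def lj_sign_assertion(user, scopes, nonce, secret, ttl=300, now=None):
    """LJ side: after the user authenticated at LJ, sign 'user is fine'."""
    now = int(time.time()) if now is None else now
    body = json.dumps({"user": user, "scopes": sorted(scopes),
                       "nonce": nonce, "exp": now + ttl},
                      sort_keys=True).encode()
    sig = hmac.new(secret, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)

def remote_verify_assertion(token, expected_nonce, secret, now=None):
    """Remote side: return the signed claims, or None if anything fails."""
    now = int(time.time()) if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:  # wrong shape or bad base64
        return None
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time compare
        return None
    claims = json.loads(body)  # parsed only after the signature checks out
    if claims["exp"] < now:
        return None  # assertion too old to accept
    if not hmac.compare_digest(claims["nonce"], expected_nonce):
        return None  # not the login this site started (replayed or swapped)
    return claims

if __name__ == "__main__":
    # remote: issues a nonce, stores it in the visitor's session, redirects to LJ
    nonce = secrets.token_urlsafe(16)
    # LJ: the password is entered at LJ only; the remote site never sees it
    token = lj_sign_assertion("poisonkitty", ["post", "comment"], nonce, SITE_SECRET)
    # remote: checks signature, expiry and nonce before acting for the user
    claims = remote_verify_assertion(token, nonce, SITE_SECRET)
    print(claims["user"], claims["scopes"])
```

The remote site should act only on the scopes carried in the verified claims, and discard the nonce after one successful verification.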