March 18th, 2005

mah skull

Distributed Authentication on LJ


I've been working on revising the distributed authentication system for Drupal, and I would like to apply some of the features to livejournal. Drupal currently has a livejournal auth module, but I don't like the design for one primary reason: it requires LJ users to enter their passwords on my server. That requires a level of trust that will greatly hinder the use of my site. Besides, I don't want the responsibility of securing LJ users' passwords from theft.

I don't know if there is any interest from LJ developers in supporting securely authenticated access by third-party sites, and I would understand if this suggestion was rejected. However, I have personal interest in this considering the bulk of my online friends have livejournal accounts ;)

Here's the basic proposal for an authentication scheme:

user: remote, I want to login, and I'm an LJ user. My LJ username is poisonkitty

remote: user, OK, then, I know of, redirect to

user: LJ, it's me, and I want to grant LJ [post|edit|comment|whatever] access to remote site and my password is ....

LJ: user, wait a bit

LJ: remote, user is fine [message signature, session cookie]

LJ: user, redirect to remote/whatever

user: remote, show me whatever and [post|edit|comment|whatever] to LJ on my behalf while LJ session is valid

This has been reworded for livejournal, but hopefully, you get the point. My goal as a web developer is to develop online tools that act on behalf of the user without having intimate knowledge of their security credentials. I believe the above authentication process addresses all of the basic needs of this approach.

This feature would open up many opportunities for external interaction. In the past, when the notion of posting content on behalf of LJ users was presented, the primary conflict had to do with divulging LJ passwords, and I think that would no longer be necessary with this approach.

Thanks for your time.

data loss?

since this might be the most read area for the more technical minded of lj, it seems that a db cluster has experienced data loss. this begs several questions.

one, was the data loss permanent? if so, what happened?

two, what mechanisms are in place to support restoration and at what interval are those milestones kept?

if there is a more appropriate place for this, feel free to redirect.