Mark (poisonkitty) wrote in lj_dev,

Distributed Authentication on LJ


I've been working on revising the distributed authentication system for Drupal, and I would like to apply some of the features to livejournal. Drupal currently has a livejournal auth module, but I don't like the design for one primary reason: it requires LJ users to enter their passwords on my server. That requires a level of trust that will greatly hinder the use of my site. Besides, I don't want the responsibility of securing LJ users' passwords from theft.

I don't know if there is any interest from LJ developers in supporting securely authenticated access by third-party sites, and I would understand if this suggestion was rejected. However, I have personal interest in this considering the bulk of my online friends have livejournal accounts ;)

Here's the basic proposal for an authentication scheme:

user: remote, I want to login, and I'm an LJ user. My LJ username is poisonkitty

remote: user, OK, then, I know of, redirect to

user: LJ, it's me, and I want to grant LJ [post|edit|comment|whatever] access to remote site and my password is ....

LJ: user, wait a bit

LJ: remote, user is fine [message signature, session cookie]

LJ: user, redirect to remote/whatever

user: remote, show me whatever and [post|edit|comment|whatever] to LJ on my behalf while LJ session is valid

This has been reworded for livejournal, but hopefully, you get the point. My goal as a web developer is to develop online tools that act on behalf of the user without having intimate knowledge of their security credentials. I believe the above authentication process addresses all of the basic needs of this approach.

This feature would open up many opportunities for external interaction. In the past, when the notion of posting content on behalf of LJ users was presented, the primary conflict had to do with divulging LJ passwords, and I think that would no longer be necessary with this approach.

Thanks for your time.

  • Post a new comment


    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded