Cross-domain authentication using identity.kde.org

Ben Cooksley bcooksley at kde.org
Sun Apr 27 10:35:05 UTC 2014


On Sun, Apr 27, 2014 at 10:32 PM, Alexander Potashev
<aspotashev at gmail.com> wrote:
> 2014-04-25 15:11 GMT+04:00 Ben Cooksley <bcooksley at kde.org>:
>>> I'm going to create a new KDE-related web service to coordinate
>>> translators into Russian. To minimize the number of web accounts
>>> people have I would like to avoid storing passwords on my server.
>>> Instead, it sounds promising to use authentication through
>>> identity.kde.org, like you did at forum.kde.org.
>>>
>>> I need advice on how to implement this. Thanks!
>>
>> At the moment this is conducted using standard LDAP login procedures.
>>
>> There are plans at some point to shift to a custom, secure login
>> protocol which would allow performing SSO - and ensure that only
>> Identity was responsible for taking usernames / passwords and
>> validating them.
>>
>> If you need any other details, please let me know.
>
> Hi Ben,

Hi Alexander,

>
> Does the usage of LDAP login mean that the web application behind
> forum.kde.org receives my login and password? This sounds insecure: if

Yes, the web applications for all sites that use KDE Identity
authentication temporarily receive your username and password.
They use it to verify your credentials and then discard them
immediately afterward - the username and password themselves are only
stored on Identity itself.

> someone hacks forum.kde.org, he could get all the passwords of people
> who log in to the forum. And what if someone uses two-factor
> authentication at identity.kde.org - can they log in to the forum with
> just the primary password?

Yes, only the primary password is needed.

This is one of the huge reasons why the new approach is necessary - a
lack of time means there simply isn't time to build it at the moment
though.

>
> --
> Alexander Potashev

Thanks,
Ben
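As an added illustration (not code from this thread or from KDE's infrastructure), the two designs Ben contrasts: an application that takes the plaintext password and checks it against the directory itself, versus an application that only verifies a signed assertion from Identity, so credentials and any second factor stay with Identity. The directory contents, the HMAC-SHA256 signing and the JSON assertion layout are constructed assumptions for the example.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed stand-in for the Identity directory: username -> salted SHA-256.
_SALT = b"constructed-salt"
_DIRECTORY = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}

# Current scheme: each application (forum.kde.org etc.) takes the plaintext
# password from its login form and tries an LDAP-style bind with it.  The
# password sits in this process's memory, so a compromised application could
# record it before discarding it, and the second factor that only Identity
# knows about is never consulted.
def ldap_bind_login(username: str, password: str) -> bool:
    stored = _DIRECTORY.get(username)
    if stored is None:
        return False
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(stored, digest)

# SSO direction described in the thread: only Identity sees the credentials
# (and can enforce 2FA); the application receives a short-lived assertion that
# Identity signed and verifies the signature instead of the password.
# Assumption: HMAC-SHA256 over a JSON body, using a key shared with Identity.
_IDP_KEY = b"constructed-shared-key-with-identity"

def idp_issue_assertion(username: str, ttl: int = 300, now: Optional[int] = None) -> str:
    issued = now if now is not None else int(time.time())
    body = json.dumps({"sub": username, "exp": issued + ttl})
    sig = hmac.new(_IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body.encode()).decode() + "." + sig

def sso_login(assertion: str, now: Optional[int] = None) -> Optional[str]:
    """Return the authenticated username, or None if the assertion is bad."""
    try:
        b64, sig = assertion.split(".", 1)
        body = base64.urlsafe_b64decode(b64.encode())
    except ValueError:
        return None  # malformed assertion
    expected = hmac.new(_IDP_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # forged or tampered assertion
    claims = json.loads(body)
    current = now if now is not None else int(time.time())
    if claims["exp"] <= current:
        return None  # expired
    return claims["sub"]
```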

