RelMeAuth: Difference between revisions
(outline simple steps, open source implementations)
GRegorLove (talk | contribs) m (s/<source>/<syntaxhighlight>/)
(32 intermediate revisions by 7 users not shown)
Latest revision as of 21:36, 26 July 2023
RelMeAuth is a proposed open standard for using rel-me links to profiles on OAuth supporting services to authenticate via either those profiles or your own site.
RelMeAuth is the technology behind web-sign-in.
Editor: Tantek Çelik (http://tantek.com/)
support RelMeAuth
users
See web-sign-in
Here's a more technical explanation:
Use rel="me" on your personal site, and enter your personal site as your web address on sites with web-sign-in (RelMeAuth).
Steps:
1. Add rel="me" links to your other profiles.
Add rel="me" to links from your home page to your various profiles on other services.
2. Edit your other profiles to link back to your site.
Edit your other profiles and set their "home page" or "personal site" or "URL" field to your personal site.
Here's a list of profile sites that have URL fields and support rel-me.
3. There is no step 3. You're done.
Now on any site that uses (Web sign-in) / RelMeAuth login (e.g. try the RelMeAuth prototype at http://tantek.com/relmeauth/), simply enter your personal site URL, and that site's RelMeAuth code will sign you in by authenticating you with one of the social profiles that you've linked to (e.g. Twitter).
examples in the wild
simple home page
Tantek's home page http://tantek.com/ has (simplified markup)
<ul>
<li><a rel="me" href="http://twitter.com/t">Twitter: @t</a></li>
<li><a rel="me" href="http://identi.ca/t">identi.ca: t</a></li>
</ul>
users with separate contact pages
But what if I prefer to have a separate contact or about page with my links to other profiles?
If you prefer a simpler home page and have it link to a separate contact page that links to your other profiles, then
- add rel="me" to the link from your home page to your contact page
- add rel="me" to links from your contact page to those other profiles
more examples in the wild
separate contact page
Jeremy Keith's home page http://adactio.com/ has (simplified markup)
<ul>
<li><a rel="me" href="/journal/">Journal</a></li>
<li><a rel="me" href="/contact/">Contact</a></li>
</ul>
and then also:
http://adactio.com/journal/ has (simplified markup)
<ul>
<li><a rel="me" href="http://huffduffer.com/adactio/">Huffduffer</a></li>
<li><a rel="me" href="http://twitter.com/adactio/">Twitter</a></li>
<li><a rel="me" href="http://adactio.tumblr.com/">Tumblr</a></li>
<li><a rel="me" href="http://www.last.fm/user/adactio/">Last.fm</a></li>
<li><a rel="me" href="http://www.dopplr.com/traveller/adactio/public">Dopplr</a></li>
<li><a rel="me" href="http://www.vimeo.com/user196031">Vimeo</a></li>
<li><a rel="me" href="http://ffffound.com/home/adactio/found/">Ffffound</a></li>
<li><a rel="me" href="http://readernaut.com/adactio">Readernaut</a></li>
<li><a rel="me" href="http://97bottles.com/people/adactio/">97 Bottles</a></li>
</ul>
authentication preference
If you have a specific preference for what service(s) to authenticate with, just make sure that you list links to your profiles on those other services in preference order (on your home page or contact page as described above).
profile sites
Do you run a site with profiles?
Any social network site or similar site that has user profile pages should:
- provide a user interface for a user to enter and publicly publish a URL back to their home page
- publish a visible link with rel="me" from user's profile page to their personal home page
Most sites already do this.
authentication sites
Do you run a site with user profiles that you want to let your users use to login to other sites?
In addition to supporting rel-me as described above:
Any site that wants to allow users to login with their credentials from that site on 3rd party sites should:
- Support OAuth (2.0 even)
- Follow Twitter's conventions for:
- endpoint paths and other protocol details
- mimic Twitter's user interface for authentication flow (on both desktop and mobile - they've done a great job)
RelMeAuth providers
Sites that support both rel-me and are also OAuth providers:
- Twitter (Twitter OAuth Examples)
- Google Profiles (Google OAuth documentation)
- Identi.ca (uses the same endpoint paths/details as Twitter)
- Github (Github OAuth 2 documentation)
- ...
sites needing a user login
Do you have a site and want to let users login with their own identity?
Any site that wants to let users login with their own identity should:
- provide a user interface for users to enter or choose their preferred online identity (e.g. their own URL)
- perform RelMeAuth authentication as described below
how it works
summary algorithm
Summary of the RelMeAuth authentication algorithm
- input: a user identity (URL) to authenticate
- output: success, canceled authentication, or no authenticatable URLs found
- start with a user identity URL (e.g. from the UI, or from a cookie from a previous login, etc.)
- iterate through the outbound rel-me links on the user identity URL (and any local rel-me subpages if necessary); for each rel-me link:
  - if the rel-me destination is up (HTTP GET succeeded, following any redirects), and it links back to the user identity URL with rel-me, and it has an OAuth endpoint, then do OAuth authentication
    - if authentication succeeded, the user has been authenticated with the user identity URL; exit
    - if it was rejected, the user canceled, so cancel the entire authentication process; exit
  - otherwise continue with the next rel-me link, if any
- no authenticatable URLs found (either none at all, or every one had some other error: 404, no response, no OAuth endpoint, other OAuth error); report that and exit
detailed algorithm
- input: a user identity (URL) to authenticate
- output: success, canceled authentication, or no authenticatable URLs found
- start with a user identity URL (e.g. from the UI, or from a cookie from a previous login, etc.)
  - if the identity URL is not user-owned (i.e. it is at a known silo domain), then
    - the implementation should not accept it, and await user correction of the URL
    - the implementation may accept 1-2 silo domains for testing or demonstration purposes
- if the URL is an IndieAuth provider, then try authenticating with it (the user's own site is preferred for auth)
  - if it succeeds, exit
  - if canceled, exit
  - otherwise continue
- iterate through the outbound rel-me links on the user identity URL: first the direct rel-me links to external sites, in order; then the rel-me links deeper into the personal site, in order (e.g. to a contacts page), iterating through the rel-me links from each such page to external sites, in order; then the next breadth-first local rel-me page from the identity URL, if necessary. For each rel-me link:
  - if the rel-me destination is up (HTTP GET succeeded, following any redirects), and it links back to the user identity URL with rel-me (this reciprocal link is what stops someone from claiming a profile they do not control), and it has an OAuth endpoint, then do OAuth authentication
    - if authentication succeeded, the user has been authenticated with the user identity URL; exit
    - if it was rejected, the user canceled, so cancel the entire authentication process; exit
  - otherwise continue with the next rel-me link, if any
- no authenticatable URLs found (either none at all, or every one had some other error: 404, no response, no OAuth endpoint, other OAuth error); report that and exit
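The discovery half of the summary and detailed algorithms above, as an added example written for this page rather than code from the wiki or any of the listed libraries. It runs offline over a constructed set of pages: fetch is any callable returning (final_url, html) after redirects, or None for a URL that is down; the OAUTH_PROVIDERS whitelist, the silo list and the page contents are assumptions; and the OAuth exchange itself is left to the caller, which receives the candidate profiles in the user's preference order and tries them in turn.

```python
# Added example: an offline pass over the RelMeAuth discovery algorithm above.
# Not code from the microformats wiki or any of the listed libraries. The
# provider whitelist, the silo list and the page contents are assumptions;
# the OAuth exchange itself is left to the caller.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Assumed whitelist (host -> OAuth endpoint). The wiki's issues list names a
# whitelist as one way to find a provider's endpoint; verify these values
# against each provider's own documentation before relying on them.
OAUTH_PROVIDERS = {
    "twitter.com": "https://api.twitter.com/oauth/authenticate",
    "github.com": "https://github.com/login/oauth/authorize",
}
SILO_DOMAINS = set(OAUTH_PROVIDERS)  # a profile at a provider is not a user-owned identity URL


class RelMeParser(HTMLParser):
    """Collect absolute href targets of <a>/<link> elements whose rel contains 'me'."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        attr = dict(attrs)
        rel = (attr.get("rel") or "").lower().split()
        if "me" in rel and attr.get("href"):
            self.links.append(urljoin(self.base_url, attr["href"]))


def normalize(url):
    """Canonical form for comparing link targets: lower-case scheme and host,
    '/' for an empty path, fragment dropped. The scheme is kept, so http and
    https versions of a site are different identities here."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def rel_me_links(fetch, url):
    """fetch(url) returns (final_url, html) after redirects, or None if the URL
    is down. Returns (final_url, [normalized rel=me targets]) or (None, [])."""
    got = fetch(url)
    if got is None:
        return None, []
    final_url, html = got
    parser = RelMeParser(final_url)
    parser.feed(html)
    return final_url, [normalize(u) for u in parser.links]


def discover(fetch, identity_url, max_local_pages=5):
    """Walk the identity URL and its local rel=me pages breadth-first and return
    [(profile_url, oauth_endpoint), ...] for every whitelisted profile that
    links back to the identity URL, in the user's preference order. The caller
    tries OAuth against each in turn and stops on success or cancel."""
    identity = normalize(identity_url)
    host = urlsplit(identity).hostname
    if host in SILO_DOMAINS:
        raise ValueError(f"identity URL must be user-owned, not at a silo: {host}")
    candidates, seen, queue = [], set(), [identity]
    while queue and len(seen) < max_local_pages:
        page = queue.pop(0)
        if page in seen:
            continue
        seen.add(page)
        final_url, links = rel_me_links(fetch, page)
        if final_url is None:
            continue  # local page down: move on to the next one
        for link in links:
            link_host = urlsplit(link).hostname
            if link_host == host:
                queue.append(link)  # deeper into the personal site, tried after the externals
                continue
            endpoint = OAUTH_PROVIDERS.get(link_host)
            if endpoint is None:
                continue  # whitelist first: never fetch arbitrary URLs found on a page
            profile_url, back_links = rel_me_links(fetch, link)
            if profile_url is not None and identity in back_links:
                candidates.append((link, endpoint))  # up, links back, has an endpoint
    return candidates


# Constructed offline pages (assumed content, not real sites): url -> (final_url, html).
PAGES = {
    "https://alice.example/": ("https://alice.example/",
        '<a rel="me" href="https://twitter.com/alice">Twitter</a>'
        '<a rel="me" href="/contact/">Contact</a>'),
    "https://alice.example/contact/": ("https://alice.example/contact/",
        '<a rel="me" href="https://github.com/alice">GitHub</a>'
        '<a rel="me" href="https://mastodon.example/@alice">Mastodon</a>'),
    # Links home but without rel="me": rejected even though the host is whitelisted.
    "https://twitter.com/alice": ("https://twitter.com/alice",
        '<a href="https://alice.example/">alice.example</a>'),
    "https://github.com/alice": ("https://github.com/alice",
        '<a rel="me" href="https://alice.example">alice.example</a>'),
}


def fake_fetch(url):
    return PAGES.get(url)  # None models 404 / no response


if __name__ == "__main__":
    print(discover(fake_fetch, "https://alice.example/"))
```

Checking the provider whitelist before fetching a rel-me target keeps the server from being made to fetch arbitrary URLs named on a stranger's page, and max_local_pages bounds the breadth-first walk into the personal site for the same reason. The back-link comparison is exact after normalization, so a profile that links to http://alice.example/ does not satisfy an identity entered as https://alice.example/; that is the situation the Error Cases section below takes up.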
Error Cases
Document things which can go wrong during the relmeauth process along with real world examples and what message should be shown to the end user to help them fix it.
Let rel-me-url be the URL given by the user.
The rel-me-url redirect chain includes a redirect where the scheme changes
- Example: http://brennannovak.com redirects to https://brennannovak.com
- Why is this a problem? … explain vulnerabilities for both directions here
- What message should be presented to the user? Two cases:
- If the insecure redirect only changed the scheme (as in the above example), tell them that they need to enter the https:// version of the URL
- Otherwise, let them know there was an insecure redirect, as well as what it was. Bonus: explain how MITM attacks work and why they’re dangerous
A reverse rel-me link’s redirect chain includes a redirect where the scheme changes
- Example: …
- Why is this a problem? …
- What message should be presented to the user?
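The two scheme-change cases above, as an added example written for this page rather than code from the wiki or any listed implementation. classify_redirect_chain takes the list of URLs visited while following redirects from the rel-me-url, or from a reverse rel-me link, and returns which case applies together with a user-facing message; the chains and the message wording are constructed assumptions. The wiki's own example, http://brennannovak.com redirecting to https://brennannovak.com, is the upgrade-only case. Any other plain-http hop, including an https:// to http:// downgrade, is reported as an insecure hop, because content fetched over that hop could have been rewritten on the network, and with it the rel-me links the rest of the algorithm trusts.

```python
# Added example: classify a redirect chain for the RelMeAuth error cases above.
# Not code from the microformats wiki or any listed implementation; the chains
# and the message wording are constructed assumptions.
from urllib.parse import urlsplit


def classify_redirect_chain(chain):
    """chain: URLs in the order they were visited, starting with the URL the
    user entered (or the reverse rel-me link) and ending at the final URL.
    Returns (verdict, message) with verdict one of 'ok', 'upgrade-only',
    'insecure-hop'. Only 'ok' should lead on to rel-me discovery and OAuth."""
    if not chain:
        raise ValueError("chain must contain at least the starting URL")
    parts = [urlsplit(u) for u in chain]
    insecure_hops = [u for u, p in zip(chain, parts) if p.scheme != "https"]
    if not insecure_hops:
        return "ok", "All hops used https."
    # Case 1: the only plain-http hop is the URL the user typed, and the very
    # next hop is the same host, path and query over https. Nothing but a
    # redirect was fetched over http, so ask the user to enter the https:// form.
    if (insecure_hops == [chain[0]] and len(chain) > 1
            and parts[1].scheme == "https"
            and (parts[0].netloc, parts[0].path, parts[0].query)
            == (parts[1].netloc, parts[1].path, parts[1].query)):
        return "upgrade-only", (
            "Your site redirects to its https:// version. Please enter "
            f"{chain[1]} so that the first request is not made over plain http."
        )
    # Case 2: any other plain-http hop, including an https:// -> http://
    # downgrade. A page fetched over that hop could have been rewritten on the
    # network, so the rel-me links found at the end of the chain cannot be
    # trusted; name the insecure hop(s) so the user can fix the redirect.
    return "insecure-hop", (
        "Insecure redirect: " + " -> ".join(chain)
        + " passes through plain http at " + ", ".join(insecure_hops)
        + ". Sign-in was not attempted; fix the redirect to stay on https://."
    )


if __name__ == "__main__":
    # Constructed chains: the first is the wiki's example, the rest are assumptions.
    for chain in (
        ["http://brennannovak.com", "https://brennannovak.com"],
        ["https://brennannovak.com"],
        ["https://alice.example/", "http://alice.example/"],
        ["http://alice.example/", "http://www.alice.example/", "https://www.alice.example/"],
    ):
        print(classify_redirect_chain(chain))
```

Run the same function over the chain recorded while fetching each reverse rel-me link: a profile whose back-link to the identity URL passes through a plain-http hop should be treated the same way, since the verification of that back-link is only as trustworthy as the transport it was fetched over.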
open source implementations
There are a couple of open source libraries that sites can use to implement RelMeAuth so their users can login using their own identities.
Go
- https://github.com/hawx/relme-auth
- Live demo site: https://auth.hawx.me/
Node.js
- https://www.npmjs.com/package/relmeauth
- https://github.com/superfeedr/node-relmeauth
Python
- Python RelMeAuth by Paul Tarjan and Jeff Lindsay
PHP
- PHP RelMeAuth by Matt Harris and Tantek Çelik
- Live demo sites:
- http://tantek.com/relmeauth/
- http://apps.themattharris.com/relmeauth/ (2022-09-15: site appears to be dead)
Ruby
- IndieAuth.com (deprecated) by Aaron Parecki contains Ruby code for performing RelMeAuth authentication
- To Do: Separate Ruby gem for Ruby implementation of RelMeAuth
to do
- update web-sign-in with some screenshots of auth screens (e.g. Twitter's OAuth flow with auth/read-only request, no write perms), or a picture of a lock or something.
- create an Architecture Diagram for RelMeAuth per Mozilla Security Blog: Speeding Up Security Reviews
- create a Detailed Application Diagram for RelMeAuth per the same[1].
- write-up Data flow enumeration per the same[2].
- write-up a Threat Analysis per the same[3].
- resolve and close issues (see below).
issues
If this gets too long, we can move it to relmeauth-issues. As issues are resolved/closed, please move them to relmeauth-issues-resolved/relmeauth-issues-closed respectively.
- How do you find the OAuth endpoint for any given user profile site/service? -Tantek
- Use OAuth 2.0 discovery mechanism if supported
- Use a whitelist of provider site to OAuth endpoint
- Try the Twitter OAuth endpoint paths on other sites to see if they work - assuming that many OAuth providers will simply mimic Twitter's example as suggested.
- This discovery by convention technique will work for example on:
  - http://identi.ca/
- How do you get an appID to use with any given site's OAuth? -Tantek
- This appears to still be a manual process, per site, and thus a legitimate limitation of RelMeAuth in comparison to say OpenID.
- Some services are supporting appkey/secret pair anonymous/anonymous for mobile/desktop apps already. Unsure how popular this is Singpolyma 13:51, 23 April 2010 (UTC)
- OAuth is for authorization, and as such gives the site I'm ident asserting to access to my account on the id service. This is very bad. Suggested solution: use OpenID instead. Singpolyma 13:51, 23 April 2010 (UTC)
- OAuth actually suggests granularity in access rather than blanket access (OAuth IETF draft, see Sec 4.8):
  "When implementing this protocol, servers should consider the types of access resource owners may wish to grant clients, and should provide mechanisms to do so. Servers should also take care to ensure that resource owners understand the access they are granting, as well as any risks that may be involved."
  Thus for RelMeAuth purposes, the RelMeAuth "consumer"/library should ask merely for "authentication" rather than read, write, update, or delete access. One exception is the "share" scenario, where a site lets a user RelMeAuth login via another site (e.g. Twitter), and then provides a UI for the user to share from that site to Twitter - in that case request auth/read/write access granularity makes sense. Tantek 22:46, 26 April 2010 (UTC)
- After authing with OAuth, how do you know what user it is that auth'd? OAuth specifically does not tell you that information... Singpolyma 13:54, 23 April 2010 (UTC)
- Twitter provides user information via the OAuth token and their API, it is recommended that other OAuth providers follow this API convention while OAuth is evolved to provide to capability. Tantek 22:46, 26 April 2010 (UTC)
history
On 2010-02-01 Tantek introduced the basis for and Jeff Lindsay suggested the name for RelMeAuth.
In a follow-up Tantek suggested the following simple protocol for RelMeAuth:
RelMeAuth works for any #OAuth + rel-me site, and enables auto-fallback with use of alternate identities for authentication:
- user enters their site URL
- iterate through their outbound rel-me links
- if
  - a rel-me destination is up, and
  - rel-me links back to user's site, and
  - has OAuth endpoint,
  then do OAuth authentication.
Thus user links to their RelMeAuth profiles in preference order, and authentication code tries them in order. e.g. Twitter, Identi.ca, ... etc.
Later that evening Tantek, Jeff Lindsay, Paul Tarjan and others discussed RelMeAuth at the microformats dinner in Mountain View and afterwards Jeff and Paul implemented RelMeAuth in an open source Python library at Hacker Dojo and discussed/tested it in IRC.
http://krijnhoetmer.nl/irc-logs/microformats/20100203
Less than 24 hours from concept to open source implementation.
articles posts comments
- 2010-03-03 Blaine Cook comment
- 2010-02-16 Tantek Çelik comment re: user interface
- 2010-02-06 Aaron Parecki wiki page
vendor specific sign in
The following vendor specific sign-in methods have succeeded and are in far greater use than previous efforts at user-centric URL identity (e.g. OpenID).
- Sign in with Twitter
- 2009-04-16 Introducing ‘Sign-in with Twitter’, OAuth-Style “Connect”
- Sign in with Twitter developer home page
- Sign in with Twitter Resources (more/latest buttons)
- Connect with Facebook
- ...
See articles comparing/contrasting them:
- 2009-04-18 Facebook Connect vs. Sign in with Twitter: Fight! (http://mashable.com/2009/04/18/twitter-facebook-connect/)
User-facing web-sign-in functionality (including the "( Web sign-in )" button graphic) must be at least as simple, easy, and trustworthy as these vendor-specific sign-in methods.