Loomio
Thu 13 Dec 2012 6:31PM

Single Sign On

TS Tom Scott Public Seen by 114

DIASPORA has a solid foundation, in many ways, but has lacked on adoption in a serious way. I think this may be due to a single root cause.

Our network does not work like other services such as Facebook or Twitter. Due to the centralization of those servers, it is trivial for external applications and services to make API calls to retrieve public data. You make one API call for authentication, then another to manipulate or retrieve data, and they're always in the same place, at the same domain, and return the same thing. Due to our design, DIASPORA can not work like this. At this time, we are imposing developers to implement a way to do this in their own apps. This is none of our apps are consistent, and IMO why app developers typically "give up" on us.

What we need is a single domain to relay some of this authentication and routing data from a central location to the pod that the user chooses. I want to be able to go to one place, enter in my username/password, and be redirected to my pod, already logged in. To keep true to our philosophy, this application should just relaying information back and forth without saving any authentication data or even tracking who visits the page. Basically it takes in a username/password, parses out the username for its pod address, and routes to the POST /users action on that pod. This logs the user in and redirects them to the pod's user dashboard, where they are free to use the DIASPORA network just as if they logged into their pod directly. Passwords would be typed in here, but never actually saved, instead they are encrypted and sent securely over the wire to the pod server (designated by the "@poddomain.com" part of the username string). As the SSO app would also be a Rails app, we'd expose the RESTful API so applications can use this server to log in as any user to any pod (provided the correct credentials are given).

Ideally, I'd like http://joindiaspora.com to not be a reference implementation, but where we store the SSO server. So to log in or to make RESTful API calls for authentication, one would simply have to visit joindiaspora.com. This would also encourage community pod adoption and perhaps question whether we need the main reference pod at all. It was always my understanding that the eventual goal of the project was to have the community sustain it, leaving the reference implementation would no longer necessary.

Is this even possible?

TM

Taylor McLeod Thu 13 Dec 2012 6:43PM

I completely agree about everything you said. If Diaspora is to flourish, it must have single sign on capability. I also envision Diaspora becoming "the" way to sign in to accounts on other websites, much like Facebook is today. I think the centralized domain would work only if Diaspora builds itself as a super legitimate and non-evil Non-Profit internet service taking many cues from The Wikimedia foundation.

F

Flaburgan Thu 13 Dec 2012 6:46PM

This is exactly why I want to implement Persona on diaspora. See http://www.loomio.org/discussions/705

If your pod becomes your provider, it will be possible to be logged in every pods. So the other pods can redirect you to yours.

I don't have time to explain right now, but you can read https://developer.mozilla.org/en-US/docs/Persona and if you have time to work on this with me, it will be a real pleasure.

This is the solution you are looking for.

EG

Erwan Guyader Thu 13 Dec 2012 6:53PM

I was about to say the same thing as Flaburgan.

Each pod should be an Identity Provider using the browserID protocol and then applications could provide a Signing in using Persona with possibility to fetch data from Diaspora if the user provides a Diaspora account as her identity.

JH

Jonne Haß Thu 13 Dec 2012 11:08PM

I said it already and I'll say it again: Decentralized SSO is a solved problem: http://en.wikipedia.org/wiki/OpenID

TS

Tom Scott Mon 17 Dec 2012 5:55PM

@jonnehaß, I'm all for using an open standard, in fact I'd prefer we use the tried-and-true OpenID if we can use it. Persona is another good suggestion but if OpenID fits our needs, I'd go with that since it's more "battle-tested" from being around so long and having a presence in the wild.

One concern I have with this SSO method is privacy. I don't want a central server knowing about what authentication data passes through it. Do either of these services allow us to simply pass the authentication data onward to whatever pod needs to receive it? This is somewhat of a dealbreaker, in order to maintain our privacy policy we need to ensure that the pods, and only the pods, receive authentication data, that way if this server is somehow compromised it won't be endemic to our entire network.

So, I take it we're favoring this SSO concept, but implemented with 1 of 2 solutions: Mozilla Persona or OpenID. Let's hear the pros and cons of each, by those who have researched them.

DS

Daniel Siders Mon 17 Dec 2012 6:36PM

One of the Tent architects here-- wanted to mention this proposal: http://www.loomio.org/discussions/1522. If Diaspora adopted Tent as a backend, (decentralized) single sign-in is part of the package. We're also working with the Mozilla Persona team to make sure Tent takes advantage of sites that offer Person signin.

F

Flaburgan Mon 17 Dec 2012 10:30PM

Do either of these services allow us to simply pass the authentication data onward to whatever pod needs to receive it?

By turning the pods in a Persona provider, we won't depend of anything.

TM

Taylor McLeod Wed 19 Dec 2012 3:49AM

I don't know to much about tent but now it seems the complexity of this conversation has just jumped. Assuming both Tent and Persona are real options that maintain the privacy policy, then the outcome of the decision would affect whether or not we want to support a major overhaul of the backend. Keep in mind that using Tent was voted down on that discussion link. I feel like we need a onetime big and structured (yet open) visioning process that sets some major priorities for all to see. Sure would make a ton of decisions easier.

TS

Tom Scott Wed 26 Dec 2012 4:35PM

@taylormcleod sorry about that. Christmas and my aunt passing away helped me to ignore this Loomio for a minute.

@danielsiders don't get me wrong, I've been hacking on Tent for days now. :) But it doesn't really solve our problem. As I said in that Loomio, I'd like to talk with you guys on diaspora-dev or something so we can actually bang out the specifics of a possible partnership between the DIASPORA project and Tent, because ever since I first learned of tent.io I've wanted to work with you guys, since I feel we really have some of the same goals. In many ways, I feel that if Tent and DIASPORA joined forces, it would actually get a lot of non-hackers into Tent, because simply by joining a DIASPORA Pod they now have access to the whole Tent network.

Aaaaanyway, I don't think Tent is an SSO solution because you still need to know which pod to talk to. This is sort-of on a larger scale, you go to logintodiaspora.com and it REDIRECTS you to your home pod, wherever that may be. It's for APIs and possibly OAuth-like authentication techniques to easily access the network without having to know what pod you're from all the time. In my opinion, apps and clients of DIASPORA shouldn't need to know that i'm from s.psychedeli.ca but I'm talking to you on diasp.eu...

TS

Tom Scott Wed 26 Dec 2012 4:36PM

@flaburgan that didn't answer my question at all.

Load More