Loomio
Thu 13 Dec 2012 6:31PM

Single Sign On

Tom Scott

DIASPORA has a solid foundation, in many ways, but has lacked adoption in a serious way. I think this may be due to a single root cause.

Our network does not work like other services such as Facebook or Twitter. Due to the centralization of those servers, it is trivial for external applications and services to make API calls to retrieve public data. You make one API call for authentication, then another to manipulate or retrieve data, and they're always in the same place, at the same domain, and return the same thing. Due to our design, DIASPORA cannot work like this. At this time, we are imposing on developers to implement a way to do this in their own apps. This is why none of our apps are consistent, and IMO why app developers typically "give up" on us.

What we need is a single domain to relay some of this authentication and routing data from a central location to the pod that the user chooses. I want to be able to go to one place, enter my username/password, and be redirected to my pod, already logged in. To keep true to our philosophy, this application should just relay information back and forth without saving any authentication data or even tracking who visits the page. Basically it takes in a username/password, parses out the username for its pod address, and routes to the POST /users action on that pod. This logs the user in and redirects them to the pod's user dashboard, where they are free to use the DIASPORA network just as if they had logged into their pod directly. Passwords would be typed in here, but never actually saved; instead they are encrypted and sent securely over the wire to the pod server (designated by the "@poddomain.com" part of the username string). As the SSO app would also be a Rails app, we'd expose the RESTful API so applications can use this server to log in as any user to any pod (provided the correct credentials are given).

Ideally, I'd like http://joindiaspora.com to not be a reference implementation, but where we store the SSO server. So to log in or to make RESTful API calls for authentication, one would simply have to visit joindiaspora.com. This would also encourage community pod adoption and perhaps raise the question of whether we need the main reference pod at all. It was always my understanding that the eventual goal of the project was to have the community sustain it, so that the reference implementation would no longer be necessary.

Is this even possible?
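The routing step of the relay proposed above, written out as an added example that is not part of this thread or of the Diaspora project. It parses a "user@poddomain" handle into the local user name and the pod domain, then builds the HTTPS target for the pod's `POST /users` action. The pod part of the handle becomes a network destination chosen by whoever typed it, so the parser accepts only a plain hostname and rejects anything carrying a path, port, fragment or second `@`; that is the check that keeps the relay from being steered at an arbitrary host or leaking the forwarded password to a plain-http URL. The `/users` path and the handle format are taken from the post; the form field names are assumptions.

```ruby
require 'uri'

# Added example (not Diaspora project code): the parse-and-route step of the
# proposed SSO relay. Nothing here stores or logs the password; the relay only
# decides where the browser's credentials are forwarded.
module PodRouter
  # A handle is <local user>@<hostname>. The hostname grammar is deliberately
  # strict (labels of letters, digits and hyphens, at least one dot) so that
  # '/', ':', '#', '?' or a second '@' can never reach the URL builder.
  LABEL  = /[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?/i
  HANDLE = /\A(?<user>[a-z0-9_.-]+)@(?<pod>#{LABEL}(?:\.#{LABEL})+)\z/i

  class InvalidHandle < StandardError; end

  # Returns { user:, pod: } with both parts lower-cased, or raises InvalidHandle.
  def self.parse_handle(handle)
    m = HANDLE.match(handle.to_s.strip)
    raise InvalidHandle, 'expected user@poddomain' unless m
    { user: m[:user].downcase, pod: m[:pod].downcase }
  end

  # The pod's login endpoint ("POST /users" in the proposal, assumed here).
  # Only an https URL is ever produced, so the relayed password is never sent
  # in the clear even if the pod also answers on plain http.
  def self.login_url(handle)
    URI::HTTPS.build(host: parse_handle(handle)[:pod], path: '/users').to_s
  end

  # What the relay would send on, and where the browser lands afterwards.
  # The form field names are an assumption for this example. The returned
  # hash is the only place the credential exists on the relay side.
  def self.relay(handle, password)
    parts = parse_handle(handle)
    {
      url: login_url(handle),
      form: { 'user[username]' => parts[:user], 'user[password]' => password },
      redirect_to: "https://#{parts[:pod]}/"
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: one valid handle and a few that a relay must refuse.
  puts PodRouter.login_url('Tom@Pod.Example')
  ['tom@pod.example/../admin', 'tom@pod.example:8080', 'tom@evil.example@pod.example',
   'tom@localhost'].each do |h|
    begin
      PodRouter.parse_handle(h)
      puts "accepted #{h} (unexpected)"
    rescue PodRouter::InvalidHandle => e
      puts "rejected #{h}: #{e.message}"
    end
  end
end
```

Because the relay sees the raw password, the strict parser and the https-only target are the minimum a deployer would want; the design still concentrates every user's credential on one host, which is the trade-off the rest of the thread weighs against Persona-style identity assertions.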

Tom Scott Fri 4 Jan 2013 3:37PM

@flaburgan I'm just saying the current system requires passwords. Not like we can't change that, but perhaps it's a big pain in the ass? I actually don't know for certain.

@seanmcarthur First of all, thanks for joining us on Loomio! Second, thank you for making Persona because it's a REALLY cool idea. Glad to know your native libraries are under way, and in the meantime we can leverage a UIWebView to handle oauth-style authentication with the app(s). Looking more into Persona, it seems we can use this under the right circumstances. Do people need to "log in" every time they open the DIASPORA app? So in other words, is it okay for apps to store a single email so people can just open the app and log in?

Other than that, it seems like Persona functions very similar to OAuth, except it's decentralized. Awesome! :)

Sean McArthur Sat 5 Jan 2013 12:23AM

@tomscott I don't understand your question clearly. They need to log in each time the session says it's too old. That's up to each website.

Are you hoping to use Persona to log into your own Diaspora account, or to use your Diaspora identity as the thing you log in with everywhere else on the Internet?

From the conversations I've seen regarding Tent.io, their goal was to have your Tent (/Diaspora, assuming you guys build on top of each other) identity be the way you log into other websites. So, when The Verge asks you to login, the Persona dialog asks for your identity, and you enter/select your Diaspora email, and your Diaspora server tells The Verge "yes, this is Tom, and here's proof."
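The exchange described in the last paragraph, as an added example that is not part of this thread and not Persona's or Diaspora's own code: the user's pod (the identity provider) signs an assertion saying "this is tom@pod.example, for this relying party, valid until this time", and the relying party verifies the signature with the pod's public key and checks that the assertion was minted for it and has not expired. The audience check is what stops an assertion issued for one site being replayed at another, and the expiry bounds how long a captured assertion stays useful. The claim names, the RSA/SHA-256 choice, the five-minute lifetime and the `payload.signature` framing are assumptions for this example, not the Persona wire format.

```ruby
require 'openssl'
require 'json'

# Added example (not Persona or Diaspora code): a minimal signed identity
# assertion between a pod (issuer) and a relying party (verifier).
module IdentityAssertion
  DIGEST = 'SHA256'

  # Strict base64 helpers via pack/unpack so no extra gem is needed.
  def self.b64(bytes) = [bytes].pack('m0')
  def self.unb64(text) = text.unpack1('m0')   # raises ArgumentError on bad input

  # Issuer (the pod): sign the claims with its private key. 'aud' binds the
  # assertion to one relying party; 'exp' gives it a short lifetime.
  def self.issue(private_key, email:, audience:, now: Time.now.to_i, ttl: 300)
    claims = { 'email' => email, 'aud' => audience, 'iat' => now, 'exp' => now + ttl }
    payload = b64(JSON.generate(claims))
    signature = private_key.sign(OpenSSL::Digest.new(DIGEST), payload)
    "#{payload}.#{b64(signature)}"
  end

  # Verifier (the relying party): returns the asserted email on success, nil on
  # any failure. Order matters: the signature is checked before the claims are
  # parsed, so nothing from an unauthenticated payload influences the outcome.
  def self.verify(public_key, assertion, expected_audience:, now: Time.now.to_i)
    payload, signature = assertion.to_s.split('.', 2)
    return nil if payload.nil? || signature.nil?
    return nil unless public_key.verify(OpenSSL::Digest.new(DIGEST), unb64(signature), payload)
    claims = JSON.parse(unb64(payload))
    return nil unless claims['aud'] == expected_audience
    return nil unless claims['exp'].is_a?(Integer) && now < claims['exp']
    claims['email']
  rescue ArgumentError, JSON::ParserError, OpenSSL::PKey::PKeyError
    nil
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed scenario: one pod key pair, one login at a relying party.
  pod_key   = OpenSSL::PKey::RSA.new(2048)
  site      = 'https://theverge.example'
  assertion = IdentityAssertion.issue(pod_key, email: 'tom@pod.example', audience: site)
  puts "verified as: #{IdentityAssertion.verify(pod_key.public_key, assertion, expected_audience: site).inspect}"
  puts "replayed elsewhere: #{IdentityAssertion.verify(pod_key.public_key, assertion, expected_audience: 'https://other.example').inspect}"
end
```

In a real deployment the relying party would fetch the pod's public key over HTTPS from the domain in the asserted email rather than holding it in memory, which is the step that lets any pod vouch for its own users without a central server.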