[geeklog-devtalk] Distributed Authentication - TypeKey

mike at fuckingbrit.com mike at fuckingbrit.com
Wed Feb 2 05:41:58 EST 2005


Ok,

I've just now had a look at typekey.com's authentication service, with a view
to integrating it during my distributed authentication work. (Thought about
re-naming to remote authentication, but after reading typekey, they use the
same term...).

Typekey works a bit differently to authenticating via the existing
remote APIs I've looked at.

BloggerAPI allows me to fire an XML-RPC request to a remote service and get
the user authenticated from the server. As does LiveJournal API (and their
BloggerAPI support). Drupal's remote authentication also works the same way.

Indeed, the only way to authenticate remotely (damn, perhaps it should be
remote authentication, thoughts?) against these services is to send a
request from the server. I've looked at the CVS attic modules at drupal
(Where they have old authentication modules that no longer work with
their current hook system, their API/system is in such a flux state it must
be a nightmare to maintain a working site with drupal...) and they have
jabber authentication too, again, this is server to server.

Typekey is different, you can not authenticate server to server. It's much
more like Paypal or authorize.net services. You send some information in a
GET/POST to their server, they do some stuff, then send some information in a
GET to your server for you to validate what happened on their server and deal
with it.

So, for example, with authorize.net, I send a product id, prices, return url
etc. They extract payment from the user and then send the user back to the
return url I specified and include transaction information and status keys
from them based on my key to reassure me that Joe Hacker did indeed pay a
million dollars for access to my special eel porn members only section.

Typekey works in the same way, and is pretty restrictive. It can't be
implemented via the same harness I've set up for my code. It can't be
implemented in the same way these other server-to-server authentication
methods work at all in fact. Because it's not server-to-server, it's
redirection based.

Typekey authentication isn't suited to hooking into the users.php file in the
same place that the distributed/remote authentication fits. I hooked my code
into the bit of code that handles the form submit. What we need is a link to
"Login via TypeKey" on the login forms.

This is something I'm interested in working on, once the base core of the
remote authentication is done (since I started that first ;-)) There are some
issues though:

1) typekey.com returns "CGI Parameters" to the return URL. I'm assuming they
mean GET data and not POST data. Though it could be POST. The API doesn't
make it clear, but the way the "examples" are written on the page makes me
think GET. Which might mean we can't provide any querystring information
on the return url. Which means we can't use a special case in users.php
as the return, unless we do an additional check for the presence of the
typekey parameters in the default in the switch statement, which just
feels "Unclean"

2) typekey enabled applications need a typekey token. The typekey token has
to be tied to a url or "Set of urls". So, each geeklog webmaster would
have to apply for their own typekey token and tie it to the urls of any
sites they run.

3) Typekey.com hasn't launched yet. Well, it has. It's launched for MT 3.0
only. Yes, they have published the information, but you can't apply for
a token yet it seems.

I guess 2 isn't too big a deal, just a config:

$_CONF['enabletypekey'] = false; // set to true to enable support for typekey
$_CONF['typekeytoken'] = ''; // You must register for your own key at typekey.com

And do:

if ($_CONF['enabletypekey'] && !empty($_CONF['typekeytoken']))

But 3 is the killer. Shame really. Movable Type is up to 3.15 and still no
third party use of typekey. And, I never realised MT was so expensive. I
thought it was GPL. Guess it sucks more than I thought ;-)

Mike
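
The return leg of a redirection-based login as described in the message above, as an added example that is not part of the original post and is not Geeklog or TypeKey code. The post does not give TypeKey's parameter names or signature scheme, so the field names (user, ts, sig), the HMAC over a shared site key (in the style of the authorize.net "status keys" mentioned above) and the five-minute window are all assumptions.

```php
<?php
// Added example. Field names, the HMAC scheme and the key are assumptions
// made for illustration; they are not TypeKey's documented protocol.
const RETURN_FIELDS = ['user', 'ts', 'sig'];   // hypothetical return parameters
const MAX_AGE = 300;                           // seconds a return stays valid

// True when the request carries every return parameter. This is the
// "presence" check that would sit in the default branch of the mode switch.
function is_provider_return(array $get): bool
{
    foreach (RETURN_FIELDS as $f) {
        if (!isset($get[$f]) || !is_string($get[$f])) {
            return false;
        }
    }
    return true;
}

// Returns the authenticated user name, or null when the return is
// incomplete, altered in transit, or too old to accept.
function validate_return(array $get, string $siteKey, int $now): ?string
{
    if (!is_provider_return($get) || !ctype_digit($get['ts'])) {
        return null;
    }
    if (abs($now - (int) $get['ts']) > MAX_AGE) {
        return null;                           // stale link presented again
    }
    $expected = hash_hmac('sha256', $get['user'] . '::' . $get['ts'], $siteKey);
    // hash_equals compares in constant time, so timing leaks nothing.
    return hash_equals($expected, $get['sig']) ? $get['user'] : null;
}

// Constructed sample data: what the provider would append to the return URL.
$key  = 'constructed-demo-key';
$now  = 1107340918;
$good = ['user' => 'joe', 'ts' => (string) $now];
$good['sig'] = hash_hmac('sha256', 'joe::' . $now, $key);
$tampered = ['user' => 'admin'] + $good;       // user changed, old sig kept

var_dump(validate_return($good, $key, $now));               // valid return
var_dump(validate_return($tampered, $key, $now));           // altered field
var_dump(validate_return($good, $key, $now + 3600));        // stale timestamp
var_dump(validate_return(['mode' => 'login'], $key, $now)); // ordinary request
```

Only the first call yields a user name; the other three return null, so the switch's default branch can fall through to its normal handling.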
