Authorization via Habr
I'd like to Habr had the ability to authorize users on third-party services.
/ > the
First, abrowser will receive an additional service authorization, the worse they do not become, on the contrary — more freedom of choice.
Secondly, some abrowser design services, the target audience which is Habr, for example, the notorious image hosting habreffect.ru, various monitors of karma rating, etc. Needless to say, that for such services arises hebrewchristian.
Thirdly, with this authorization, the developer can make restrictions, such as not to allow users with karma < -100, which is sometimes meaningful.
the
The scheme described below is very simple and familiar to anyone who has ever integrated your website with services like Loginzy.
1) a third-Party website sends a request to a specific API-url Habra, passing the username of abrowser-owner of the site (the public key), url forwarding, and the signature generated on the basis of abrowser password (private key). Thus, to send such a request may be the only one who knows login and the password of abrowser.
2) the response will contain a token. It has a short life span (5-10 minutes), they can use 1 time. Based on the token link is generated for authorization.
3) a Visitor clicks a link on a special page Habra, where enters his username and password then it redirect to the address which was specified during initialization of the token. At the same site in the query string are passed capalogin the visitor and the signature received the above (signed by the owner password of the application). If the signature is correct, then the query is correct and can authenticate the visitor based on their login. Here you can request a karma and a rating of the newly made user and execute some conditions.
Would you like to login Habr?
UPD
the
Since I was on Habre, I have automatic public key (username) and secret key (password). Suppose they are respectively equal to "igrishaev" and "pass123". Now I want to make the entrance to your service through Habr. The procedure is as follows:
1) Send a request to habrahabr.ru/api/auth/get_token, give the parameters:
login=igrishaev
url=http://mysite.EN/habra_auth
signature=md5(login + url + md5 ('pass123'))
2) In response to receiving the token, for example, "334-dfas9fdas30sdf". The authorization link on habré will habrahabr.ru/api/auth?token=334-dfas9fdas30sdf
3) Clicking on this link, the visitor sumkin enters their username and password. Note that he puts them on the page of Habra, therefore I in no way can not get.
4) Habr sumkin redirects the user to my website at the link mysite.ru/habra_auth, in the query string parameters:
login=sumkin
name=Fedor
lastname=Sumkin
signature=md5(login + md5 ('pass123'))
5) I check the validity of the signatures (it was my password), and if everything is in order, authenticiy user as sumkin.
All.
Article based on information from habrahabr.ru
/ > the
Why?
First, abrowser will receive an additional service authorization, the worse they do not become, on the contrary — more freedom of choice.
Secondly, some abrowser design services, the target audience which is Habr, for example, the notorious image hosting habreffect.ru, various monitors of karma rating, etc. Needless to say, that for such services arises hebrewchristian.
Thirdly, with this authorization, the developer can make restrictions, such as not to allow users with karma < -100, which is sometimes meaningful.
the
How?
The scheme described below is very simple and familiar to anyone who has ever integrated your website with services like Loginzy.
1) a third-Party website sends a request to a specific API-url Habra, passing the username of abrowser-owner of the site (the public key), url forwarding, and the signature generated on the basis of abrowser password (private key). Thus, to send such a request may be the only one who knows login and the password of abrowser.
2) the response will contain a token. It has a short life span (5-10 minutes), they can use 1 time. Based on the token link is generated for authorization.
3) a Visitor clicks a link on a special page Habra, where enters his username and password then it redirect to the address which was specified during initialization of the token. At the same site in the query string are passed capalogin the visitor and the signature received the above (signed by the owner password of the application). If the signature is correct, then the query is correct and can authenticate the visitor based on their login. Here you can request a karma and a rating of the newly made user and execute some conditions.
Would you like to login Habr?
UPD
the
Example
Since I was on Habre, I have automatic public key (username) and secret key (password). Suppose they are respectively equal to "igrishaev" and "pass123". Now I want to make the entrance to your service through Habr. The procedure is as follows:
1) Send a request to habrahabr.ru/api/auth/get_token, give the parameters:
login=igrishaev
url=http://mysite.EN/habra_auth
signature=md5(login + url + md5 ('pass123'))
2) In response to receiving the token, for example, "334-dfas9fdas30sdf". The authorization link on habré will habrahabr.ru/api/auth?token=334-dfas9fdas30sdf
3) Clicking on this link, the visitor sumkin enters their username and password. Note that he puts them on the page of Habra, therefore I in no way can not get.
4) Habr sumkin redirects the user to my website at the link mysite.ru/habra_auth, in the query string parameters:
login=sumkin
name=Fedor
lastname=Sumkin
signature=md5(login + md5 ('pass123'))
5) I check the validity of the signatures (it was my password), and if everything is in order, authenticiy user as sumkin.
All.
Комментарии
Отправить комментарий