Currently working with a potential partner whose tech barrier to entry is steep.
We want to incorporate a cross-site sign-on, but SSO/OAuth may be a bit of a chunk to tackle.
Any suggestions on token passing/handshakes that are secure and lightweight? We don't need the seamless integration like OAuth, where they just hit one site and are logged in; having a tokenized URL that takes them to that other site is fine.
Kind of like in the old days where you'd hit the remote site with a key/value – they'd confirm you and return 1/0 … of course, this has potential for man-in-the-middle attacks.
Any thoughts?
How about doing what OpenID is doing?
First of all, the service provider and identity provider share a secret key (http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange). This is server-to-server communication.
Then authentication: username, password, blah blah blah, filled in as usual.
Then the identity provider sends an HTTP redirect (the user can see what is happening) to the service provider with all the necessary information (user's identity, timestamp, etc.) + a message authentication code (composed of all that necessary information and the secret key exchanged via the Diffie-Hellman exchange). See http://en.wikipedia.org/wiki/Message_authentication_code for message authentication codes.
Then the service provider verifies that MAC (since the service provider knows the secret key), to ensure the HTTP request truly comes from the identity provider's redirect.
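A worked version of the redirect-plus-MAC handshake described in the answer above, added here as an illustration and not code from the poster: the identity provider builds the redirect URL carrying the user's identity and a timestamp, signs those fields with an HMAC-SHA256 over the shared key, and the service provider recomputes the MAC before trusting the identity. The shared secret, the `MAX_AGE_SECONDS` window and the nonce replay check are assumptions added for the example (the answer mentions a timestamp but not a nonce); the URL and user name are constructed sample values.

```python
import hmac
import hashlib
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed demo key. In practice this is the secret both servers agreed on
# server-to-server (e.g. via the Diffie-Hellman exchange the answer mentions).
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"

# Assumed freshness window: a signed redirect older than this is rejected,
# which limits how long a captured URL stays usable.
MAX_AGE_SECONDS = 300


def _canonical(params):
    """Serialize the signed fields in a fixed order so both sides MAC identical bytes.

    Percent-encoding the values keeps the concatenation unambiguous even if a
    value contains '&' or '='.
    """
    return urlencode(sorted(params.items())).encode()


def build_redirect(sp_base_url, user_id, secret=SHARED_SECRET, now=None, nonce=None):
    """Identity-provider side: build the URL the browser is redirected to."""
    params = {
        "user": user_id,
        "ts": str(int(now if now is not None else time.time())),
        # Random nonce so the service provider can detect a replayed URL.
        "nonce": nonce or secrets.token_urlsafe(16),
    }
    params["mac"] = hmac.new(secret, _canonical(params), hashlib.sha256).hexdigest()
    return f"{sp_base_url}?{urlencode(params)}"


def verify_redirect(url, secret=SHARED_SECRET, now=None, seen_nonces=None):
    """Service-provider side: return the asserted user id if the MAC, age and
    nonce all check out, otherwise None."""
    qs = parse_qs(urlparse(url).query)
    try:
        params = {k: qs[k][0] for k in ("user", "ts", "nonce")}
        presented_mac = qs["mac"][0]
    except KeyError:
        return None  # missing field: do not accept

    # Recompute the MAC over the received fields and compare in constant time.
    expected = hmac.new(secret, _canonical(params), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presented_mac):
        return None

    # Only after the MAC is verified are the fields trusted enough to interpret.
    try:
        ts = int(params["ts"])
    except ValueError:
        return None
    current = now if now is not None else time.time()
    if abs(current - ts) > MAX_AGE_SECONDS:
        return None

    # Optional replay protection: remember nonces seen within the freshness window.
    if seen_nonces is not None:
        if params["nonce"] in seen_nonces:
            return None
        seen_nonces.add(params["nonce"])

    return params["user"]


if __name__ == "__main__":
    url = build_redirect("https://sp.example/sso", "alice")
    print(url)
    print(verify_redirect(url))  # alice
```

The service provider must verify the MAC before acting on any field, and the redirect itself only authenticates the identity provider as the origin of the URL; it does not protect the URL from being read in transit, so the redirect still has to travel over TLS.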