Authorization through Habr

I would like Habr to be able to authenticate users for third-party services.

What for?

First, Habr users would get one more way to sign in. They lose nothing by it; on the contrary, they gain freedom of choice.

Secondly, some Habr users build services whose target audience is Habr itself, for example the well-known image hosting habreffect.ru, all kinds of karma and rating monitors, and so on. Authorization through Habr is a natural fit for such services.
Thirdly, with such authorization the developer can impose restrictions, for example refusing users whose karma is below -100, which, you will agree, sometimes makes sense.

How?

The scheme described below is very simple and will be familiar to anyone who has integrated a site with a service like Loginza at least once.

1) The third-party site sends a request to a special Habr API URL, passing the login of the Habr user who owns the site (the public key), the redirect URL, and a signature derived from that user's password (the private key). Thus only someone who knows a Habr user's login and password can send such a request.

2) A token is returned in response. It has a short lifetime (5-10 minutes) and can be used only once. The authorization link is built from this token.

3) The visitor follows the link to a special Habr page, enters his login and password there, and is then redirected to the address that was specified when the token was requested. The query string of that redirect carries the visitor's Habr login and a signature computed as described above (signed with the application owner's password). If the signature is correct, the request is genuine and you can authorize the visitor by his login. At this point you can also look up the karma and rating of the user who has just signed in and enforce whatever conditions you like.

Would you like to have authorization through Habr?

UPD

Example

Since I am registered on Habr, I automatically have a public key (my login) and a private key (my password). Suppose they are "igrishaev" and "pass123" respectively. Now I want to let people sign in to my service through Habr. The procedure is as follows:

1) I send a request to habrahabr.ru/api/auth/get_token, passing the parameters:
login = igrishaev
url = http://mysite.ru/habra_auth
signature = md5(login + url + md5("pass123"))

2) In response I get a token, for example "334-dfas9fdas30sdf". The authorization link on Habr will then be habrahabr.ru/api/auth?token=334-dfas9fdas30sdf

3) A visitor, sumkin, follows this link and enters his login and password. Note that he enters them on the Habr page, so there is no way for me to obtain them.

4) Habr redirects the user sumkin to my site at mysite.ru/habra_auth with the following query string parameters:
login = sumkin
name = Fedor
lastname = Sumkin
signature = md5(login + md5("pass123"))

5) I check that the signature is valid (it is signed with my password), and if everything is in order, I authenticate the user as sumkin.
That's all.
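To make the proposed scheme concrete, here is an added example (my own code, not part of the original post and not a real Habr API) that models both sides of the flow described in the "How?" section and the worked example above: the site owner signs the token request and verifies the callback with exactly the md5 formulas the post gives, and a toy in-memory "Habr" server checks the request signature against the stored password hash, issues a single-use token with a 5-minute lifetime, checks the visitor's password, and builds the signed redirect. The endpoint paths, the second user "sumkin" with password "hobbit", and the injectable clock are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed sample values from the post. The endpoints habrahabr.ru/api/auth/get_token
# and habrahabr.ru/api/auth are the post's proposal, not a real Habr API.
OWNER_LOGIN = "igrishaev"
OWNER_PASSWORD = "pass123"
REDIRECT_URL = "http://mysite.ru/habra_auth"
TOKEN_TTL_SECONDS = 5 * 60  # the post's "short lifetime (5-10 minutes)"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# ---- site owner side: step 1 (sign the token request) and step 5 (verify callback) ----

def token_request_signature(login: str, url: str, password: str) -> str:
    # Post's formula: signature = md5(login + url + md5(password))
    return md5_hex(login + url + md5_hex(password))


def build_token_request(login: str, url: str, password: str) -> dict:
    return {"login": login, "url": url,
            "signature": token_request_signature(login, url, password)}


def verify_callback(query_string: str, owner_password: str):
    """Check the redirect's signature; return the visitor login, or None if it fails."""
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    login, sig = params.get("login"), params.get("signature")
    if not login or not sig:
        return None
    expected = md5_hex(login + md5_hex(owner_password))  # post's step 4 formula
    # constant-time comparison (my addition; the post does not specify how to compare)
    if not hmac.compare_digest(expected, sig):
        return None
    return login


# ---- "Habr" side: steps 2-4, a toy in-memory model ----

class HabrAuthServer:
    def __init__(self, password_hashes: dict, now=time.time):
        # login -> md5(password). The server only needs the hash to verify signatures.
        self.password_hashes = password_hashes
        self.tokens = {}  # token -> (owner_login, redirect_url, expires_at)
        self.now = now  # injectable clock so expiry can be exercised offline

    def get_token(self, params: dict):
        """Step 2: verify the owner's signature and issue a short-lived, single-use token."""
        login, url, sig = params.get("login"), params.get("url"), params.get("signature")
        pw_hash = self.password_hashes.get(login)
        if pw_hash is None or not url or not sig:
            return None
        if not hmac.compare_digest(md5_hex(login + url + pw_hash), sig):
            return None
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (login, url, self.now() + TOKEN_TTL_SECONDS)
        return token

    def auth_link(self, token: str) -> str:
        return "habrahabr.ru/api/auth?" + urlencode({"token": token})

    def login_visitor(self, token, visitor_login, visitor_password, name, lastname):
        """Steps 3-4: consume the token once, check the visitor's password, build the redirect."""
        entry = self.tokens.pop(token, None)  # pop() makes the token single-use
        if entry is None:
            return None
        owner_login, url, expires_at = entry
        if self.now() > expires_at:
            return None
        stored = self.password_hashes.get(visitor_login)
        if stored is None or not hmac.compare_digest(stored, md5_hex(visitor_password)):
            return None
        sig = md5_hex(visitor_login + self.password_hashes[owner_login])
        return url + "?" + urlencode({"login": visitor_login, "name": name,
                                      "lastname": lastname, "signature": sig})


if __name__ == "__main__":
    server = HabrAuthServer({OWNER_LOGIN: md5_hex(OWNER_PASSWORD), "sumkin": md5_hex("hobbit")})
    token = server.get_token(build_token_request(OWNER_LOGIN, REDIRECT_URL, OWNER_PASSWORD))
    print("auth link:", server.auth_link(token))
    redirect = server.login_visitor(token, "sumkin", "hobbit", "Fedor", "Sumkin")
    print("redirect:", redirect)
    print("authenticated as:", verify_callback(redirect.split("?", 1)[1], OWNER_PASSWORD))
```

Two design observations follow from implementing the post's formulas as written. The token request signature covers the redirect URL, so a forged request cannot redirect the visitor elsewhere, and the server verifies it from the stored md5(password) without ever seeing the plaintext. The callback signature, however, covers only the visitor's login, so the same value is produced on every sign-in of the same visitor and nothing ties the redirect to the token that started it; a practitioner deploying this would sign the token (or a timestamp) together with the login, and today would use a keyed MAC such as HMAC rather than md5 over a concatenation. Both are suggestions beyond what the post specifies.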

Source: https://habr.com/ru/post/127358/