PushAll Auth - user authentication and feedback

What do we use email for? Most often, we use Email to register and log in to various sites, as well as to keep in touch with these sites - they can send you information about your account, notifications and so on. However, with such registration, you will give the sites your permanent Email, to which they will be able to write at any opportunity, and the reply may not always help. Your mailbox can go to third parties and get spam mailing lists. Antispam is good - but to a reasonable limit.

We have long been positioning our service as a replacement for Email. And now we come to the ability to log into third-party sites using PushAll ID.
Previously, we already had the opportunity to specify a Callback URL to get an ID, but it was impossible to re-enter.

From the main features of the entrance through PushAll can be identified:
')

1. Anonymity. If you log in to PushAll via Google account without Google+ or via Email, then the third-party site will only know your ID .
2. Controlled feedback. You can unsubscribe from the channel at any time, it will no longer be able to disturb you. As long as you are subscribed, you will receive instant notifications.

We implemented the “Open” button after the subscription and an alternative OAuth login model. Also at the end of the article we will tell about a new microservice that we made for Host-Tracker.com

Why do we need such authentication?

At least it is useful for microservices. Previously, it was necessary to do authorization through social networks, in order to somehow define the user to save the microservice settings. Now it turns out 2 in one - microservice can send notifications, and PushAll implements the definition of a user for storing settings or performing some other mechanics.

You can add this login method to other social networks and immediately get access to send notifications to all devices connected by the user. As an example, this can be a quick entry for writing comments on the site. Here you immediately give some kind of identification - that this particular user writes a comment, and you can also notify about the response to this comment. In addition, if this is your blog, you can send notifications about new articles (just warn the user about this in the channel description). Due to this, you can significantly increase your audience for push-notifications.

We adhere to the general idea of ​​isolation, when the user can immediately refuse to use your site. On the one hand, this is a minus - you will not be able to send a farewell letter to the user, but on the other hand, users will be more likely to log in, because they know that no personal data will be transmitted.

When logging in via PushAll, the user will already expect the mechanics that are familiar to him: he logged in, got access to the site and the features available only to registered users, closed the tab - I'm sure that a notification will come. Authorization of the user through PushAll assumes that you will send event notifications.

I personally, very often encountered cases when I was waiting for a letter from the site with notifications, but in fact they simply did not exist, because the site did not implement them. Or the cases when one notification message arrives in 10 minutes - and everything else is truncated. At the same time, some alert tape is often implemented inside the site to bypass these moments. When using authorization with push notifications, we take all these functions on ourselves.

How to use it?

You need to specify your Callback URL and choose whether you need to use an approach with getting an ID using a protocol similar to OAuth.



The whole mechanics of work is as follows:

1. You place the link of your channel on your site, for example pushall.ru/adminvk or a link with quick entry - pushall.ru/sign.php?subid=1586
2. The user goes through it and subscribes to the channel
3. In a new window, your site opens, to which data is transmitted for user authentication.

If a user is not yet registered in PushAll, he can log in through a Google account and then also go to your website. Or register by mail and go through the mail and also will end up on your website.

He can also click - Open at any time and a transition will be made using the authentication link.

There are 2 user verification approaches

Current approach without additional request

You will get GET parameters:

pushalluserid = ID & time = UNIXTIME & sign = SIGNATURE
pushalluserid - user ID

To verify the signature, use md5 (key.pushalluserid.time.ipAddress).

• ipAddress: IP user
• key - the key of your channel.
• time is the time since the beginning of the UNIX era.

You can determine the level of trust yourself by time - the more time passes the less trust

Of the shortcomings of this method, albeit unlikely, it is possible to fake this request. It may not even be generated by us, but somewhere on the side just knowing your key (if you suddenly indicated it somewhere)

New approach similar to OAuth

We tried to convey the "spirit of OAuth" leaving most of the field names and the answer unchanged. You will receive a code that will need to be sent via the API to get the user ID.
pushall.ru/api.php?type=oauth&code= CODE & client_id = Canal_ID & client_secret = Canal_KEY
You can also send the usual id and key - the script understands both.

JSON will be returned to you - {"access_token": "1"}
Where 1 is the user ID.

CODE lives only 5 minutes, you need to have time to transfer it during this time. It is a one-time - that is, to get it again ID will not work. For good, you should specify an intermediate page in the Callback URL, which will process the CODE and authenticate the user by the received ID, and then go to the site itself.

Using the link pushall.ru/sign.php?subid=ID_KANAL you can authenticate the user in one click, if he is already subscribed to your channel.

About authentication and authorization

In fact, through PushAll Auth you can authenticate the user to determine exactly who it is, but also using the ID as a token, you get the opportunity to perform requests to the API in the PushAll system, that is, you receive authorization in PushAll with a limited set of features - sending Push notifications.

What it looks like

There are no large examples of use yet, but we can cite as an example the microservice we recently created for Host-Tracker.com


Submits task name, status, downtime and downtime start time. When you click - throws on the page analytics task. It took less than 1 hour.


To use, you only need to subscribe to the channel, enter the URL and save.


Or, for example, you can take AdminVK there a similar scheme, the “Open” button goes to the microservice settings


These examples are made using the internal authorization PushAll, but nothing prevents the use of the transmitted data for authentication and operation of these services.
For example, there are third - party IT questionnaire and MySeries in both uses third-party authentication, and the services ultimately use only push notifications via PushAll.

Functional at the stage of testing and improvements, suggestions and feedback are welcome.