2015-11-15 Idea for simplifying authentication

What I do want from a login-service: authenticated users should return a public+private-key. I do not care about the login-provider, as long as I get a users pecific public+private key, as that is the thing I need for distributed untrusted apps.

The idea is to implement this as a separate service, that decouples getting a keypair from login-method and login-provider.

The service itself has two functionalities:

  1. Provide public/private key for authenticated users.
  2. Provide meta-data given a public key, ie. – reply whether public-key actually represent a verified user

The API from the application point of view is simple:

  • Redirect the user to the login-service website, and after the login, the user will be redirected back to the app, an api-key in the hash, that can be used to retrieve the public/private-key.
  • REST endpoint for getting the public/private-key given an api-key
  • REST endpoint for getting meta data given the public key

The difficult part is the plethora of login-providers and methods. The nice thing here is that the application itself does not have to know anything about those. Possible methods of login includes:

  • Unverified username/password
  • Verified email
  • Verified sms
  • Central authority / oauth etc.: github, linkedin, twitter, facebook, google, …
  • Local site, ie.: tinkuy, local wordpress, …
  • Actual key, etc.