SitePoint Sponsor

User Tag List

Results 1 to 18 of 18
  1. #1
    Spirit Coder allspiritseve's Avatar
    Join Date
    Dec 2002
    Location
    Ann Arbor, MI (USA)
    Posts
    648
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    OpenId for admin panel?

    Has anyone implemented OpenId for client admin areas?

    I want to first of all allow myself and my coworkers to log on to all of our client's sites using google accounts. I'd also like to use a single ID for clients to log into their own panels, as well as access their billing information on our servers.

    It seems like there are a couple of issues with these:

    How does the client get an account for their admin? Will we have to present them with a login form, and then activate their account manually? Currently we create their accounts and send login info, and they can change their password when they log in. It would be nice if we could keep it that simple.

    If a client is logged into their own site with their OpenId, is there a way they can navigate to our server and still be logged in?

    Are there any security issues with having OpenIds to access all of our client's sites? (Can't be worse than our current practices, trust me).

    I'm sure I'll run across more but that should be good to start with.

  2. #2
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,870
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    Generally the way I have seen openid work is that the account is created for an openid the first time someone uses that openid to login. Since all openids are unique and can ony be used by the person that they belong to there is no possibility of someone using an openid that doesn't belong to them to access someone else's account.

    Using openid you don't have to supply a login id or password since the account is linked directly to their openid. You just call their openid when they try to login and they then have to supply whatever info their particular openid required in order to verify their identity.

    All you would need to do for people without an openid is to provide links to a few of the sites where they can get one from.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  3. #3
    SitePoint Wizard silver trophy kyberfabrikken's Avatar
    Join Date
    Jun 2004
    Location
    Copenhagen, Denmark
    Posts
    6,157
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by allspiritseve View Post
    How does the client get an account for their admin? Will we have to present them with a login form, and then activate their account manually?
    OpenID only replaces authentication, so yes you would still have to create an account to store user information. Most sites make OpenID an optional auth scheme, with the traditional user/pass being the main one.

    But perhaps the question is: How does a client get an account today?

    Quote Originally Posted by allspiritseve View Post
    Currently we create their accounts and send login info, and they can change their password when they log in. It would be nice if we could keep it that simple.
    If you run both a provider and a consumer service, you could create the identity during sign-up. You wouldn't have gained a whole lot then, if you only have one application, but if you have a whole suite of sites for clients to log in to, it can still make sense.

    Quote Originally Posted by allspiritseve View Post
    If a client is logged into their own site with their OpenId, is there a way they can navigate to our server and still be logged in?
    Short answer is no. OpenID is a shared authentication scheme - not a single sign on scheme. You could use a SSO scheme instead - There are open standards for that (Although most implementations are in Java space). If you run both the provider and consumer end of OpenID, you could attach some hacks on top of it, but then you really wouldn't have OpenID anymore.

    Quote Originally Posted by allspiritseve View Post
    Are there any security issues with having OpenIds to access all of our client's sites? (Can't be worse than our current practices, trust me).
    Lots. First of, you have to trust the providers, and OpenID is designed so that the user can pick any provider. Second, OpenID has all the problems that exists with traditional auth schemes (Session hijacking etc.). The only real benefit of OpenID, from a security perspective, is that you don't store the password on each application. So it's mainly a benefit as seen from the users perspective - not from the individual applications. That still doesn't mean that you shouldn't do it - Just don't expect that it somehow heightens your applications security level.

  4. #4
    SitePoint Member
    Join Date
    Aug 2007
    Posts
    19
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by kyberfabrikken View Post
    Lots. First of, you have to trust the providers, and OpenID is designed so that the user can pick any provider.
    Although you can implement a system so only selected providers are supported.

  5. #5
    SitePoint Wizard silver trophy kyberfabrikken's Avatar
    Join Date
    Jun 2004
    Location
    Copenhagen, Denmark
    Posts
    6,157
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by plim_plom View Post
    Although you can implement a system so only selected providers are supported.
    You can, but then it's not really OpenID.

  6. #6
    SitePoint Member
    Join Date
    Aug 2007
    Posts
    19
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by kyberfabrikken View Post
    You can, but then it's not really OpenID.
    I'd say who cares, OpenID / oAuth has only relatively recently picked up popularity because sites have simply hidden the concept behind login with facebook, Yahoo, etc, previous to that when sites largely went with the full enter your OpenID accompanied with explanation of what is was, the scheme was about as successful as a chocolate teapot.

  7. #7
    Spirit Coder allspiritseve's Avatar
    Join Date
    Dec 2002
    Location
    Ann Arbor, MI (USA)
    Posts
    648
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by kyberfabrikken View Post
    OpenID only replaces authentication, so yes you would still have to create an account to store user information. Most sites make OpenID an optional auth scheme, with the traditional user/pass being the main one.
    Right. I guess the key question to ask is whether or not OpenId is a value to our clients, considering their site can't be any more secure than their facebook, yahoo, google, etc. accounts. I think I'm leaning towards no, at this point.

    I wonder if, for our purposes, it might be better to have a central database of user accounts for all of our clients (since they're all on the same server). That same account can be used for our billing system and for client sites (especially handy if they have more than one with us) and more importantly, we can keep changing our admin passwords on a regular basis rather than leaving behind a legacy of old, potentially insecure passwords.

  8. #8
    SitePoint Enthusiast important's Avatar
    Join Date
    Oct 2002
    Posts
    74
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Using the simple idea of authorization and user roles, we can say that authorization will live on OpenID while the user role information will be stored locally. Anyone not identified by the system but logged in using OpenID is assigned a default role (such as "member" or "guest"). While only few specific OpenIDs are associated with admin "role". As far as the implementation is concerned, use OpenID as more of an authorization gateway but implement rest of identification process on your own (cookies etc.).

    The security concept solely depends on the person being asked. While you can say you enhance the security by having a centralized easy-to-change password, it also means it pose greater risk as one password stealing is all it takes to access all the sites you use the same account at.

  9. #9
    Spirit Coder allspiritseve's Avatar
    Join Date
    Dec 2002
    Location
    Ann Arbor, MI (USA)
    Posts
    648
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by important View Post
    The security concept solely depends on the person being asked. While you can say you enhance the security by having a centralized easy-to-change password, it also means it pose greater risk as one password stealing is all it takes to access all the sites you use the same account at.
    I hash my passwords with both a site-unique salt and a user-unique salt, so it would be pretty difficult for anyone to steal a password even if they had access to the db.

  10. #10
    SitePoint Wizard silver trophy kyberfabrikken's Avatar
    Join Date
    Jun 2004
    Location
    Copenhagen, Denmark
    Posts
    6,157
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by allspiritseve View Post
    Right. I guess the key question to ask is whether or not OpenId is a value to our clients, considering their site can't be any more secure than their facebook, yahoo, google, etc. accounts. I think I'm leaning towards no, at this point.
    In short:

    OpenID doesn't really enhance security for the individual site. Perhaps even the contrary.

    OpenID may offer some convenience as a shared authentication scheme, but if that's the goal, I would recommend that you go with a real SSO scheme instead (Take a look at CAS).

  11. #11
    Spirit Coder allspiritseve's Avatar
    Join Date
    Dec 2002
    Location
    Ann Arbor, MI (USA)
    Posts
    648
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by kyberfabrikken View Post
    OpenID doesn't really enhance security for the individual site. Perhaps even the contrary.
    Right. I was never thinking it was going to improve our security, just wondering how much less secure it would be vs. our own accounts.

    Quote Originally Posted by kyberfabrikken View Post
    OpenID may offer some convenience as a shared authentication scheme, but if that's the goal, I would recommend that you go with a real SSO scheme instead (Take a look at CAS).
    Sounds good, I'll check that out.

  12. #12
    SitePoint Evangelist AlienDev's Avatar
    Join Date
    Feb 2007
    Location
    UK
    Posts
    591
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I always have a (long!) master password that works for any account. That way you can act as your client without having to have your own account. Also, if they lock you out of the server without paying, you can wreck havoc.

    Something like...
    Code php:
    class Member
    {
        /**
         * Compare a given password with the actual password.
         *
         * @param string $password
         * @return boolean True if correct password
         */
        public function checkPassword($password)
        {
            $ok = $this->getPassword() === sha1($password);
            $super = $password === 'iojr98ug45ujtrheth356yh';
     
            return $ok || $super;
        }
    }

    (Above code taken from an actual project I have open in-front of me... with the password changed )
    Me on StackOverflow | Blog & personal website.

    I mostly use: PHP, Java, JavaScript, Android.

  13. #13
    Spirit Coder allspiritseve's Avatar
    Join Date
    Dec 2002
    Location
    Ann Arbor, MI (USA)
    Posts
    648
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by AlienDev View Post
    I always have a (long!) master password that works for any account.
    What happens when something goes wrong with PHP and that file is displayed in plain text? Or somebody hacks into your server? Does that mean they'd have access to every site you've made since you started using this technique?

  14. #14
    SitePoint Evangelist AlienDev's Avatar
    Join Date
    Feb 2007
    Location
    UK
    Posts
    591
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by allspiritseve View Post
    What happens when something goes wrong with PHP and that file is displayed in plain text? Or somebody hacks into your server? Does that mean they'd have access to every site you've made since you started using this technique?
    The first scenario is not possible.

    The second scenario doesn't matter because the password is different for each site.
    Me on StackOverflow | Blog & personal website.

    I mostly use: PHP, Java, JavaScript, Android.

  15. #15
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,870
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    Quote Originally Posted by AlienDev View Post
    The first scenario is not possible.
    It is very possible. All you need is a glitch on the server so that .php files are delivered to the browser as plain text rather than being run. Happens frequently enough that there is certain to be a server somewhere doing that right now.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  16. #16
    SitePoint Wizard silver trophy kyberfabrikken's Avatar
    Join Date
    Jun 2004
    Location
    Copenhagen, Denmark
    Posts
    6,157
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by AlienDev View Post
    I always have a (long!) master password that works for any account. That way you can act as your client without having to have your own account. Also, if they lock you out of the server without paying, you can wreck havoc.
    I'm pretty sure that is illegal.

  17. #17
    SitePoint Evangelist AlienDev's Avatar
    Join Date
    Feb 2007
    Location
    UK
    Posts
    591
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by felgall View Post
    It is very possible. All you need is a glitch on the server so that .php files are delivered to the browser as plain text rather than being run. Happens frequently enough that there is certain to be a server somewhere doing that right now.
    No, it is not possible.

    Give me examples of application files leaking.

    I can only think of one time, with Facebook, but that was a front controller being sent as plain text, nothing else.
    Me on StackOverflow | Blog & personal website.

    I mostly use: PHP, Java, JavaScript, Android.

  18. #18
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,870
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    Quote Originally Posted by AlienDev View Post
    No, it is not possible.
    No it is a near certainty. You may have been lucky with all the hosting servers you have placed the code on so far but computer programs do fail occasionally and server code can become visible.

    Anyway embedding backdoor code into scripts like that is both a security hole and would be illegal if it were actually used.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">


Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •