User authentication approaches

Michael Lazar lazar.michael22 at gmail.com
Thu Nov 19 19:04:50 GMT 2020


On Thu, Nov 19, 2020 at 1:11 PM <colecmac at protonmail.com> wrote:
>
> > The only example I know of is gemini://astrobotany.mozz.us/ which uses
> > a user certificate for authentication and it works pretty nicely.
>
> Astrobotany also supports setting a password to change certs if needed, which
> I think is pretty relevant here. Not really sure how it works though, maybe
> Mozz can chime in.

Here's how astrobotany is currently doing authentication.

You create a self-signed certificate and make a request to astrobotany. The
server detects that the cert is unrecognized, and asks you if you are a new
user or an existing user.

If you are a new user, you are prompted to enter a unique username. This name
used to be pulled directly from the subject CN of the certificate, but that
led to some unfortunate UX issues with duplicate users so I changed it to be
separate instead. At this point, your certificate is registered and you can
access the application. Any future requests to the server with that certificate
will automatically log you in. Everything past this point is strictly optional.

Once logged in, you can open the astrobotany settings page where you can define
a secret password. The password allows you to attach additional certificates to
the same user account.

Going back to step one, if you are an existing user and you provide an
unrecognized certificate, the server will prompt you to enter your username and
password from above. If verified, the new cert will be attached to your account.

You can repeat this process as many times as you want to add new certificates.
All of the certificates can be viewed and deleted from the settings inside of
the application (with the exception that the currently active cert can't be
deleted, to prevent lockout).

My personal astrobotany user currently has two certificates; one on my laptop
that I use with av-98 and one on my phone that I use with Petr Vernigorov's iOS
gemini client (which is an awesome client that doesn't get enough praise). I
like this method because otherwise there would be no way to copy an existing
certificate into the iOS client.

There was one time when somebody lost their astrobotany cert so they sent me an
email. I was able to reset their password for them so they could generate and
upload a new certificate. This was very straightforward and a lot easier than
it would have been to pass certificates back and forth via email.

- Michael
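The flow Michael describes (cert fingerprint as the account key, a separate unique username, a password that gates attaching further certificates, and a lockout guard on deleting the active cert) modelled as a small server-side account store. This is an added example written for this page, not astrobotany's own code or the author's implementation; an in-memory store, SHA-256 of the DER certificate as the fingerprint, scrypt for the password hash, and the constructed certificate bytes are all assumptions of the example.

```python
"""Certificate-first authentication with password-gated certificate linking.

Added example modelling the flow described in the post. In-memory storage,
SHA-256-of-DER fingerprints and scrypt password hashing are assumptions of
this example, not astrobotany's code.
"""
import hashlib
import hmac
import os


class AuthError(Exception):
    """Raised for any rejected registration, login or certificate change."""


def cert_fingerprint(cert_der: bytes) -> str:
    """Key a certificate by the SHA-256 of its DER bytes.

    The subject CN is chosen by the client and is not unique, so it must never
    be the account key; the hash of the whole certificate is stable and unique.
    """
    return hashlib.sha256(cert_der).hexdigest()


def _hash_password(password: str, salt: bytes) -> bytes:
    # Memory-hard KDF so a leaked password table is slow to brute-force.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1,
                          maxmem=64 * 1024 * 1024)


class CertAuth:
    def __init__(self):
        self.users = {}   # username -> {"certs": set(fingerprints), "salt", "hash"}
        self.by_fp = {}   # fingerprint -> username

    def lookup(self, cert_der: bytes):
        """Step 1: a registered cert logs its user in; None means 'unrecognised'."""
        return self.by_fp.get(cert_fingerprint(cert_der))

    def register_new_user(self, cert_der: bytes, username: str) -> None:
        """Unrecognised cert + 'new user': bind it to a fresh, unique username."""
        fp = cert_fingerprint(cert_der)
        if fp in self.by_fp:
            raise AuthError("certificate is already registered")
        username = username.strip()
        if not username or username in self.users:
            raise AuthError("username is empty or already taken")
        self.users[username] = {"certs": {fp}, "salt": None, "hash": None}
        self.by_fp[fp] = username

    def set_password(self, cert_der: bytes, password: str) -> None:
        """Settings page: only a logged-in cert may set the linking password."""
        username = self.lookup(cert_der)
        if username is None:
            raise AuthError("not logged in")
        salt = os.urandom(16)
        self.users[username].update(salt=salt, hash=_hash_password(password, salt))

    def attach_certificate(self, cert_der: bytes, username: str, password: str) -> None:
        """Unrecognised cert + 'existing user': check username/password, then link."""
        fp = cert_fingerprint(cert_der)
        if fp in self.by_fp:
            raise AuthError("certificate is already registered")
        user = self.users.get(username)
        # Always run the KDF and a constant-time compare, so an unknown user or an
        # account with no password set is not distinguishable by response time.
        salt = user["salt"] if user and user["salt"] else os.urandom(16)
        stored = user["hash"] if user and user["hash"] else b"\x00" * 64
        if not hmac.compare_digest(_hash_password(password, salt), stored):
            raise AuthError("bad username or password")
        user["certs"].add(fp)
        self.by_fp[fp] = username

    def delete_certificate(self, active_cert_der: bytes, fingerprint: str) -> None:
        """Settings page: remove any of your own certs except the one in use."""
        username = self.lookup(active_cert_der)
        if username is None:
            raise AuthError("not logged in")
        if fingerprint == cert_fingerprint(active_cert_der):
            raise AuthError("cannot delete the active certificate (lockout guard)")
        if fingerprint not in self.users[username]["certs"]:
            raise AuthError("no such certificate on this account")
        self.users[username]["certs"].discard(fingerprint)
        del self.by_fp[fingerprint]

    def admin_reset_password(self, username: str, new_password: str) -> None:
        """Out-of-band recovery (the lost-cert e-mail case): operator sets a password."""
        if username not in self.users:
            raise AuthError("no such user")
        salt = os.urandom(16)
        self.users[username].update(salt=salt, hash=_hash_password(new_password, salt))


if __name__ == "__main__":
    auth = CertAuth()
    laptop, phone = b"constructed-der-laptop", b"constructed-der-phone"  # stand-ins
    auth.register_new_user(laptop, "mozz")
    auth.set_password(laptop, "hunter2")
    auth.attach_certificate(phone, "mozz", "hunter2")
    print(auth.lookup(phone), sorted(auth.users["mozz"]["certs"]))
```

Two points the code makes explicit that the prose leaves implicit: the password check runs the same KDF and a constant-time comparison whether or not the username exists, and the only cert that can never be deleted is the one that authenticated the current request, so a user can always repair the account from whichever device still works.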

