using browserid as a server side login mechanism

im hitting a conceptual roadblock in the architecture so far (or maybe misu=
nderstanding the scope):

given the http://myfavoritebeer.org example (or any other pure client side =
app), once browserid returns the verification object i'm unsure how to prov=
e to the current website that I am a user that it knows about and can trust=
 because there doesn't seem to be any token or secret that I can take from =
the webfinger verification token and hand to the website to prove my identi=
ty.

it seems like browserid can prove to my browser that I am a real user (whic=
h makes sense given the name browserid), but what I am wondering if there i=
s a model in which I can use browserid to also prove my identity to the ser=
ver, such as a webhook style callback where upon verification of my asserti=
on the verification server hits http://myfavoritebeer.org with a session to=
ken or something

cheers,

max
0
Max
7/15/2011 4:41:35 AM
mozilla.dev.identity 1643 articles. 4 followers. Post Follow

2 Replies
268 Views

Similar Articles

[PageSpeed] 57

Hi Max!

Unfortunately, that example site is incomplete.  It should *not* be =
doing the verification on the client.  Client code should send the =
verification up to your server, and there is where you'd validate it =
(either by using the browserid verification service, or by doing the =
verification yourself).

Check out the "Assertion Verification" flow described here: =
http://lloyd.io/how-browserid-works

Specifically:

> 1. The RP (securely) transmits the assertion from the client up to her =
servers.

Meanwhile, we'll fix the demonstration site so that it does the =
verification on the server instead of the client.

very best,
lloyd

On Jul 14, 2011, at 9:41 PM, Max Ogden wrote:

> im hitting a conceptual roadblock in the architecture so far (or maybe =
misunderstanding the scope):
>=20
> given the http://myfavoritebeer.org example (or any other pure client =
side app), once browserid returns the verification object i'm unsure how =
to prove to the current website that I am a user that it knows about and =
can trust because there doesn't seem to be any token or secret that I =
can take from the webfinger verification token and hand to the website =
to prove my identity.
>=20
> it seems like browserid can prove to my browser that I am a real user =
(which makes sense given the name browserid), but what I am wondering if =
there is a model in which I can use browserid to also prove my identity =
to the server, such as a webhook style callback where upon verification =
of my assertion the verification server hits http://myfavoritebeer.org =
with a session token or something
>=20
> cheers,
>=20
> max
> _______________________________________________
> dev-identity mailing list
> dev-identity@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-identity

0
Lloyd
7/15/2011 4:56:04 AM
gotcha! I wasn't sure if you had considered a security model where myfavoritebeer.org trusted browserid.org by proxy through the client side javascript (which makes little sense now that I type it out)

max
0
Max
7/15/2011 5:42:40 AM
Reply:

Similar Artilces:

Displaying a java popup using server side VB code and returning true or false to server side
I've just spent more than a day searching these forums for the answer to this, and have found the question asked more than once, but never actually answered. I've got a form allowing a user to alter some default values for a system. When they submit changes, a java popup needs to display asking whether they are sure they want to continue... and if they click yes than the code continues. This bit I can do easily enough by adding an attribute to a button. But the next I've not been able to do, or find any way of doing in VB instead of C: Once they've clicked &q...

Setting the value of server side variable in javascript and wants to use that server side variable on page load.
Hi, I am trying to set the value of a server side variable in javascript and wants to use that variable on page load.  Here is my sample code. -------------------------- private string testVal = null;  private void registerScript(){ if (!this.Page.ClientScript.IsClientScriptBlockRegistered("RequestHeaderValidation")){ StringBuilder sb = new StringBuilder("" + Environment.NewLine);sb.Append(" var version = '2.0'; " + Environment.NewLine); sb.Append(" var isInstalled = Silverlight.isInstalled(version);" + Environment.NewLine)...

when to use client side / server side?
Hey, Please can someone tell me when do i need to use a client-side or a server-side? For instance, I have a dropdownlist and when the user choses one of the listitems then click on the button to submit changes,i need first to validate the new value chosen by the user by comparing it with the old value and then redirect the user to the next page if there are no errors or view an error on the other hand! so in this case what's more preferable to use a JScript (client side) or on the click event of the button pressed (server side)! waiting the reply................. thanx in adva...

clients cannot login to server using server name
We have a Netware 6.5 server now running SP3 that users on Windows 98 who are now running client 3.4c can't login to using the server name only. The problem first occured when the 6.5 server was on SP1 and most of the clients were running 3.32. Because of the older versions, we first tried upgrading both server and clients to the latest versions, but this did not help. We can login in to the server if we use the IP address in the server field of the client. However, if the server name is used, the client can not find the server and logs in to the 5.1 server at the same location....

Using server side global variable on client side
I have a function which retrieves certain values from ldap server. I have written server side code to get the data. Now I want to show the values on a html form. I tried to create client side variable within server side script and use it but when I start it says Undefined variable as_firstname, if I add <SCRIPT> as_firstname="test" </SCRIPT> after <!--SCRIPT> and --> tag before </HEAD> it displays the value. Can someone say what is wrong in this? My Code is <HTML> <HEAD> <!--SCRIPT import JavaWrapper.ssc; fun...

Server-side posting to another server using C#
Hi,I have a page that makes an AJAX call (GET method) in the background to a local ASP file which in turn calls a PHP page on another server. (I cannot do this directly with AJAX due to XSS issues). All I need to do is to pass the variables via POST or GET methods so I can log data and do not necessarily need to receive the response.  I previously had a Classic ASP page and tried to rewrite the code into ASP.NET 2.0 using C# (shown below):(as you can see I am also storing the variables as session variables) <%@ Page language="c#"%> <%@ Import Namespace="System.N...

Client side clock using server side controls
Is it possible to create a client side clock using a server side control (label or textbox) in C# without accessing JavaScript?  If so, how? In principal it is possible, it depends how often you need to reload this clock ... if every second than: 1. It is no sens to do I mean 2. You need than to make setTimeout client script, to refresh page every second With FastPage it seems more real task ... http://fastpage.more.at...

Calling a server side function from client side using the toolkit
Ok, I'm sure this is a really stupid question, but I'm willing to ask it anyway.  Let's say that I created a new extender called "My", so I now have three files files, MyExtender.cs, MyBehaviour.js, and MyDesigner.cs.  I want my control to be able to take some data on the client side and use it to retrieve some data on the server side, which AJAX is all about right? :) So for the sake of argument, let's say I want to enter an email address in a textbox, and then consult a database to return the user's password. So in my MyExtender.cs file, I create ...

Passing client side to server side using hidden field
 I have a hidden asp.net text box that is being updated on the client via javascript. I am trying to determine the best way to detect when that hidden field has changed and read the new value on the server. I would like to do this WITHOUT posting back. I have tried using the TextChanged event but that requires blur state to be changed before it gets fired. What would be the best way to do this? Thanks, Justin.  Can you use __doPostBack() to trigger a partial postback at the same time the hidden TextBox is updated, from JavaScript? Encosia - ASP.NET, AJAX, and more.Lates...

When To Use Client Side vs Server Side vs AJAX
Before AJAX, it was fairly clear to me where to draw the line between functionality best performed server-side vs client-side.  For example, database access and data processing is done on the server, and basic field validation and other UI stuff is done on the client.  But now with AJAX implemented through Atlas, the line is blured.  I know what can be done... but what is the optimal way to design a web application using Atlas (in terms of what functionality should be implemented server-side versus client-side versus Ajax)?  What is the prev...

login not working on remote server
Hi. I have a problem.    I have uploaded an asp.net 2.0 web project that uses asp.net membership/roles to my hosting service.  I had already on my local machine converted the sqlexpress security database to an sql2005 one and imported all these tables, scripts, etc to  my application database.  That database was also uploaded to the host.  So my one database has all my former sql Express roles/membership tables, sp’s, etc. and my application tables, etc.    My web program  correctly works when I do not use the login screens (if I use the gue...

call server side fuction by using cliend side function
hi all, I want to call server side function where if I check the condition on client side - if it is 'True' then only it should go to 'server' and call server function or else, if it is 'false' it should display some message under client side itself thanks in advance  Ponkarthik.P,Associate Software Engineer,Zillion Information Systems,Banglore. See this: http://blogs.visoftinc.com/archive/2008/09/07/ASP.NET-AJAX-Page-Methods.aspx In the first example you can just add a condition to either call the server or display something client-side. -DamienVisoft, In...

When to use client side varidation and server side varidation in .net?
In .net or classic web application we can varidate user data either on client isde or server side. How to select which side varidate to be used? Thanks! Generally, I use both client and server validation. I make sure the input is in the correct format and reasonably valid on the client, then I verify the data on the server. The extent of validation also depends on the type of data that I need to validate.Here are a few references:Validating ASP.NET Server ControlsIntroduction to Validating User Input in Web FormsClient-Side Validation for ASP.NET Server ControlsSecurity Checklist...

Firing both Client side event and server side event for server side button
I am having some difficulties getting this to work.. I have button_click (Asp.net) and ClientClick (Javascript).  Javascript is firing fine.  Server script is not. may be you have return return false in the in the javascript which is why its not firing server side event.You should add javascript evelt like thisbutton1.onclientclick = "functionname" Function should nopt return false. Vikram www.vikramlakhotia.comPlease mark the answer if it helped you...

Web resources about - using browserid as a server side login mechanism - mozilla.dev.identity

BrowserID: A Better Way to Sign In
BrowserID Home How it works Developers Sign In Sign Out New to BrowserID? Learn more Account Manager Your Email Addresses edit done Password ...

mozilla/browserid · GitHub
browserid - Persona is a secure, distributed, and easy to use identification system.

Explained: BrowserID: what it is and why you should care
BrowserID: what it is and why you should care BrowserID is a method, presented in July 2011, to use email addresses to prove an identity and ...

Mozilla unveils a new ‘Persona’ for its BrowserID easy login technology
Mozilla has announced Persona, a new public-facing name for its BrowserID technology, which aims to make it easier to sign in to websites and ...

Mozilla Corporation - LinkedIn
Welcome to the company profile of Mozilla Corporation on LinkedIn. Mozilla is a thriving community of intelligent, principled and passionate ...

BrowserID and me
... and User Data at Mozilla. This is an awesome and challenging responsibility, and I’ve been busy. When I took on this new responsibility, BrowserID ...

Black Duck Software Media Coverage
Read more about how Black Duck is helping organizations make better software faster and for less money by harnessing the power of open source ...

Google Paying Mozilla $900M in Search Deal: ATD
Google will pay Mozilla $300 million a year for the next three years in a search deal it renewed earlier this week. The deal will give Mozilla ...

Haskellers
Haskell Language English Japanese Spanish Hebrew Russian Ukrainian The meeting place for professional Haskell programmers Overview Groups Find ...

Identity at Mozilla
This past year we’ve been building the core of a Web-scale identity system. We’ve been calling it BrowserID: our name both for the technology1 ...

Resources last updated: 1/22/2016 12:21:24 PM