Topic: Simple Machines BitShares X Login Plugin

Offline bytemaster

The users shouldn't need to write it down because if they're authenticated with their BTSX Id they don't need to use the password because they're already authenticated.

This would be operating on the assumption they will always login from bitsharesX client or have it available if they are unauthenticated.  I am not sure I want that constraint.

That assumption is valid if they log in from BTSX... they can change their password to something they know if they want.
For the latest updates check out my blog: http://bytemaster.bitshares.org
Anything said on these forums does not constitute an intent to create a legal obligation or contract between myself and anyone else. These are merely my opinions and I reserve the right to change them at any time.

Offline Riverhead

The users shouldn't need to write it down because if they're authenticated with their BTSX Id they don't need to use the password because they're already authenticated.

This would be operating on the assumption they will always login from bitsharesX client or have it available if they are unauthenticated.  I am not sure I want that constraint.
Good points. I guess when I think of single sign on I think of logging into one application and then everything is pre-authenticated. However I can understand why that, as an only option, would be very undesirable in a web site people could log in to from anywhere.

Offline gamey

The users shouldn't need to write it down because if they're authenticated with their BTSX Id they don't need to use the password because they're already authenticated.

This would be operating on the assumption they will always login from bitsharesX client or have it available if they are unauthenticated.  I am not sure I want that constraint.
I speak for myself and only myself.

Offline bytemaster

@xeroc I have looked a little into openid but I don't really know how it is implemented.  It sounds like a good base.

BM - I considered putting in a default random password.  I am a little hesitant to create passwords as I'm not a cryptographer and would be worried about entropy source.  I also would be worried about users not writing it down etc. 

I think the best option is to print the password on the page, tell the user to write it down if they choose and then set the password field with it.  This would have to be more secure than coding around blank password fields, even if the entropy level isn't as high as a cryptographer might wish.

Just use /dev/random or ask PHP to generate a private key and use the public key as the password.  That will give you a secure source of random data.  Alternatively, you can have a blank default password and not allow login to any account with a blank password.

Offline Riverhead

The users shouldn't need to write it down because if they're authenticated with their BTSX Id they don't need to use the password because they're already authenticated.

Offline gamey

@xeroc I have looked a little into openid but I don't really know how it is implemented.  It sounds like a good base.

BM - I considered putting in a default random password.  I am a little hesitant to create passwords as I'm not a cryptographer and would be worried about entropy source.  I also would be worried about users not writing it down etc. 

I think the best option is to print the password on the page, tell the user to write it down if they choose and then set the password field with it.  This would have to be more secure than coding around blank password fields, even if the entropy level isn't as high as a cryptographer might wish.

Offline bytemaster

Set a default password for accounts created entirely from BTSX. The goal is single sign-on to eliminate the need for extra forms. If the user would like to log in without BTSX then they can set a password after their account has been created. So by default you don't create accounts without passwords; you just create accounts with really difficult random passwords that must be changed if the user would like to log in without BTSX.



Offline xeroc

Is your proposal pretty much the same as how platforms treat OpenID?

It's like a common account with an OpenID tied to it ...

I like the idea .. pretty simple and well established with openid already
« Last Edit: August 01, 2014, 11:18:10 am by xeroc »

Offline Riverhead

Eating our own dog food.  I love it.  +5%

Offline gamey

SMF has a ton of support for bridges etc. on their support site but I don't think they'll fit so well. The main problem is people already have accounts and allowing people to login to existing accounts can't happen without a setting change. I am also not sure this scheme will readily fit within the confines of a normal plugin. I will have to make a custom query for the alternative login.

My solution - Add a new text field to each user labelled something like "Bitshares X allowed login name"

This will be blank for existing accounts by default, meaning someone cannot use Bitshares X to login to that account. Once the user changes this to a registered name then the owner of that registered name will be able to login to SMF.

Likewise, if someone tries to login via Bitshares X to a non-existent name then they will be sent to the new user page. The idea is to force them to create an account with some sort of password so they can login later. The other option is to skip the new user creation page, but then they'll never be able to login outside of Bitshares X without creating a password. (And I am not sure how much code is required to have accounts with no passwords.)

So this allows existing accounts to start using BitShares X and BitShares X users to create accounts.

The other main option is to just have an "allow BitShares X login" checkbox, but it isn't nearly as flexible.

Thoughts on this? Concerns? I'm not sure if anyone will read it, but hopefully Toast/Bytemaster/the XTS authenticator guy might.
« Last Edit: August 01, 2014, 10:35:38 am by gamey »
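
The scheme discussed in this thread, as an added PHP example that is not any poster's code or the plugin's own: accounts created through BitShares X get a random password from the OS CSPRNG, blank passwords never authenticate, and a blank "allowed login name" field never matches. The in-memory `$members` array, its field names and all function names are assumptions, and verification of the BTSX identity itself is assumed to have happened before `btsx_login` is called.

```php
<?php
// Added example. $members stands in for the forum's member table; the field
// names passwd_hash and btsx_name are assumptions, not SMF's schema.
$members = [
    // Constructed existing account: has a password, BTSX field left blank.
    'alice' => ['passwd_hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'btsx_name' => ''],
];

// BTSX login. $verifiedName must already have been proven by the BTSX login
// flow (not shown). Returns the forum account name, or null if none is bound.
function btsx_login(array $members, string $verifiedName): ?string
{
    if ($verifiedName === '') {
        return null; // the blank default on existing accounts must never match
    }
    foreach ($members as $forumName => $row) {
        if ($row['btsx_name'] === $verifiedName) {
            return $forumName;
        }
    }
    return null; // unknown name: caller sends the user to the new-account page
}

// First BTSX login for a new user: create the account with a random password
// from the OS CSPRNG instead of a blank one.
function create_btsx_account(array &$members, string $forumName, string $verifiedName): string
{
    if ($verifiedName === '' || isset($members[$forumName]) || btsx_login($members, $verifiedName) !== null) {
        throw new InvalidArgumentException('name missing or already in use');
    }
    $password = bin2hex(random_bytes(32)); // 256 bits of entropy, 64 hex chars
    $members[$forumName] = [
        'passwd_hash' => password_hash($password, PASSWORD_DEFAULT),
        'btsx_name'   => $verifiedName,
    ];
    return $password; // may be shown once; the user can change it later
}

// Password login: a blank submitted password or a blank stored hash fails.
function password_login(array $members, string $forumName, string $password): bool
{
    $hash = $members[$forumName]['passwd_hash'] ?? '';
    return $password !== '' && $hash !== '' && password_verify($password, $hash);
}

$initial = create_btsx_account($members, 'bob', 'bob-btsx'); // constructed names
var_dump(btsx_login($members, 'bob-btsx'), btsx_login($members, ''));
var_dump(password_login($members, 'bob', $initial), password_login($members, 'bob', ''));
```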

Offline cass

█║▌║║█  - - -  The quieter you become, the more you are able to hear  - - -  █║▌║║█

Offline bytemaster


I'll do this.  If someone else has a burning desire though, please tell me so I don't waste my time.

+1

Offline gamey


I'll do this.  If someone else has a burning desire though, please tell me so I don't waste my time.

Offline bytemaster

I would like to see a plugin for Simple Machines that allows users to sign up and login to any Simple Machines forum using our ID system.

https://github.com/BitShares/bitshares_toolkit/wiki/BitShares-XT-Login