[aerogear-dev] aerogear-js Mozilla's Persona authentication adapter

Apostolos Emmanouilidis aemmanou at redhat.com
Fri Jan 24 10:30:11 EST 2014


I have created a new branch which contains an example using the
navigator.id watch-request methods instead of the get method which is
used in the master branch and added session support to the server [1].
The AeroGear persona adapter API still needs many improvements and
redesign :)

What worries me about Mozilla's Persona sign-in system is that even if
you sign out with Persona, you should remember to explicitly sign out of
your personal email account as well.
Otherwise the next person who sits at a shared computer will be
able to sign in to the Persona service without entering a password
[2]. I don't know if the lesson is to never share your computer :)

[1]:
https://github.com/tolis-e/aerogear-js-persona-authentication-poc/tree/persona_watch-request
[2]: https://support.mozilla.org/el/kb/signing-out-using-persona

On Wed, 2014-01-22 at 08:32 -0500, Lucas Holmquist wrote:

> sounds cool,  i'll take a look
> On Jan 22, 2014, at 4:41 AM, Apostolos Emmanouilidis <aemmanou at redhat.com> wrote:
> 
> > hello,
> > 
> > while looking at AGJS-122 and the possibility to add an authentication adapter which is based on Mozilla's Persona sign-in system, I was thinking of the following API:
> > 
> > // Construct an AeroGear.Authentication.adapters.Persona 
> > var persona = AeroGear.Auth({                         
> >        name: 'persona',
> >        type: 'Persona',
> >        settings: {                             
> >            verificationEndpoint: "http://127.0.0.1:3000/verify"
> >        }                     
> > }).modules.persona;
> > 
> > // use login to initiate Mozilla's Persona authentication procedure. login enables the BrowserID and generates a signed assertion which contains the user's email address
> > // on assertion generation call the verification service
> > persona.login({
> >    onAssertion: function ( assertion ) {
> for consistency, i would probably call this callback 'success'
> >        // the verification API receives the assertion and the audience (our website URL) as parameters
> >        // for security reasons there must be an intermediate service between the client and the verification API. the reason for which we want the intermediate service
> >        // is that we want to ensure that the audience parameter is not hacked. I was thinking that it is better to avoid adding the persona.verify call inside our adapter
> >        // since this way we would force the user to create the intermediate service according to our implementation. That's why the following line exists:
> >        persona.verify( { assertion: assertion }, { success: onSuccessVerification, error: onFailedVerification } );                             
> >    },                             
> >    error: onLoginError                         
> > });
> > 
> > // logout
> > persona.logout( onLogout );
> 
> i know for the REST adapter we also have an "enroll" method,  not sure if that makes sense for this one.  I haven't really looked at the Persona thing too much, just a shiny object that i saw and created a JIRA
> 
> > 
> > I have added a working example in: https://github.com/tolis-e/aerogear-js-persona-authentication-poc
> > and a first implementation sample: https://github.com/aerogear/aerogear-js/pull/100
> > 
> > If you'd like to try the working example on the Android emulator, change the lines:
> > https://github.com/tolis-e/aerogear-js-persona-authentication-poc/blob/master/static/persona-test.html#L16
> > and
> > https://github.com/tolis-e/aerogear-js-persona-authentication-poc/blob/master/server.js#L29
> > to use host 10.0.2.2
> > and open the http://10.0.2.2:3000/persona-test.html page on the Android browser
> > 
> > 
> > any thoughts, suggestions? 
> > _______________________________________________
> > aerogear-dev mailing list
> > aerogear-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/aerogear-dev
> 
> 

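Added example, not part of the original messages or of the PoC repository: a sketch of the intermediate verification service discussed in the thread, which forwards only the assertion from the client and pins the audience on the server. The function names, the `AUDIENCE` value and the verifier response fields (`status`, `email`, `audience`, `expires`, `reason`) are assumptions made for illustration, and the sample inputs are constructed.

```javascript
// Assumption: the audience is fixed in server configuration (here the PoC's
// local host and port) and is never read from the incoming request.
const AUDIENCE = 'http://127.0.0.1:3000';

// Build the body the intermediate service forwards to the verification API.
// Only the assertion comes from the client; a client-sent audience is dropped.
function buildVerifierRequest(clientBody) {
  const assertion = clientBody && clientBody.assertion;
  if (typeof assertion !== 'string' || assertion.length === 0) {
    throw new Error('missing assertion');
  }
  return { assertion: assertion, audience: AUDIENCE };
}

// Decide whether a verifier response may start a server-side session.
// nowMs is the current time in milliseconds since the epoch.
function acceptVerifierResponse(resp, nowMs) {
  if (!resp || resp.status !== 'okay') {
    return { ok: false, reason: (resp && resp.reason) || 'verification failed' };
  }
  if (resp.audience !== AUDIENCE) {
    return { ok: false, reason: 'audience mismatch' };
  }
  if (typeof resp.expires !== 'number' || resp.expires <= nowMs) {
    return { ok: false, reason: 'assertion expired' };
  }
  if (typeof resp.email !== 'string' || resp.email.indexOf('@') < 1) {
    return { ok: false, reason: 'no email in response' };
  }
  return { ok: true, email: resp.email };
}

// Constructed walk-through: the client body carries an extra audience field,
// which the service ignores, and the verifier answer is checked before use.
function demo() {
  const forwarded = buildVerifierRequest({
    assertion: 'constructed-assertion',
    audience: 'http://other.example'
  });
  const verifierAnswer = {
    status: 'okay',
    email: 'user@example.org',
    audience: forwarded.audience,
    expires: 2000
  };
  return { forwarded: forwarded, result: acceptVerifierResponse(verifierAnswer, 1000) };
}
```
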
