Securely verifying the viewer is who he claims to be - Build, 2024-03-28T22:51:09Z
https://build.ning.com/forum/topics/securely-verifying-the-viewer-is-who-he-claims-to-be?commentId=6308082%3AComment%3A14806&feed=yes&xn_auth=no

Comment 15101 (tag:build.ning.com,2011-12-08:6308082:Comment:15101), 2011-12-08T02:41:57.209Z, by Mark V (https://build.ning.com/profile/MarkV)
<p>Thank you Devin for your reply,</p>
<p>I think I understand now where ning is at and will need to work with what is there. </p>

Comment 15002 (tag:build.ning.com,2011-12-07:6308082:Comment:15002), 2011-12-07T21:55:15.848Z, by Devin (https://build.ning.com/profile/Devin)
<p>There are two types of authentication: server-side and client-side.</p>
<ol>
<li>Server-side - Verification code is run on your server</li>
<li>Client-side - Verification is run in the user's browser (i.e. JavaScript)</li>
</ol>
<p>It seems that you are interested in a client-side solution using JavaScript. The Ning API as it is right now does have a safe means of doing client-side authentication using pure JavaScript. Client-side authentication is more difficult because you need to worry about keeping the OAuth consumer secret a secret.</p>
<p>The team has discussed implementing a client-side authentication scheme that non-Ning websites could embed that gives members a single-sign-on experience. As you can imagine, this is a difficult problem and will take some time to design and implement.</p>
<p>What I recommend you do is use server-side authentication. You will need to create an HTML form that requests the member's email address and password. Upon submission of the form your server will verify the credentials using the Ning API's /Token endpoint. If you receive a successful response from the /Token endpoint you can believe who the member is and set up a session (most likely using cookies). For the life of the session you can then trust that the user is who they say they are (assuming their cookies aren't stolen).</p>
<p>We are planning to implement 3-legged OAuth in the future to make server-side authentication more seamless for members. More seamless because members will not need to enter their password to authorize your web application if they are already signed into your Ning site.</p>

Comment 14806 (tag:build.ning.com,2011-12-07:6308082:Comment:14806), 2011-12-07T06:21:14.825Z, by Mark V (https://build.ning.com/profile/MarkV)
<p>Here's my suggestion for the flow:</p>
<p>The user makes an AJAX request (JSONP) to example.ning.com/whoami?consumerKey=MYAPPSCONSUMERKEY.</p>
<p>The network checks if the user is signed in and the key is valid, and creates a temporary token based on the consumer key (they know my consumer secret), user data and network-specific parameters/algorithms.<br/>Ning returns a success status (user is logged in, consumerKey is valid on this network) and the token to the user (the JavaScript).</p>
<p>The user (JavaScript) sends his token to my server.</p>
<p>My server sends the consumerKey, consumerSecret &amp; token to the Ning network.</p>
<p>The Ning network responds with the success (user requested a token &amp; it matches based on key &amp; secret) and the user id/data.</p>
<p>The user token expires within a short time frame, or maybe after 1 use.</p>