Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

CouchDB BrowserID Plugin

117 views
Skip to first unread message

Max Ogden

unread,
Jul 19, 2011, 2:46:58 AM7/19/11
to
Hey all,

This weekend @tilgovi and @_jhs implemented a plugin to verify assertions and manage user sessions on CouchDB.

The plugin code is here https://github.com/iriscouch/browserid_couchdb and every Couch hosted by http://iriscouch.com has the plugin enabled already.

I then took the plugin and implemented BrowserID login on my CouchDB port of Diaspora: http://monocl.es if you want to try out the login flow.

Cheers,

Max

Ben Adida

unread,
Jul 19, 2011, 9:43:30 AM7/19/11
to dev-id...@lists.mozilla.org

Very nice! Thanks for sending along.

Please do send us your feedback now that you've implemented BrowserID!

-Ben

> _______________________________________________
> dev-identity mailing list
> dev-id...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-identity

Randall Leeds

unread,
Jul 19, 2011, 3:06:26 PM7/19/11
to
On Jul 19, 6:43 am, Ben Adida <b...@adida.net> wrote:
> Very nice! Thanks for sending along.
>
> Please do send us your feedback now that you've implemented BrowserID!
>
> -Ben

Right now I'm most confused about some of the details regarding
primaries.

The current implementation has the login page send both the assertion
and the audience back to CouchDB.
If I base64 decode the assertion it seems to have a json object along
with (what I presume to be cryptographic) padding.

The "issuer" field of the JSON object says "browserid.org:443".
It's strange to me that this isn't a URI with https in front of it.
I'd much prefer if it said https://browserid.org/verify.
Has there been any talk of putting this in .well-known, or some other
way to say what service should verify?
I'd like to support other primaries.

Currently the CouchDB implementation assumes the browserid.org verify
endpoint.
I believe we assert that the audience the client sends us matches the
audience in the verification response.
I feel strange about trusting the user agent to send the audience.
Does it make sense to look at the Host header and assert it matches
the audience in the decoded assertion and the verify response? Or am I
getting too paranoid here?

Any thoughts would be greatly appreciated! It's really exciting to
have this in CouchDB, but I want to make CouchDB a primary now and
start logging in to Max's Couch with my Couch certifying my
identity :).

-Randall (@tilgovi)

>
> On 7/18/11 11:46 PM, Max Ogden wrote:
>
>
>
>
>
>
>
> > Hey all,
>
> > This weekend @tilgovi and @_jhs implemented a plugin to verify assertions and manage user sessions on CouchDB.
>

> > The plugin code is herehttps://github.com/iriscouch/browserid_couchdband every Couch hosted byhttp://iriscouch.comhas the plugin enabled already.
>
> > I then took the plugin and implemented BrowserID login on my CouchDB port of Diaspora:http://monocl.esif you want to try out the login flow.


>
> > Cheers,
>
> > Max
> > _______________________________________________
> > dev-identity mailing list

> > dev-ident...@lists.mozilla.org
> >https://lists.mozilla.org/listinfo/dev-identity

greg...@gmail.com

unread,
Jun 4, 2012, 3:01:33 PM6/4/12
to
Hi,

Is the browserid code here secure and ready for production use?

also

I can't get the example to work.

When I execute this it just hangs.
./push.js http://mycouch.iriscouch.com:6984/browserid

Am i missing something?

Dan Callahan

unread,
Jun 4, 2012, 3:56:34 PM6/4/12
to
Hi Gregory M.,

On 6/4/12 2:01 PM, greg...@gmail.com wrote:
> Is the browserid code here secure and ready for production use?

BrowserID itself (soon to be renamed "Persona") is secure and ready for
production use. The fallback Identity Provider we operate at
browserid.org is hosted in geographically redundant data centers, etc.

We didn't write the CouchDB plugin, so you'll want to contact the Iris
Couch folks directly. From a quick glance, it looks like it's using the
old, deprecated navigator.id.getVerifiedEmail() call, and is
self-hosting our include.js shim.

It should work for now, but we recommend against doing both of those things.

> When I execute this it just hangs.
> ./push.js http://mycouch.iriscouch.com:6984/browserid
>
> Am i missing something?

I'm not sure; that sounds like a problem on the Iris Couch side. You're
probably better of asking them directly. :)

Either way, we're about to release an updated version of our API, and
I'll make sure I contact Iris Couch and other library authors to ask
them to support it. The move to the newer API should give us a better
idea as to which libraries are being actively maintained.

Otherwise, let me know if you have any other questions or if I can help
you get set up!

-Callahad
0 new messages