This weekend @tilgovi and @_jhs implemented a plugin to verify assertions and manage user sessions on CouchDB.
The plugin code is here https://github.com/iriscouch/browserid_couchdb and every Couch hosted by http://iriscouch.com has the plugin enabled already.
I then took the plugin and implemented BrowserID login on my CouchDB port of Diaspora: http://monocl.es if you want to try out the login flow.
Cheers,
Max
Please do send us your feedback now that you've implemented BrowserID!
-Ben
> _______________________________________________
> dev-identity mailing list
> dev-id...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-identity
Right now I'm most confused about some of the details regarding
primaries.
The current implementation has the login page send both the assertion
and the audience back to CouchDB.
If I base64 decode the assertion it seems to have a json object along
with (what I presume to be cryptographic) padding.
The "issuer" field of the JSON object says "browserid.org:443".
It's strange to me that this isn't a URI with https in front of it.
I'd much prefer if it said https://browserid.org/verify.
Has there been any talk of putting this in .well-known, or some other
way to say what service should verify?
I'd like to support other primaries.
Currently the CouchDB implementation assumes the browserid.org verify
endpoint.
I believe we assert that the audience the client sends us matches the
audience in the verification response.
I feel strange about trusting the user agent to send the audience.
Does it make sense to look at the Host header and assert it matches
the audience in the decoded assertion and the verify response? Or am I
getting too paranoid here?
Any thoughts would be greatly appreciated! It's really exciting to
have this in CouchDB, but I want to make CouchDB a primary now and
start logging in to Max's Couch with my Couch certifying my
identity :).
-Randall (@tilgovi)
>
> On 7/18/11 11:46 PM, Max Ogden wrote:
>
>
>
>
>
>
>
> > Hey all,
>
> > This weekend @tilgovi and @_jhs implemented a plugin to verify assertions and manage user sessions on CouchDB.
>
> > The plugin code is herehttps://github.com/iriscouch/browserid_couchdband every Couch hosted byhttp://iriscouch.comhas the plugin enabled already.
>
> > I then took the plugin and implemented BrowserID login on my CouchDB port of Diaspora:http://monocl.esif you want to try out the login flow.
>
> > Cheers,
>
> > Max
> > _______________________________________________
> > dev-identity mailing list
> > dev-ident...@lists.mozilla.org
> >https://lists.mozilla.org/listinfo/dev-identity