By casey on
I was wondering: isn't the authentication service pretty dangerous? It's asking for login-information from another site.
It's easy to rewrite drupal.module so it will store login-information. When people log in with their drupal.org account on a website which does this, the login-information is known by the website's owner. When for example Dries logs in on such a website you've got a problem.
Comments
solution?
I thought about it some minutes, and I think I have a kind of solution:
provide an extra password with which people can login on other sites but not on the site itself.
for example:
drupal.org
user: A
password: *****
authentication_service_password: *****
user A can login on drupal.org with password, but not with authentication_service_password. And user A can login on other sites (with authentication_service enabled) with authentication_service_password but not with password.
Only issue left is that authentication_service_password can be exposed, but that shouldn't give very much trouble.
It also is an idea to give users some kind of proof that the other website which the user logs in on really tried to validate the authentication_service_password with the drupal.org server (a secret sentence or something like that). All logins on other sites can then be logged with some "strong" certainty.
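The scheme sketched in this comment, as an added Python example that is not part of the original thread or of Drupal's own code: the home site stores two separate secrets, the remote-validation call accepts only the second one, and each successful validation yields a proof the user can later check with the home site. The names (USERS, SERVER_KEY, validate_remote, verify_proof) and the sample secrets are constructed for the illustration.

```python
import hmac
import hashlib
from typing import Optional

# Constructed sample data: one account with two separate secrets, as proposed
# above. Only digests are stored; a real site would use a salted password hash.
def _h(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()

USERS = {
    "A": {
        "password": _h("local-only-secret"),
        "authentication_service_password": _h("remote-only-secret"),
    },
}
SERVER_KEY = b"constructed-home-server-key"  # hypothetical secret held by the home site
VALIDATION_LOG: list = []                     # every remote validation is recorded here

def login_local(user: str, password: str) -> bool:
    """Direct login on the home site: only the primary password works."""
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec["password"], _h(password))

def validate_remote(user: str, password: str, remote_site: str) -> Optional[str]:
    """Called on behalf of another site. Accepts only the auth-service password,
    so a site that records what the user typed never learns the home password.
    Returns a proof string the user can later check with verify_proof."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(
            rec["authentication_service_password"], _h(password)):
        return None
    # Proof binds user, remote site and a per-validation sequence number.
    msg = f"{user}|{remote_site}|{len(VALIDATION_LOG)}".encode()
    proof = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    VALIDATION_LOG.append((user, remote_site, proof))
    return proof

def verify_proof(user: str, remote_site: str, proof: str) -> bool:
    """Home site confirms that a validation for (user, remote_site) really happened."""
    return any(u == user and s == remote_site and hmac.compare_digest(p, proof)
               for u, s, p in VALIDATION_LOG)
```

A user who is told "validated with the home server" can then ask the home server to confirm the proof, and validations by sites that never called the home server leave no log entry.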
So...
...only log into sites you trust.