• Re: RFC - BBS WEB AUTH

    From crax@21:1/188 to 3SHINOBI on Wed May 23 16:34:12 2018
    Quoting Shinobi to Nuskooler <=-

    I'm having a hard time understanding what this is attempting to solve?
    Is the goal to authenticate against a BBS user (user/pass) from a
    website?

    Sorry about not being clear. The goal is to authenticate user against
    web server. That means. When You logon to BBS. And then select from
    menu Doors. Then You should be dropped into text browser. And this
    browser has to authenticate against web server. And there shouldn't be
    the need to logon once more to the web server.

    What's running on the web server that requires the identity of the BBS user?

    The html file contains form with BBS_KEY, BBS_SECRET and
    username. - When the user is dropped into dumbed elinks the html file

    This just exposed the key and secret.

    Yep.

    This is to be done on the BBS side. The user won't have access to the form. That means. From user's point of view. You logon to BBS. Select application. That application runs custom elinks. And forward You to
    web pages with the username and shared secret.

    Shared secrets aren't meant to be transmitted.

    If the server just needs to identify the BBS as known in order to trust the user name, a unique key for each BBS it talks to is sufficient (assuming the server verifies the BBS key is valid). That's a basic form of authentication. There are a few problems

    crax
    ___ Blue Wave/386 v2.30

    --- Mystic BBS/QWK v1.12 A39 2018/04/21 (Raspberry Pi/32)
    * Origin: ACiD Underworld // blackflag.acid.org:31337 (21:1/188)