Access link parameters
If I'm compelled to visit the forum site, I use a link:
http://forums.adobe.com/index.jspa?showpersonalized=true
Is there any way to add login data to this (or any other) link to cut down the
time it takes actually to get into the forum? Like, for example,
http://forums.adobe.com/index.jspa?showpersonalized=true&un="Ildhund"&pw="password"
If not, could it be made possible?
Noel
Ildhund wrote on 2009-04-13 18:37 :
http://forums.adobe.com/index.jspa?showpersonalized=true&un="Ildhund"&pw="password"
Quite unlikely. These forums are not hosted by Adobe, but by Jive. If
you were to log in in such a way that would mean that Jive would be
responsible for forwarding your credentials to Adobe. That is a huge
security risk, Jive should never have access to your account credentials.
If not, could it be made possible?
Better forwarding between these forums and the Adobe SSO environment is
very well possible, but it will probably take some programming on both
the Jive and the Adobe end, so it won't be a quick fix.
Jochem
--
Jochem van Dieten
http://jochem.vandieten.net/
If you were to log in in such a way that would mean that Jive would be
responsible for forwarding your credentials to Adobe. That is a huge
security risk, Jive should never have access to your account credentials.
Thanks, Jochem. Makes sense, I suppose, but I can't really see what 'huge
security risk' is involved. Perhaps you could explain. I don't really
understand all these 'security' implications, but I do understand that posting
an email address en clair invites spam.
It was possible to be permanently logged in on the old forums, which were not hosted by Adobe - do you mean the risk is because of the link between an Adobe ID, linked to software purchases etc., and the forums? I've never been convinced that was a good idea anyway.
Ildhund wrote on 2009-04-13 20:03 :
What about if my access link were something like
https://www.adobe.com/cfusion/entitlement/index.cfm?e=ca&returnurl=http://forums.adobe.com/login.jspa&loc=en&un="Ildhund"&pw="password"
And who is going to email that link to you? Jive?
The standard way Single Sign On (SSO) works is that you try to access
these forums unauthenticated for instance at the URL:
http://forums.adobe.com/message/1889024#1889024
Then the forums see that you are not logged in and forward you to the Adobe
SSO server. The URL the forums use for that looks something like:
http://adobe.com/?returnURL=http://forums.adobe.com/message/1889024#1889024
You then log in to the Adobe SSO server if you are not already logged
in. The Adobe SSO server redirects you back to the returnURL with a
token appended to the URL:
http://forums.adobe.com/message/1889024#1889024?token=xxxxxxxxx
If you are already logged in the Adobe SSO server will immediately
redirect you there.
When the forum sees the new request it will check if you are logged in.
You aren't, but there is a token appended to your URL. The forums take
that token and call a private authentication service on the Adobe SSO
server to verify the token. The Adobe SSO server checks that the token
from the forums server is the same as the token it just sent to you. If
it is, it gives you an OK.
So what have we accomplished now:
1. The Adobe SSO server has confirmed to these forums that you are
really "Ildhund".
2. The forums, which are under the control of an external company, have
at no point had access to your Adobe ID and can not access your license
keys in the Adobe store.
This is the simplified version of the theoretical blueprint of how SSO
is supposed to work. For a step by step explanation of the best known
SSO mechanism see http://web.mit.edu/Kerberos/dialogue.html
Now these forums work completely differently and I share your pain (I
get logged out all the time as well). But I don't think we should
compromise the security of these forums to the extent you are suggesting
to improve the automatic logon experience. We should instead ask Adobe
to better align their implementation with this reference model and fix
the issues with disappearing cookies and sessions getting out of sync
between servers.
Jochem
--
Jochem van Dieten
http://jochem.vandieten.net/
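
The redirect-and-token exchange described in the post above, sketched as an added example that is not part of the original thread and is not Adobe's or Jive's code. The class names and the hosts `sso.example` and `forums.example` are hypothetical, and the single-use, expiry and return-URL binding checks go beyond the simplified description as assumptions about how such a token would normally be constrained.

```python
import secrets, time
from urllib.parse import urlencode, urlsplit, parse_qs

class SSOServer:
    """Stands in for the SSO server; it is the only party that sees the password."""
    def __init__(self, accounts, allowed_hosts, ttl=60):
        self.accounts = accounts            # username -> password (constructed data)
        self.allowed_hosts = allowed_hosts  # hosts the server will redirect back to
        self.ttl = ttl                      # token lifetime in seconds (assumption)
        self.pending = {}                   # token -> (username, return_url, expiry)

    def login(self, username, password, return_url, now=None):
        """Browser-facing step: authenticate, then redirect back with a token."""
        now = time.time() if now is None else now
        if urlsplit(return_url).hostname not in self.allowed_hosts:
            raise ValueError("returnURL host not registered")
        if not secrets.compare_digest(self.accounts.get(username, ""), password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.pending[token] = (username, return_url, now + self.ttl)
        sep = "&" if urlsplit(return_url).query else "?"
        return return_url + sep + urlencode({"token": token})

    def verify(self, token, return_url, now=None):
        """Private back-channel call made by the forum, not by the browser."""
        now = time.time() if now is None else now
        entry = self.pending.pop(token, None)   # single use: removed on first check
        if entry is None:
            return None
        username, issued_for, expiry = entry
        if issued_for != return_url or now > expiry:
            return None
        return username

class Forum:
    """Stands in for the externally hosted forum; it never handles a password."""
    def __init__(self, sso):
        self.sso = sso

    def handle(self, url):
        parts = urlsplit(url)
        token = parse_qs(parts.query).get("token", [None])[0]
        if token is None:   # not logged in: send the browser to the SSO server
            return ("redirect", "https://sso.example/?" + urlencode({"returnURL": url}))
        page = parts._replace(query="").geturl()
        user = self.sso.verify(token, page)     # forum learns only the username
        return ("ok", user) if user else ("denied", None)
```

The forum's `handle` only ever receives a URL carrying an opaque token, so a password placed in a link, as in the `un=`/`pw=` proposal, has no place in this flow.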
Thanks a lot for the lecture, Jochem. I can see that it's a bit more
complicated than it appears. Nonetheless, I clicked the link as it appeared in
your post and got delivered to my personalized forums home page.
I still don't see what 'security' is involved with access to public web
forums.
The Kerberos story was entertaining. Like George Gamow explaining quantum
physics.
Noel

