Hey everyone, I've been thinking of implementing the following custom
authentication scheme:
1. User generates a public and private key pair
2. When creating a new user, the user name is as usual but the password
   is the public key (in clear hex)
3. For login:
   1. the user asks the server to generate a challenge string
   2. the user signs the challenge string and passes it to the server
   3. the user is considered logged in if the returned signed challenge
      can be verified by the server.
*How I propose to do that:* The user sends a GET request to the server,
which returns a randomly generated challenge and saves it in relation to
the requesting user. The user then sends a login request, with the
difference that the password param is the signed challenge.
*Problems with what I propose:* How do I verify that whoever requests to
generate the challenge is the actual user?
I'll be happy for suggestions on how to go about doing this.
Alon.
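Added example, not code from the post or from Django: the server side of the scheme above, written to show the property that answers the closing question. It does not matter who asks for a challenge, because the challenge is random, stored under the username it was issued for, single-use and short-lived, and only the matching private key can produce a valid signature over it. Assumptions of mine: Ed25519 keys verified through the `cryptography` package, a domain-separation tag `SIGN_CONTEXT` that both client and server prepend before signing, and an in-memory dict standing in for the user table.

```python
import os
import time
from typing import Callable, Dict, Tuple

CHALLENGE_TTL_SECONDS = 60.0
# Domain-separation tag (my assumption, not in the post): both sides sign
# tag + challenge, so a login challenge cannot double as some other message.
SIGN_CONTEXT = b"django-challenge-login-v1:"


def ed25519_verify(public_key_raw: bytes, message: bytes, signature: bytes) -> bool:
    """Ed25519 verifier built on the `cryptography` package (imported lazily)."""
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
    try:
        Ed25519PublicKey.from_public_bytes(public_key_raw).verify(signature, message)
        return True
    except (InvalidSignature, ValueError):  # ValueError: malformed key bytes
        return False


class ChallengeLogin:
    """Server side. Anyone may request a challenge for any username: the
    challenge is random, stored under that username, single-use and
    short-lived, and only the matching private key can sign it."""

    def __init__(self, verify: Callable[[bytes, bytes, bytes], bool] = ed25519_verify,
                 now: Callable[[], float] = time.time):
        self.verify, self.now = verify, now
        self.users: Dict[str, bytes] = {}                  # username -> raw public key
        self.pending: Dict[str, Tuple[bytes, float]] = {}  # username -> (challenge, issued_at)

    def register(self, username: str, public_key_hex: str) -> None:
        self.users[username] = bytes.fromhex(public_key_hex)  # the "password" field

    def issue_challenge(self, username: str) -> bytes:
        challenge = os.urandom(32)
        self.pending[username] = (challenge, self.now())   # replaces any earlier challenge
        return challenge

    def login(self, username: str, signature: bytes) -> bool:
        entry = self.pending.pop(username, None)           # pop first: one attempt per challenge
        public_key = self.users.get(username)
        if entry is None or public_key is None:
            return False
        challenge, issued_at = entry
        if self.now() - issued_at > CHALLENGE_TTL_SECONDS:
            return False
        return self.verify(public_key, SIGN_CONTEXT + challenge, signature)
```

The client's side is `private_key.sign(SIGN_CONTEXT + challenge)` with the key whose raw public bytes (hex) were stored at registration; `login` returns True only for a fresh, unexpired challenge issued under that username.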
--
You received this message because you are subscribed to the Google Groups
"Django users" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-users/bccd4331-90d3-442c-a0e3-0a541f45843e%40googlegroups.com.