Re: Sign in with apple?

2020-06-03 Thread Ray Kiddy via Webobjects-dev


On 6/2/20 5:41 AM, Jesse Tayler wrote:
> 
>> On Jun 1, 2020, at 9:40 PM, Ray Kiddy  wrote:
>> 
>> Somebody comes in to the app, I get their e-mail address and send them an 
>> "invite" into the app. This is exactly as secure as any password-storage system 
>> that uses e-mail to reset passwords
> 
> This means the user has to invoke a new session by getting a link in email each 
> time they access?

Yes, but I also implement different expiration periods for links. So, 
invites will expire after a day by default, but if the user requests 
they can be provided with a link that will last longer, or it can be 
made to not expire.

> I suppose that link cannot be shared since it expires?

Yes, and the intention is that the link identifies the user, so one 
would not want it to be shared.

> I mean it sounds interesting, I am interested in what is going on with your 
> suggestion.
> 
> Just seems like sending around links that allow people to enter directly has 
> various dangers and complexities itself, and I wonder what the resulting 
> experience is and what the level of security is.
> 
> Isn’t this technically pushing the password back to your email login and isn’t 
> that really no different than the O-Auth or Apple sign in?

It is "pushing the password back to your email login" and that is the 
point. Your email login is one password. Almost all of the hundred or so 
passwords I use can be reset by e-mail. But I have to track those 
passwords, and no matter how clever they are about storing those 
passwords and no matter how convoluted they require those passwords to 
be, the security of the system is _exactly the same_ as the security of 
my email login password, and for no extra benefit. The illusion of extra 
security that comes with some of these password schemes is probably what 
bothers me the most.

> Apple sign in is preferable to users because it is easy and doesn’t offer 
> private information to the site, Facebook login seems the same but is reversed. 
> Facebook login is there to let Facebook see where you login and when so it can 
> sell that data to advertisers.

A valid point. I have, however, come to a point in my life where I do not 
accept that there are bad corporations and good corporations. The "good" 
corporations seem to always change their stripes when their profits are 
threatened. So the Apple system is a problem for me, even though it 
seems to be doing a good thing now. Do their Terms of Service say that 
they will do things this way forever? Can you take back your information 
if they change how they are doing things?

> The idea of not using passwords at all is interesting, but I’m not sure this 
> would be what I’m thinking about.
> 
> I’m going to guess this is not a bank, but what sort of service uses this email 
> authentication and why was it implemented?

Well, to be honest, I can only use this for the apps I build that I 
fully control. I do work for others and they don't get it and that is 
fine. I deal. I worked for Paypal and I'm pretty sure they will not be 
implementing this anytime soon. More's the pity. :--) One does what one 
can do.



cheers - ray


___
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list  (Webobjects-dev@lists.apple.com)
Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/webobjects-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com
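The expiring invite links Ray describes (here and in his original message further down the thread), as an added example that is not Ray's code: a single-use token store where the e-mailed link carries a random token, only the token's SHA-256 is kept server-side, the default lifetime is one day, a longer or unlimited lifetime can be granted per link, and redeeming the link is what identifies the user. Class and method names are hypothetical, and the in-memory map stands in for whatever table a WebObjects app would use.

```java
// Added example (not Ray's code): expiring, single-use e-mail "invite" links.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

public final class InviteLinks {
    /** Default lifetime: a link expires after a day unless the user asks for more. */
    public static final Duration DEFAULT_TTL = Duration.ofDays(1);

    /** expiresAt == null means the link never expires (granted on request only). */
    private record Invite(String userId, Instant expiresAt) {}

    private final SecureRandom random = new SecureRandom();
    // Keyed by SHA-256 of the token: a leaked copy of this table yields no usable links,
    // which is the same reason one hashes passwords, without there being a password.
    private final Map<String, Invite> byTokenHash = new ConcurrentHashMap<>();

    /** Issue a link token for userId; ttl == null means the link does not expire. */
    public String issue(String userId, Duration ttl) {
        byte[] raw = new byte[32];                       // 256 bits from a CSPRNG
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        Instant expiresAt = ttl == null ? null : Instant.now().plus(ttl);
        byTokenHash.put(sha256(token), new Invite(userId, expiresAt));
        return token;                                    // this goes into the e-mailed URL
    }

    /** Redeem a token exactly once: the user it identifies, or empty if unknown, expired or used. */
    public Optional<String> redeem(String token) {
        Invite inv = byTokenHash.remove(sha256(token));  // remove first, so a replay finds nothing
        if (inv == null) return Optional.empty();
        if (inv.expiresAt() != null && Instant.now().isAfter(inv.expiresAt())) return Optional.empty();
        return Optional.of(inv.userId());
    }

    private static String sha256(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.US_ASCII));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(d);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);          // SHA-256 is mandatory in every JRE
        }
    }

    public static void main(String[] args) {
        InviteLinks links = new InviteLinks();
        // Constructed sample users and host; nothing here is a real account.
        String t = links.issue("alice@example.com", DEFAULT_TTL);
        System.out.println("e-mail this: https://app.example.test/enter?t=" + t);
        System.out.println("first redeem:  " + links.redeem(t));
        System.out.println("second redeem: " + links.redeem(t));       // single use
        String stale = links.issue("bob@example.com", Duration.ofSeconds(-1));
        System.out.println("expired link:  " + links.redeem(stale));   // already past expiry
        String forever = links.issue("carol@example.com", null);
        System.out.println("no-expiry link: " + links.redeem(forever));
    }
}
```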


Re: Sign in with apple?

2020-06-03 Thread Amedeo Mantica via Webobjects-dev
I use this library

https://github.com/auth0/java-jwt 

The Apple public keys for verification are here:

https://appleid.apple.com/auth/keys 

Amedeo



> On 2 Jun 2020, at 14:41, Jesse Tayler via Webobjects-dev 
>  wrote:
> 
> 
> 
>> On Jun 1, 2020, at 9:40 PM, Ray Kiddy  wrote:
>> 
>> 
>> Somebody comes in to the app, I get their e-mail address and send them an 
>> "invite" into the app. This is exactly as secure as any password-storage 
>> system that uses e-mail to reset passwords
> 
> 
> This means the user has to invoke a new session by getting a link in email 
> each time they access? 
> 
> I suppose that link cannot be shared since it expires?
> 
> I mean it sounds interesting, I am interested in what is going on with your 
> suggestion.
> 
> Just seems like sending around links that allow people to enter directly has 
> various dangers and complexities itself, and I wonder what the resulting 
> experience is and what the level of security is. 
> 
> Isn’t this technically pushing the password back to your email login and 
> isn’t that really no different than the O-Auth or Apple sign in? 
> 
> Apple sign in is preferable to users because it is easy and doesn’t offer 
> private information to the site, Facebook login seems the same but is 
> reversed. Facebook login is there to let Facebook see where you login and 
> when so it can sell that data to advertisers.
> 
> The idea of not using passwords at all is interesting, but I’m not sure this 
> would be what I’m thinking about.
> 
> I’m going to guess this is not a bank, but what sort of service uses this 
> email authentication and why was it implemented?
> 
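The check Amedeo points at, as an added example that is neither his code nor a sample from the library: it fetches the Apple signing key whose `kid` matches the token header from the keys URL above (using auth0's companion jwks-rsa library, an assumed dependency alongside java-jwt), pins RS256, lets java-jwt verify signature, issuer, audience and expiry, and then binds the token to the login attempt by nonce. The class name and the `clientId` and `expectedNonce` parameters are assumptions.

```java
// Added example (not Amedeo's code): validating a Sign in with Apple identity token.
import com.auth0.jwk.Jwk;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.JwkProviderBuilder;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.interfaces.RSAPublicKey;
import java.util.concurrent.TimeUnit;

public final class AppleIdTokenVerifier {
    private static final String APPLE_ISSUER = "https://appleid.apple.com";
    private static final String APPLE_KEYS = "https://appleid.apple.com/auth/keys";

    private final String clientId;   // your Services ID / bundle id: the token's expected "aud"
    private final JwkProvider keys;

    public AppleIdTokenVerifier(String clientId) throws Exception {
        this.clientId = clientId;
        // Apple rotates keys, so cache by kid and rate-limit refetches: a flood of tokens
        // with unknown kids must not turn this verifier into a JWKS-endpoint hammer.
        this.keys = new JwkProviderBuilder(new URL(APPLE_KEYS))
                .cached(10, 24, TimeUnit.HOURS)
                .rateLimited(10, 1, TimeUnit.MINUTES)
                .build();
    }

    /**
     * Returns Apple's stable user identifier ("sub") if the token is genuine, else throws.
     * expectedNonce is the nonce this server issued for this login attempt, in the form the
     * client sent it to Apple (raw in the web flow; its SHA-256 hex on native iOS clients).
     */
    public String verify(String identityToken, String expectedNonce) throws Exception {
        DecodedJWT unverified = JWT.decode(identityToken);   // header read only; nothing trusted yet
        Jwk jwk = keys.get(unverified.getKeyId());           // Apple's key for this "kid"
        Algorithm rs256 = Algorithm.RSA256((RSAPublicKey) jwk.getPublicKey(), null);

        JWTVerifier verifier = JWT.require(rs256)  // algorithm is pinned: "alg":"none" is rejected
                .withIssuer(APPLE_ISSUER)
                .withAudience(clientId)           // a token minted for another app cannot log in here
                .acceptLeeway(60)                 // seconds of tolerated clock skew on exp/iat
                .build();
        DecodedJWT jwt = verifier.verify(identityToken);      // signature, iss, aud, exp checked here

        // Bind the token to this attempt so a captured token cannot be replayed into a new session.
        String nonce = jwt.getClaim("nonce").asString();
        if (nonce == null || !MessageDigest.isEqual(
                nonce.getBytes(StandardCharsets.UTF_8),
                expectedNonce.getBytes(StandardCharsets.UTF_8))) {
            throw new JWTVerificationException("nonce mismatch");
        }
        return jwt.getSubject();
    }
}
```

The `sub` value, not the e-mail claim, is the key to store against the local account, since the e-mail Apple returns may be a private relay address the user can revoke later.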


Re: Sign in with apple?

2020-06-02 Thread Jesse Tayler via Webobjects-dev


> On Jun 1, 2020, at 9:40 PM, Ray Kiddy  wrote:
> 
> 
> Somebody comes in to the app, I get their e-mail address and send them an 
> "invite" into the app. This is exactly as secure as any password-storage 
> system that uses e-mail to reset passwords


This means the user has to invoke a new session by getting a link in email each 
time they access? 

I suppose that link cannot be shared since it expires?

I mean it sounds interesting, I am interested in what is going on with your 
suggestion.

Just seems like sending around links that allow people to enter directly has 
various dangers and complexities itself, and I wonder what the resulting 
experience is and what the level of security is. 

Isn’t this technically pushing the password back to your email login and isn’t 
that really no different than the O-Auth or Apple sign in? 

Apple sign in is preferable to users because it is easy and doesn’t offer 
private information to the site, Facebook login seems the same but is reversed. 
Facebook login is there to let Facebook see where you login and when so it can 
sell that data to advertisers.

The idea of not using passwords at all is interesting, but I’m not sure this 
would be what I’m thinking about.

I’m going to guess this is not a bank, but what sort of service uses this email 
authentication and why was it implemented?



Re: Sign in with apple?

2020-06-01 Thread Aaron Rosenzweig via Webobjects-dev
You make a good point Ray - about using a password-less system - and you can do 
that with Auth0 and Okta too:

https://auth0.com/docs/connections/passwordless

https://www.okta.com/passwordless-authentication/

But there are drawbacks with that too: 
https://www.helpnetsecurity.com/2019/07/18/true-passwordless-authentication/

Given that you may want to authenticate someone with a password they already 
know… the “win” of letting them use Apple, Facebook, etc. is that they 
don’t have to manage yet-another-password. 

While it seems like a “win”, I listened to Chris at scotch.io 
<http://scotch.io/> talk about it being “fun” to add Apple, Facebook, etc. 
logins to his sites. He got like 300% more signups but then… very few of those 
actually paid for his services. He stated it as: easy sign-up just means 
people quickly look around but aren’t really serious. 
AARON ROSENZWEIG / Chat 'n Bike <http://www.chatnbike.com/>
e:  aa...@chatnbike.com  t:  (301) 956-2319



> On Jun 1, 2020, at 9:40 PM, Ray Kiddy via Webobjects-dev 
>  wrote:
> 
> What problem are you trying to solve? Are you wanting to not store passwords? 
> Even if you use a third-party solution, you are still going to store 
> user-specific configuration information, yes? Or are you handing all of that 
> to Apple?
> 
> I have apps that are secure and I do not store passwords.
> 
> Somebody comes in to the app, I get their e-mail address and send them an 
> "invite" into the app. This is exactly as secure as any password-storage 
> system that uses e-mail to reset passwords. Do I have to worry about the 
> security of my password tables? No. Do I have to worry about whether I have 
> picked the right encryption? No. Do I have to worry about whether I have 
> salted the passwords correctly? No. Do I have to make people store their 
> 327th password? No. Because I do not use passwords.
> 
> I can even use 2FA on top of that.
> 
> The real problem with using systems like AppleID or Facebook authentication 
> is that gives people an illusion of security while creating a single, 
> incredibly massive point of failure. So why do that?
> 
>  - ray
> 
> 


Re: Sign in with apple?

2020-06-01 Thread Ray Kiddy via Webobjects-dev
What problem are you trying to solve? Are you wanting to not store 
passwords? Even if you use a third-party solution, you are still going 
to store user-specific configuration information, yes? Or are you 
handing all of that to Apple?


I have apps that are secure and I do not store passwords.

Somebody comes in to the app, I get their e-mail address and send them 
an "invite" into the app. This is exactly as secure as any 
password-storage system that uses e-mail to reset passwords. Do I have 
to worry about the security of my password tables? No. Do I have to 
worry about whether I have picked the right encryption? No. Do I have to 
worry about whether I have salted the passwords correctly? No. Do I have 
to make people store their 327th password? No. Because I do not use 
passwords.


I can even use 2FA on top of that.

The real problem with using systems like AppleID or Facebook 
authentication is that gives people an illusion of security while 
creating a single, incredibly massive point of failure. So why do that?


 - ray


On 5/31/20 5:35 AM, Jesse Tayler via Webobjects-dev wrote:

I thought to myself, say — I should support "Sign in with Apple" — and 
wondered if anyone has experiences they’d like to share about integrating with your 
WO Apps??




Re: Sign in with apple?

2020-05-31 Thread Jesse Tayler via Webobjects-dev
That sounds sensible...

> On May 31, 2020, at 7:04 PM, Amedeo Mantica  wrote:
> 
> I did it using a Java library, not a WO project, but this doesn’t matter. You 
> just need a JWT token validation library. I’ll post it tomorrow. 
> Amedeo
> 
> Sent from my iPhone
> 


Re: Sign in with apple?

2020-05-31 Thread Amedeo Mantica via Webobjects-dev
I did it using a Java library, not a WO project, but this doesn’t matter. You 
just need a JWT token validation library. I’ll post it tomorrow. 
Amedeo

Sent from my iPhone

> On 31 May 2020, at 17:31, Jesse Tayler via Webobjects-dev 
>  wrote:
> 
> 
> 
> Indeed.
> 
> And I can see why without too much trouble right here... reminds me of APNS 
> which I initially did by hand in JAVA but later so many services just worked 
> so much better...
> 
> I’ll fish around and report if I learn anything interesting, but it does seem 
> likely this would be the intelligent sort of route one would take.
> 
> 


Re: Sign in with apple?

2020-05-31 Thread Jesse Tayler via Webobjects-dev

Indeed.

And I can see why without too much trouble right here... reminds me of APNS 
which I initially did by hand in JAVA but later so many services just worked so 
much better...

I’ll fish around and report if I learn anything interesting, but it does seem 
likely this would be the intelligent sort of route one would take.


> On May 31, 2020, at 11:20 AM, Aaron Rosenzweig  wrote:
> 
> It’s a good question Jesse. Seems more people these days are paying a small 
> fee to people who have perfect solutions we can use immediately. Auth0 and 
> Okta come to mind but there are a plethora of choices.
> 
> https://auth0.com/blog/try-sign-in-with-apple-in-your-auth0-apps-today/
> 
> https://developer.okta.com/blog/2019/06/04/what-the-heck-is-sign-in-with-apple
> 
> https://auth0.com/docs/quickstart/webapp/java/01-login
> 
> https://developer.okta.com/code/java/
> 
> AARON ROSENZWEIG / Chat 'n Bike <http://www.chatnbike.com/>
> e:  aa...@chatnbike.com  t:  (301) 956-2319


Re: Sign in with apple?

2020-05-31 Thread Aaron Rosenzweig via Webobjects-dev
It’s a good question Jesse. Seems more people these days are paying a small fee 
to people who have perfect solutions we can use immediately. Auth0 and Okta 
come to mind but there are a plethora of choices.

https://auth0.com/blog/try-sign-in-with-apple-in-your-auth0-apps-today/

https://developer.okta.com/blog/2019/06/04/what-the-heck-is-sign-in-with-apple

https://auth0.com/docs/quickstart/webapp/java/01-login

https://developer.okta.com/code/java/

AARON ROSENZWEIG / Chat 'n Bike <http://www.chatnbike.com/>
e:  aa...@chatnbike.com  t:  (301) 956-2319



> On May 31, 2020, at 8:35 AM, Jesse Tayler via Webobjects-dev 
>  wrote:
> 
> 
> I thought to myself, say — I should support "Sign in with Apple" — and 
> wondered if anyone has experiences they’d like to share about integrating 
> with your WO Apps??
> 
> 


Sign in with apple?

2020-05-31 Thread Jesse Tayler via Webobjects-dev

I thought to myself, say — I should support "Sign in with Apple" — and 
wondered if anyone has experiences they’d like to share about integrating with 
your WO Apps??

