Using Distributed Authentication

Drupal distributed authentication is a way to save site users the extra steps of creating redundant accounts on multiple sites. With distributed authentication, users can register on one site, and then use an extended version of their login information to log in to any site that supports Drupal distributed authentication. This is not only convenient for users, but it's also useful in situations where sites want to maintain a shared user base but not a shared database.

When logging in to a Drupal site using distributed authentication, your username takes on an extended form that includes the site that is expected to do the actual authenticating. The extended username takes the form username@www.domain.com. For example, if Bob is a registered user at www.bobs-site.org with the username bob, his extended username is bob@www.bobs-site.org, and his password remains unchanged. When Bob uses this extended username to log in to another Drupal-powered site, that site sends a request to Bob's original site, www.bobs-site.org, and asks whether a user bob with the password he entered should be authenticated.

You should be aware that the current implementation of distributed authentication raises some security concerns. Someone could alter the code of her site to save a record of the passwords of users who log in. This is true of any web site you visit, not just Drupal. As long as the username and password buy access to that site alone, there is little incentive to do this. If, however, they would allow the malicious person to log in to other sites as well—in this case, any Drupal site that has the Drupal module enabled—the incentive is greater, and so is the potential loss or damage. The attacker would be able to masquerade on those sites using your user identity and execute actions on your behalf.
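The exchange described above (the relying site parsing the extended username and delegating the password check to the home site named in it), as an added illustration that is not Drupal's own code; Python stands in for Drupal's PHP, the `HomeSite` and `RelyingSite` classes and the in-memory directory are assumptions standing in for the real sites and the network request between them.

```python
import hashlib
import hmac
import os

# Added illustration of Drupal-style distributed authentication (not Drupal's
# own code). A direct method call stands in for the request that the relying
# site would send to the home site over the network.

def split_extended_username(extended):
    """'bob@www.bobs-site.org' -> ('bob', 'www.bobs-site.org'); a plain
    username (no '@') is returned with host None, meaning a local account."""
    name, sep, host = extended.rpartition("@")
    if not sep:
        return extended, None
    if not name or not host or any(c in host for c in "/ \\"):
        raise ValueError("malformed extended username")
    return name, host.lower()


class HomeSite:
    """The site that holds the account and does the actual authenticating."""
    def __init__(self, host):
        self.host = host
        self._users = {}          # name -> (salt, password hash)

    def register(self, name, password):
        salt = os.urandom(16)
        self._users[name] = (salt, self._hash(password, salt))

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def verify(self, name, password):
        """Answer the relying site's question: is name/password valid here?"""
        rec = self._users.get(name)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, self._hash(password, salt))


class RelyingSite:
    """A site that accepts user@home-host logins by asking the home site."""
    def __init__(self, host, directory):
        self.host = host
        self.directory = directory   # home host -> HomeSite (assumed lookup)

    def login(self, extended, password):
        name, home = split_extended_username(extended)
        if home is None or home == self.host:
            return False             # local accounts are out of scope here
        # Security point from the text: at this moment the relying site holds
        # the user's plaintext password, so it must be trusted not to keep it.
        home_site = self.directory.get(home)
        return home_site is not None and home_site.verify(name, password)
```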
