SQRL OAuth 2.0 Provider
- Thread starter josecgomez
- Start date
- Watchers 17
Yes anything that supports OAuth2 can use this to login using SQRL
Also @happyseagull the Site automatically generates “random” user info for you which you are free to keep and use.
So when that edit user info screen comes up you can leave it as is, save and move on.
SQRL can still be linked to your twit real account and the OAuth site gets nothing
Update 1/3/2019:
Fixed a few bugs including the ability to Lock / Unlock the SQRL account.
Fixed a few bugs including the ability to Lock / Unlock the SQRL account.
Hi @josecgomez , first of all thank you for producing sqrloauth, it sounds as though it will solve the problem I'm having with using SQRL to log into various sites, however I can't find any documentation on it at all. Do you have a link to it by any chance?
It probably doesn'thelp that I've never used OAUTH before either, however I seem to be stuck with the most basic of issues such as how to create an account at sqrloauth.com, what to use as the Authorize URL in my application etc.
If it helps the particular app I'm trying to use SQRL with at the moment is Gitea which does have oauth 2 support.
Thanks,
Nick
It probably doesn'thelp that I've never used OAUTH before either, however I seem to be stuck with the most basic of issues such as how to create an account at sqrloauth.com, what to use as the Authorize URL in my application etc.
If it helps the particular app I'm trying to use SQRL with at the moment is Gitea which does have oauth 2 support.
Thanks,
Nick
Last edited by a moderator:
It's probably not working, but it's hard to know precisely what you're doing from just that pic. My experience (last time I tried) is it works for pre-existing users, but new users were unable to sign up at all. I thought Jose was aware of this, and was going to look into it, but there hasn't been any update/progress in months, so far as I know.
How is Oauth different from Oauth2? (when using SQRL)
OAuth - Wikipedia
Has anyone in this community actually been able to set up Steve G’s SQRL with Matrix or their own home NAS?
Or as the auth service on a Synology NAS system to be the SSO server?
Cheers,
Charles
is the site still maintained? login doesn't workUpdate 1/3/2019:
Fixed a few bugs including the ability to Lock / Unlock the SQRL account.
-----------------
Hi All
Over the last couple of weeks, I've been working on a functioning OAuth
2 provider that works with SQRL (Exclusively)
This should in my opinion allow millions of sites (if they chose to) to
adopt SQRL without having to change much on the backend.
I am finally in a pre-alpha release stage and wanted to share it with
everyone here and get some input and thoughts on it.
Following the SQRL moto, I've made it so you can remain pretty anonymous
and still use the service and of course there are really no Secrets to
keep. When you first login I will create a "random" account for you using an account generating API, it is up to you if you want to update change those account details or if you want to remain "anonymous"
It currently implements the basic Authorization Code grant flow and
works fairly well.
I'm planning on releasing it in Beta sometime this week to let whomever
wants to try it play with it.
I run a discourse forum like Leo so I've made sure that it will work
with Discourse out of the box so the community at twit should be able to
start using it (if Leo chooses to) pretty easily.
Anyways here's a quick demo of it in my discourse instance.
(Again, this is still in alpha / pre-alpha so if you go poking around
things may blow up lol but feel free to)
It uses the Ask facility (if available) to act as the Permissions
Granting Screen of OAuth, I thought it was a pretty neat way of putting
the entire permissions structure in SQRL
We also have the ability if we want to, to make each site have a unique
identity though I have that disabled right now, but if you think it
would be worth it, I can certainly make it default. The reason for
disabling it is that managing the accounts could get cumbersome.
I have to give a BIG thanks to @TechLiam and @Jeffa who have been my
sounding board over in slack while I slugged through the protocols and
Faught with the specs.
Also, a zillion thanks to @Paul F who let me use some of his tools like
SQRLView and his command line SQRLClient for troubleshooting.
Seriously SQRLView is an amazing piece of software and it should be
shouted from the rooftops for anyone writing and or dealing with SQRL.
Liam's DotNetCore Middle-ware is also a great piece of open source
engineering and it keeps getting better.
Cheers guys and thanks again, I look forward to some feedback.
Thanks to @Steve for providing this space for testing, enhancements , feature requests and issues. I will be making a write up on how to use it and set it up etc shortly.
Hi "n333" — I just tried logging out and back in with SQRL — worked perfectly for me!
@Steve @n333 @josecgomez Jose's SQRL OAuth site hasn't accepted new registrations in a long time. Jose kept saying he'd check into it, but he's busy, and I don't think he has ever made the time to fix it. It did continue working for registered users, but I stopped using it (because the only site I ever used it with required me to enable TOTP authentication), so I can't even comment if even that still works.
Hi Steve. I tried to register/login at the main TWIT community site (https://www.twit.community) using SQRL. However, it delegates to this https://sqrloauth.com that simply do not create new accounts. I tried both Android and Firefox extension but none worked. It would be nice to ask Leo to use another provider, otherwise, no new members.
in time: on FF, the message that appears it rather non intuitive: only "onPasswdFormSubmit".
in time: on FF, the message that appears it rather non intuitive: only "onPasswdFormSubmit".
SQRLOauth was created and is operated by a third party. There has been no adoption of SQRL by sites directly, so therefore it was a way to maybe support it on some sites, like the TWiT site. Unfortunately there appears to be a bug in the code (it did once work) that has been repeatedly pointed out to the author, and no resolution has occurred. You should assume SQRLOauth in abandoned. With no adoption by any major site operator, SQRL finds itself in an uncomfortable position of limbo.
@josecgomez since you seem too busy to fix it (or too disinterested?) are you willing to open source it and/or transfer the domain to someone else who would have the time and willingness to advance it? I get how it's not really worth the time and energy to work on when no one is using it, but the other side of that coin is if the only user (TWiT) that is using it is failing, it's kind of killing any chance it would otherwise have.
@josecgomez I agree with @PHolder on this. It would really be a huge leap in the right direction since on-boarding this idea to work continuously for new users to utilize in cohesion with the current web sign-in concept. Also has anyone started to tackle to incorporate WebAuthn(FIDO concept) with SQRL(modified version of SQRL)? I heard the 875 Security Now episode and Steve said it could be possible since they both use the 25519 elliptic curve.
I think Steve is a little over ambitious when he says there are developers working on anything SQRL related. Lot's of things could happen, but I don't think many are... there probably haven't been more than 50 posts here in the last year.
@PHolder thanks for the insight. I didn't really notice. I've been researching a lot in web security and was brainstorming some ideas to add-on top of SQRL's premise. One concept I thought about would be to use a TPM(USB ARMORY MKII) that has its own OS(you installed yourself that you trust along with a TRUSTED SQRL client app, as well as the type in password, Rescue Code, etc. stored separately in its own secured environment that;'s encrypted on the device and plug that into any untrusted computer to sign-in. What's your thoughts on this....? I'm very apprehensive when it comes to authentication.