I'm confused, is the SSP server the SQRL server or the Web Server?


the7erm

Member
Jun 13, 2019
7
1
TLDR: If the SQRL client has to connect the SQRL server what port is that supposed to be? Is the SQRL Server supposed to be listening on 2 different ports at the same time, 1 for SQRL client connections and one for Web Server (private:55219) connections? What box in the image is the SSP server? Is it the Web Server or the SQRL server?

I'm reading: https://www.grc.com/sqrl/sspapi.htm and I'm very confused.

In particular, it's the communication between the SQRL Server and SQRL Client.

This is stated:

API Parameter Notes
As noted above, the five web server to SSP server queries must be private and accessible only to the web server. This can be easily accomplished in any number of ways. The SSP private service might be bound to a network interface on a private, internal, non-public network. Or the SSP service could be bound to a non-standard firewalled port (55219 is the recommended default) with the assurance that this port is not publicly available. Alternatively or additionally this could be arranged by having the SSP API server check the IP address of the requesting machine to ensure that it is the related web server, or that the query is coming from a machine on a non-routable (private) IP network.
What confuses me is the notes state that the SSP (SQRL server, I'm guessing here) should only be accessible from a firewalled port from the web server, e.g., the web server should be the only thing able to connect to the SQRL server. Yet the image shows the SQRL client connecting to it.

I watched the network traffic in the browser's network tab, and it seems all the requests that are designated SSP in the spec are going to the Web Server, which confuses me even more. It's like the Web Server is the SSP, but the page has a section "Web Server to SSP Server", which makes me think the SSP server is the SQRL Server.

Steve

Administrator
Staff member
May 6, 2018
992
290
www.grc.com
@the7erm : It's probably confusing because it's not really part of the SSP API spec.

There are two "logical" service processes: A web server serving web pages and a SQRL server handling queries from SQRL clients.

So, for example, the web server might be on "grc.com" and the SQRL server might be on "sqrl.grc.com".
Or, the web server might be on "grc.com" and the SQRL server might be on "grc.com:81" (a non-80 port).
Since the web server provides the SQRL URL, the URL can be whatever domain and port the system chooses to use for the SQRL server.

The SQRL server =must= have a public-facing presence so that it can accept incoming queries from SQRL clients.
And it must also have a protected private interface of some kind so that it can accept SSP API queries from its affiliated web server.

Steve

Administrator
Staff member
May 6, 2018
992
290
www.grc.com
What confuses me is the notes state that the SSP (SQRL server I'm guessing here) should only be accessible from a firewalled port from the web server eg: The Web server should only be able to connect to the SQRL server. Yet the image shows the SQRL client connecting to it.
I hope what I wrote above was useful and clarifying. The SQRL Server (SSP) needs to have TWO services exposed. One public (and HTTPS/TLS with a cert) and a second that's private and can be HTTP without any cert, since it's the private SSP API "back channel" between the web server and the SSP API.

the7erm

Member
Jun 13, 2019
7
1
The SQRL server =must= have a public-facing presence so that it can accept incoming queries from SQRL clients.
And it must also have a protected private interface of some kind so that it can accept SSP API queries from its affiliated web server.
Thanks that cleared it up.

Jeffa

Well-known member
May 20, 2018
133
49
I hope what I wrote above was useful and clarifying. The SQRL Server (SSP) needs to have TWO services exposed. One public (and HTTPS/TLS with a cert) and a second that's private and can be HTTP without any cert, since it's the private SSP API "back channel" between the web server and the SSP API.
Does the back channel have to be on a private connection even if it is TLS?

Or could it be over the internet if it was protected with TLS?

the7erm

Member
Jun 13, 2019
7
1
Does the back channel have to be on a private connection even if it is TLS?
Depends what you mean by back channel.

If you mean SQRL Client <-> SQRL Server - Yes
If you mean Web Server <-> SQRL Server - No

At least that's how I understand it, but keep in mind I'm Mr. Newbie and might build a Python SQRL Server.

Steve

Administrator
Staff member
May 6, 2018
992
290
www.grc.com
Does the back channel have to be on a private connection even if it is TLS?

Or could it be over the internet if it was protected with TLS?
The way to think of the SSP API is as follows:

Let's think of, and call, the SSP API "the SQRL server." So we have a "SQRL server" and a "web server".

To the public, the SQRL server provides SQRL URLs and QR codes to the user's web browser.
The SQRL server also replies to the periodic page-update probes generated by JavaScript on the user's sign-in page.

The SQRL URL that the SQRL server provides to the web browser refers SQRL clients back to itself.
So SQRL clients interact with the SQRL server with the SQRL protocol.

So, that's all the public side.

The SQRL server also offers a set of private services to the web server which must not be publicly exposed. This allows the web server to query the SQRL server with a CPS token it has received from its web browser to look up the SQRL user and possibly the web site's account ID. And other queries allow the web server to add, remove, list, and perform other operations on the SQRL server's database.

So, yes... THOSE queries may or may not be TLS, but they must only be available to the web server.
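As an added illustration of the two-interface arrangement Steve describes (this is example code, not code from GRC, the SSP API page, or any SQRL server project): a minimal Python sketch of the private "back channel" listener, bound to loopback on the page's recommended default port 55219 and applying the peer-address check the API parameter notes mention. The public TLS listener is represented only by its bind address; port 443, the handler and function names, and the use of Python's standard ipaddress module for the non-routable test are this example's assumptions.

```python
import ipaddress
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Set

# One logical SQRL (SSP) server exposes two listeners. 55219 is the page's
# recommended private default; 443 for the public TLS side is assumed here.
PUBLIC_BIND = ("0.0.0.0", 443)        # HTTPS: browsers' probes and SQRL clients
PRIVATE_BIND = ("127.0.0.1", 55219)   # loopback only: web server back channel


def private_peer_allowed(peer_ip: str, web_server_ips: Optional[Set[str]] = None) -> bool:
    """Decide whether a back-channel request may be served.

    Both checks named in the spec's parameter notes are applied: the peer must
    be on a non-routable (private or loopback) address, and, when the operator
    lists the affiliated web server's addresses, the peer must be one of them.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False                      # malformed address: never serve it
    if not (addr.is_private or addr.is_loopback):
        return False                      # reject anything publicly routable
    if web_server_ips is not None and peer_ip not in web_server_ips:
        return False                      # private, but not our web server
    return True


class PrivateApiHandler(BaseHTTPRequestHandler):
    """Handler for the private listener only; it refuses peers that fail the check."""
    web_server_ips: Optional[Set[str]] = None   # operator-configured allow list

    def do_GET(self):
        peer = self.client_address[0]
        if not private_peer_allowed(peer, self.web_server_ips):
            self.send_error(HTTPStatus.FORBIDDEN, "back channel is not public")
            return
        # The web server's CPS lookup / add / remove / list queries would be
        # dispatched here; this sketch only acknowledges an allowed peer.
        self.send_response(HTTPStatus.OK)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok\n")


def make_private_listener(web_server_ips: Optional[Set[str]] = None) -> HTTPServer:
    PrivateApiHandler.web_server_ips = web_server_ips
    return HTTPServer(PRIVATE_BIND, PrivateApiHandler)   # binds loopback:55219 only


if __name__ == "__main__":
    make_private_listener({"127.0.0.1"}).serve_forever()
```

Binding to loopback and checking the peer address are belt-and-braces; either alone matches what the spec describes, and a web server on another host would replace the loopback bind with the internal interface's address.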

JJasonClark

New member
Jul 1, 2019
4
0
Is the SSP like an OAuth identity provider? Something similar to what Auth0 does? Or Google auth? Or AWS Cognito? Etc...

It looks like it is possible to use these services with a custom auth provider to exchange the SQRL login token (CPS) for a JWT, which these services can then authorize on each request.

PHolder

Well-known member
May 19, 2018
918
124
I'm not up on the intricacies of OAuth but the basic premise is that the website has an identifier for a user and the SSP has the user IDK (public key) as an identifier, and the interaction between the two can exchange one for the other. It would be interesting to attempt to use a SQRL IDK as an input to OAuth somehow, which would allow a mapping from a SQRL user's identity to whatever a site already supporting OAuth would want.

shanedk

Well-known member
May 20, 2018
317
86
I believe I recall Rasmus saying he set up this forum's SQRL login using XenForo's OAuth hooks.

Steve

Administrator
Staff member
May 6, 2018
992
290
www.grc.com
@shanedk : I believe that it was actually one level of abstraction back from OAuth. XenForo has this notion of "Connected Accounts." I believe they do this so that it's possible, for example, to add the forums to an existing website and rely upon that website's existing logon/authentication/identity. So the various OAuth providers use this "connected accounts" system, as does Rasmus... so it's more alongside OAuth than on top of it. :)