SQRL OAuth 2.0 Provider


Urs Rau

New member
Dec 28, 2019
1
0
Stupid question. Does this allow me to login using this OAUTH2 provider that supports SQRL to login to Microsoft O365?
Can I set up such an OAuth2 redirect? (Yes, I am an O365 global admin of my org on the MS tenant.)
 

josecgomez

Member
Aug 6, 2018
24
11
Stupid question. Does this allow me to login using this OAUTH2 provider that supports SQRL to login to Microsoft O365?
Can I set up such an OAuth2 redirect? (Yes, I am an O365 global admin of my org on the MS tenant.)
Yes, anything that supports OAuth2 can use this to login using SQRL.
Also @happyseagull the Site automatically generates “random” user info for you which you are free to keep and use.
So when that edit user info screen comes up you can leave it as is, save and move on.
SQRL can still be linked to your twit real account and the OAuth site gets nothing
 
Reactions: MarkH

nimolabs

New member
Sep 11, 2020
3
0
Hi @josecgomez , first of all thank you for producing sqrloauth, it sounds as though it will solve the problem I'm having with using SQRL to log into various sites, however I can't find any documentation on it at all. Do you have a link to it by any chance?

It probably doesn't help that I've never used OAUTH before either, however I seem to be stuck with the most basic of issues such as how to create an account at sqrloauth.com, what to use as the Authorize URL in my application etc.

If it helps the particular app I'm trying to use SQRL with at the moment is Gitea which does have oauth 2 support.

Thanks,
Nick
 

nimolabs

New member
Sep 11, 2020
3
0
Is this still being maintained at all? It's entirely possible that I'm doing something silly, but still getting an error.
 

Attachments

  • 20210131_134711.jpg

PHolder

Well-known member
May 19, 2018
204
43
It's probably not working, but it's hard to know precisely what you're doing from just that pic. My experience (last time I tried) is it works for pre-existing users, but new users were unable to sign up at all. I thought Jose was aware of this, and was going to look into it, but there hasn't been any update/progress in months, so far as I know.
 

nimolabs

New member
Sep 11, 2020
3
0
Ahh, I'm trying to sign up for the first time, so that must be the problem then.

Thank you for taking the time to reply.
Nick
 

anaman1

New member
Jun 18, 2021
1
0
OAuth is not the preferred solution, it is just the currently available solution. The OAuth protocol requires information because of who originated it (FaceBroke and Google and big companies like that) and they gather info about you when you use it. The provider of the SQRL OAuth is not about this, and will provide the service without requiring real information.

The real solution is for all sites to integrate a native SQRL solution, but that will take time. OAuth support like this is a stopgap until then.
How is Oauth different from Oauth2? (when using SQRL)

Has anyone in this community actually been able to set up Steve G’s SQRL with Matrix or their own home NAS?
Or as the auth service on a Synology NAS system to be the SSO server?
Cheers,
Charles
 

n333

New member
Aug 12, 2021
1
0
Update 1/3/2019:
Fixed a few bugs including the ability to Lock / Unlock the SQRL account.

-----------------
Hi All
Over the last couple of weeks, I've been working on a functioning OAuth
2 provider that works with SQRL (Exclusively)

This should in my opinion allow millions of sites (if they chose to) to
adopt SQRL without having to change much on the backend.

I am finally in a pre-alpha release stage and wanted to share it with
everyone here and get some input and thoughts on it.

Following the SQRL motto, I've made it so you can remain pretty anonymous
and still use the service and of course there are really no Secrets to
keep. When you first login I will create a "random" account for you using an account generating API, it is up to you if you want to update or change those account details or if you want to remain "anonymous"

It currently implements the basic Authorization Code grant flow and
works fairly well.

I'm planning on releasing it in Beta sometime this week to let whomever
wants to try it play with it.

I run a discourse forum like Leo so I've made sure that it will work
with Discourse out of the box so the community at twit should be able to
start using it (if Leo chooses to) pretty easily.

Anyways here's a quick demo of it in my discourse instance.
(Again, this is still in alpha / pre-alpha so if you go poking around
things may blow up lol but feel free to)

It uses the Ask facility (if available) to act as the Permissions
Granting Screen of OAuth, I thought it was a pretty neat way of putting
the entire permissions structure in SQRL

We also have the ability if we want to, to make each site have a unique
identity though I have that disabled right now, but if you think it
would be worth it, I can certainly make it default. The reason for
disabling it is that managing the accounts could get cumbersome.

I have to give a BIG thanks to @TechLiam and @Jeffa who have been my
sounding board over in slack while I slugged through the protocols and
fought with the specs.

Also, a zillion thanks to @Paul F who let me use some of his tools like
SQRLView and his command line SQRLClient for troubleshooting.

Seriously SQRLView is an amazing piece of software and it should be
shouted from the rooftops for anyone writing and or dealing with SQRL.

Liam's DotNetCore Middle-ware is also a great piece of open source
engineering and it keeps getting better.

Cheers guys and thanks again, I look forward to some feedback.

OAuthSqrlDemo.gif


Thanks to @Steve for providing this space for testing, enhancements, feature requests and issues. I will be making a write-up on how to use it and set it up etc. shortly.
is the site still maintained? login doesn't work
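
Added example, not part of the thread and not SQRLOAuth's own code: the announcement quoted above describes an Authorization Code grant provider with an optional unique identity per site. The Python below shows one way a provider could combine the two, with single-use codes bound to the requesting client and a per-client subject derived by HMAC. Every name, URL and the key handling here is an assumption made for illustration.

```python
import hashlib
import hmac
import secrets
import time

PAIRWISE_KEY = secrets.token_bytes(32)  # provider-side secret (constructed for this example)
CODE_TTL = 60                           # seconds an authorization code stays valid
_codes = {}                             # code -> (client_id, redirect_uri, user_id, expiry)


def subject_for(user_id, client_id, pairwise=True):
    """Return the user identifier that a given client site is allowed to see."""
    if not pairwise:
        return user_id  # identical at every site, so sites can correlate the user
    msg = f"{client_id}\x00{user_id}".encode()
    return hmac.new(PAIRWISE_KEY, msg, hashlib.sha256).hexdigest()[:32]


def issue_code(user_id, client_id, redirect_uri):
    """Called after the user has authenticated and approved the request."""
    code = secrets.token_urlsafe(32)
    _codes[code] = (client_id, redirect_uri, user_id, time.time() + CODE_TTL)
    return code


def redeem_code(code, client_id, redirect_uri, pairwise=True):
    """Token-endpoint step: exchange a code for the subject released to this client."""
    entry = _codes.pop(code, None)  # pop makes the code single-use
    if entry is None:
        raise ValueError("unknown or already used code")
    issued_to, issued_uri, user_id, expiry = entry
    if issued_to != client_id or issued_uri != redirect_uri:
        raise ValueError("code was issued to a different client or redirect URI")
    if time.time() > expiry:
        raise ValueError("code expired")
    return {"sub": subject_for(user_id, client_id, pairwise)}


if __name__ == "__main__":
    user = "sqrl-identity-key-1"  # constructed stand-in for the user's key at the provider
    for client, cb in (("forum", "https://forum.example/cb"),
                       ("wiki", "https://wiki.example/cb")):
        code = issue_code(user, client, cb)
        print(client, redeem_code(code, client, cb)["sub"])
```

With `pairwise=False` every client receives the same subject, which is simpler to manage but lets sites link the same user across services.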
 

PHolder

Well-known member
May 19, 2018
204
43
@Steve @n333 @josecgomez Jose's SQRL OAuth site hasn't accepted new registrations in a long time. Jose kept saying he'd check into it, but he's busy, and I don't think he has ever made the time to fix it. It did continue working for registered users, but I stopped using it (because the only site I ever used it with required me to enable TOTP authentication), so I can't even comment if even that still works.
 

Steve

Administrator
Staff member
May 6, 2018
173
70
www.grc.com
@Steve @n333 @josecgomez Jose's SQRL OAuth site hasn't accepted new registrations in a long time. Jose kept saying he'd check into it, but he's busy, and I don't think he has ever made the time to fix it. It did continue working for registered users, but I stopped using it (because the only site I ever used it with required me to enable TOTP authentication), so I can't even comment if even that still works.
Thanks Paul!
 

brmassa

New member
May 18, 2022
2
1
Hi Steve. I tried to register/login at the main TWIT community site (https://www.twit.community) using SQRL. However, it delegates to this https://sqrloauth.com that simply does not create new accounts. I tried both Android and Firefox extension but none worked. It would be nice to ask Leo to use another provider, otherwise, no new members.

In time: on FF, the message that appears is rather non-intuitive: only "onPasswdFormSubmit".
 

PHolder

Well-known member
May 19, 2018
204
43
SQRLOauth was created and is operated by a third party. There has been no adoption of SQRL by sites directly, so therefore it was a way to maybe support it on some sites, like the TWiT site. Unfortunately there appears to be a bug in the code (it did once work) that has been repeatedly pointed out to the author, and no resolution has occurred. You should assume SQRLOauth is abandoned. With no adoption by any major site operator, SQRL finds itself in an uncomfortable position of limbo.
 

PHolder

Well-known member
May 19, 2018
204
43
@josecgomez since you seem too busy to fix it (or too disinterested?) are you willing to open source it and/or transfer the domain to someone else who would have the time and willingness to advance it? I get how it's not really worth the time and energy to work on when no one is using it, but the other side of that coin is if the only user (TWiT) that is using it is failing, it's kind of killing any chance it would otherwise have.
 
Reactions: kb9gxk and brmassa

brmassa

New member
May 18, 2022
2
1
@josecgomez since you seem too busy to fix it (or too disinterested?) are you willing to open source it and/or transfer the domain to someone else who would have the time and willingness to advance it? I get how it's not really worth the time and energy to work on when no one is using it, but the other side of that coin is if the only user (TWiT) that is using it is failing, it's kind of killing any chance it would otherwise have.
As a professional programmer, I can take it.
 
Reactions: kb9gxk

R3V3R53_5H3LL

New member
Feb 3, 2022
2
1
@josecgomez I agree with @PHolder on this. It would really be a huge leap in the right direction since on-boarding this idea to work continuously for new users to utilize in cohesion with the current web sign-in concept. Also has anyone started to tackle to incorporate WebAuthn(FIDO concept) with SQRL(modified version of SQRL)? I heard the 875 Security Now episode and Steve said it could be possible since they both use the 25519 elliptic curve.
 
Reactions: Spinn

PHolder

Well-known member
May 19, 2018
204
43
incorporate WebAuthn(FIDO concept) with SQRL(modified version of SQRL)?
I think Steve is a little over-ambitious when he says there are developers working on anything SQRL related. Lots of things could happen, but I don't think many are... there probably haven't been more than 50 posts here in the last year.
 

R3V3R53_5H3LL

New member
Feb 3, 2022
2
1
@PHolder thanks for the insight. I didn't really notice. I've been researching a lot in web security and was brainstorming some ideas to add on top of SQRL's premise. One concept I thought about would be to use a TPM (USB ARMORY MKII) that has its own OS (you installed yourself that you trust along with a TRUSTED SQRL client app, as well as the type in password, Rescue Code, etc. stored separately in its own secured environment that's encrypted on the device and plug that into any untrusted computer to sign in. What are your thoughts on this? I'm very apprehensive when it comes to authentication.