undefined | Better HN

0 pointstscs379y ago0 comments

A possible solution would be a DNS TXT entry (some with custom mail domains will have some sort of access to their DNS), which Portier could look up and use to determine if the service supports some form of OAuth.

Alternatively, if DNS is not applicable, users could use filters and autoresponders to send back an automatic response with some code.

In theory that would basically mean "Portier sends Login Mail" -> "Login Mail gets bounced via filter with additional code" -> "Portier constructs OAuth Link" -> "Portier sends OAuth back"

0 comments

Vendan9y ago

An auto responder wouldn't have access to the user that made the request's cookies, and therefore would be unable to actually authenticate the user. You'd wind up with a system where anyone that knew your email would be able to log in as you, which is a rather bad idea.

tscs37OP9y ago

The autoresponder is more of a "This domain accept OAuth" and sends back the email body.

That way, the autoresponder doesn't need to know anything about the process nor does it authenticate the user.

It merely sends back a mail that portier can interprete as "Ok, I send an auth email there and this response means they want me to construct an oauth link to this domain"

it's stateless and only requires a rather simple autoresponder that can include email bodies.

Furthermore, portier can also verify the login link, so that replay attacks aren't feasible and the sender and link-owner must have matching emails.

fourbnine9y ago

Email filters and autoresponders are a bit convoluted to expect wide adoption. A TXT record might work though. Is a referral in a TXT record any worse from a security perspective than a referral in an MX record?

tscs37OP9y ago

Manipulating DNS is sadly very easy, but a TXT record of this type should be better than a MX record, as long as a oauth signin also contains a normal login link.

In this case, the worst-case is an attacker injecting a TXT record to force OAuth logins via that domain... which is a bit pointless as far as I can see, it either won't work or use the victim's own oauth service, for which they are responsible themselves IMO.

j / k navigate · click thread line to collapse

0 comments

Vendan9y ago

tscs37OP9y ago

The autoresponder is more of a "This domain accept OAuth" and sends back the email body.

That way, the autoresponder doesn't need to know anything about the process nor does it authenticate the user.

It merely sends back a mail that portier can interprete as "Ok, I send an auth email there and this response means they want me to construct an oauth link to this domain"

it's stateless and only requires a rather simple autoresponder that can include email bodies.

Furthermore, portier can also verify the login link, so that replay attacks aren't feasible and the sender and link-owner must have matching emails.

fourbnine9y ago

tscs37OP9y ago

Manipulating DNS is sadly very easy, but a TXT record of this type should be better than a MX record, as long as a oauth signin also contains a normal login link.

j / k navigate · click thread line to collapse