I'm building some infrastructure so I can get my community server stuff playing nicely with my search engine.
Over the weekend I started prototyping it in the Topic Exchange. Currently there are just two XML-RPC calls:
identity.getToken(login, password)
This takes your login and password, and returns a token.
identity.validateToken(token)
This takes a token, and returns the login id that generated it.
The key concept here is that you can authenticate yourself to a remote server by giving it a token from the Topic Exchange. Tokens are only redeemable once, and expire if not used in 10 minutes. If you get a token that validates, you can be pretty sure that the person who gave it to you owns the userid you got back from the validateToken call.
The first application is proving to a search engine that you own an account on a community server. I'm going to hack this into the Python Community Server, so people can connect to a search engine and validate themselves as members of a community (and thus show up in search results when people search for text published anywhere on the server).
It will become slightly more complicated: the plan is to make it so you can give getToken more info, some sort of cookie, which will be passed back in validateToken. That way a server can give you some info about the type of token it wants, and you can be sure that the token is only valid on that server (preventing the possibility of someone getting a token under false pretenses and passing themselves off as you elsewhere).
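The token exchange described above, including the planned server-bound cookie, as an added Python example (not the Topic Exchange's own code). The class and function names, the `cookie` argument, and the in-memory plaintext account table are assumptions made for illustration.

```python
import hmac
import secrets
import time

TOKEN_TTL = 600  # seconds: the post's 10-minute expiry


class IdentityService:
    """In-memory stand-in for identity.getToken / identity.validateToken."""

    def __init__(self, accounts, clock=time.time):
        self.accounts = accounts  # login -> password (constructed demo data)
        self.tokens = {}          # token -> (login, cookie, issued_at)
        self.clock = clock        # injectable so expiry can be exercised

    def get_token(self, login, password, cookie=""):
        stored = self.accounts.get(login)
        # Constant-time compare; a real service would keep password hashes.
        if stored is None or not hmac.compare_digest(
                stored.encode(), password.encode()):
            raise PermissionError("bad login or password")
        token = secrets.token_urlsafe(32)  # 256 random bits, unguessable
        self.tokens[token] = (login, cookie, self.clock())
        return token

    def validate_token(self, token):
        # pop() removes the token on first presentation, so it is single-use.
        record = self.tokens.pop(token, None)
        if record is None:
            return None
        login, cookie, issued_at = record
        if self.clock() - issued_at > TOKEN_TTL:
            return None  # expired: unused for more than 10 minutes
        return login, cookie


def verify_login(service, token, my_cookie):
    """Relying-server side: accept only tokens minted for this server."""
    result = service.validate_token(token)
    if result is None:
        return None
    login, cookie = result
    # A token obtained for another server carries a different cookie.
    if not hmac.compare_digest(cookie.encode(), my_cookie.encode()):
        return None
    return login
```

The relying server picks the cookie value itself (its own hostname or a per-session nonce), so a token handed to one server is rejected when replayed to another.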
This could trivially be used as the hub for a single sign-on (Passport / Liberty Alliance-like) system. Apparently the OpenIdentity folks have been working on something, which I'm really looking forward to seeing. I wonder if it has much in common?
IMHO the world really needs a single sign-on system that is as trivial for developers to use as RSS and XML-RPC. Let's make this happen ...