Authorization and user data

    I think many have already managed to get acquainted with the wonderful OpenID technology, which has been gaining momentum lately. After all, it really is a good idea: why register on a hundred sites, typing in the same data each time, if you can register on one site and then log in through it on the others?


    Everything would be fine, but the trouble is that they built the single sign-on technology without standardizing the user data transmitted with it, so the result is a soup: the login form now looks rather unattractive with its huge list (I exaggerate, of course) of OpenID servers, and for every one of them something extra has to be implemented. In short, this is a minus that I think everyone has already noticed.

    What is also unpleasant, so to speak, is the sheer number of these OpenID servers, which appear in different sets on different sites. And, by the way, many services are trying to bolt their own special features onto OpenID; ya.ru, for example, wants to add a trust index based on the activity of its users ( source ).

    Everyone around is talking about the need for centralization... hmm, yes, in general the thought is correct, but the key question is centralization of what and where? You can collect all the data of all users on one server, which is a fine catch for hackers. Or you can simply collect all of a user's data in one place and move it to a computer the user actually uses, or to a personal host, though a computer is of course better.

    And here is how I see the future of such a program:
    You install it on your computer and fill it with whatever data you want about yourself (from the most commonplace, such as name, date of birth, nickname and so on, to education, work, preferences, etc., etc.); the program stores all of it in encrypted form under a master password. Then you go to an interesting site to look for work, say hh.ru, and want to register on it. Registration as such should no longer exist there; you just press Login and log in. In the program, let's call it a "local passport", you mark which fields to hand over automatically and for which to ask your permission. Suppose, for authorization, the site asked for a nickname, name, etc. and an email address; the program handed them over, your record was created on the server, you received an email confirming the address, you activated it and happily logged into your account. You are invited to fill out a resume: nothing could be easier! You click to create a resume and see a prompt from the program: "The site has requested information about education, work, etc."; you answer "confirm the transfer of data". Voila, the resume is filled in. Then, for the full effect, you go to livehh.ru, their community, and fill in photos, interests, etc. without typing in a single piece of data. Great, the internet profile is complete. A month passes, you have been hired, and you go back to the site; the data in your local passport has already been updated, say, earlier. The site asks you to update the data it holds, and you can allow this in several modes: allow / do not allow, and for each option choose only now / always.

    Authorization essentially remains the same OpenID, over the OAuth protocol, but we gain a standardized structure of user information that sites know about and can request, offline storage of the data that is far more convenient to edit directly on the computer and to synchronize with other devices, and no dependence on somebody's supposedly very reliable services. At the same time it remains possible to check with a CAPTCHA that a person is not a bot, and so on. That is, in fact, little changes, and such a solution could be integrated almost unnoticed and without much effort.
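    To make the consent flow above concrete, here is an added example (not code from the author's planned program): a minimal model of the "local passport" release policy, with per-field "automatic / ask" settings and per-site "only now / always" answers. The field names, policies, site names and sample values are constructed for illustration; encryption of the store under a master password is left out.

```python
from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    AUTO = "auto"  # hand the field over without asking the owner
    ASK = "ask"    # ask the owner, unless an "always" answer for this site is stored


@dataclass
class LocalPassport:
    data: dict                        # field name -> value (encrypted at rest in the real design)
    policy: dict                      # field name -> Policy
    remembered: dict = field(default_factory=dict)  # (site, field) -> remembered allow/deny

    def request(self, site, fields, decide):
        """A site asks for `fields`. For ASK fields, `decide(site, field)` returns the
        owner's answer as (allow, always). Only released fields are returned."""
        released = {}
        for name in fields:
            if name not in self.data:
                continue                                   # nothing stored: nothing to give
            if self.policy.get(name, Policy.ASK) is Policy.AUTO:  # unknown policy defaults to ASK
                released[name] = self.data[name]
                continue
            key = (site, name)
            if key in self.remembered:                      # an earlier "always" answer applies
                allow = self.remembered[key]
            else:
                allow, always = decide(site, name)
                if always:
                    self.remembered[key] = allow
            if allow:
                released[name] = self.data[name]
        return released


def demo():
    """Walk through the hh.ru scenario from the post with constructed sample data."""
    lp = LocalPassport(
        data={"nick": "ivan", "name": "Ivan", "email": "ivan@example.com",
              "education": "MSU", "work": "ACME"},
        policy={"nick": Policy.AUTO, "name": Policy.AUTO, "email": Policy.AUTO,
                "education": Policy.ASK, "work": Policy.ASK})
    # Login: only AUTO fields are requested, so the owner is never prompted.
    reg = lp.request("hh.ru", ["nick", "name", "email"], decide=lambda s, f: (False, False))
    # Resume: owner confirms education "always" and work "only now"; "phone" is not stored.
    answers = {"education": (True, True), "work": (True, False)}
    resume = lp.request("hh.ru", ["education", "work", "phone"], decide=lambda s, f: answers[f])
    # A month later the site asks again: education is remembered, work is asked and denied.
    update = lp.request("hh.ru", ["education", "work"], decide=lambda s, f: (False, False))
    return reg, resume, update
```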

    I am already planning and designing this program; it will be open source and hosted on SourceForge, so if anyone wants to join the development, you are welcome to PM me.

    Of course, there are a lot of problems, but first of all the main task must be clearly understood: developing a local data store. For now there is no talk of fighting spammers, data validation, trust ratings and so on, which some of you have already managed to write about in reply, though of course these problems can and will need to be thought about.

    Sooner or later the Internet will come to a similar method of authorization, so you can hope for pleasant surfing in the future and for your own small contribution to the technology of the coming years. And it is simply interesting to do something useful.

    I will be glad of comments, questions and discussion of the proposed model; I especially welcome constructive criticism.

    PS Before offering an "analogue", please read the proposal carefully or point out what is unclear in it. I would like to discuss precisely this proposal, not all the existing "analogues" :)
