Ask HN: What would be requirements for the ideal SSO implementation?

1 point

9 years ago

There are currently Facebook SSO, Google+ SSO, and others. You can choose to "Sign in with Facebook" for example. Skipping essentially the email verification step during registration on a website.

But this then links your social media profile with whatever website you are using, which may not be ideal. Often they superfluously gain access to your contacts, likes, or other personal information.

Yet SSO is still popular so how ca we build a better one, what would a "good" SSO solution look like?

Likely all you want is a centralized place where password resets can be performed. Account management such as username, would be handled by the application you are accessing.

In order to prevent applications from harvesting your email address and password the login form would be loaded on a separate page. With your application's service key as a query parameter. Where a redirect back to the application is performed upon successful login.

The host application would need to query an API upon loading of that url to ensure you are logged in, and if so thus perhaps setting a cookie for the user? So session management would also be performed at that point by the application.

I suppose the email address of the user would optionally be offered to the application upon successful login so that things such as email notifications would be possible. Trying to get a grasp of how simple SSO could be and the minimum possible set of implementation details. No flash or dazzle, a single centralized account and authentication.

I've performed some searching online about this topic but it's bogged down with countless articles about how to implement one of the existing solutions.

This is intended to be a thought exercise and not directly a call for yet another SSO implementation (although maybe it could be).