128bit.io
2^7 bits of goodness!


Mozilla's BrowserID

By on

If you look around the news you will always hear about some big name that has been hacked and had their password database compromised. In recent news, this has happened to many people like these guys and them, but if you keep looking you’ll find tons more. The topic of security and how you are storing passwords always comes up, but this is not the point of this posting. I wanted to take this time to point out a Mozilla based project which helps in this area. BrowserID is “A better way to sign in” that take use of Mozilla’s service for storing the user’s passwords and lets your application validate the user and log them in.

There are other services like this out there that achieve the same thing, but I feel that BrowserID is easy to setup and the overall flow seems very nice to me. In the end as a Developer I don’t want to be dealing with boring user registration code and passwords validation when I can be writing my application and having fun working on new features. Also, not having that feeling at night right before falling asleep thinking about if your users passwords are safe or not is always nice too! ;)

I coded up a small example about how to use BrowserID with Sinatra. All code can be found on GitHub.

This is the haml index file,

This is the Javascript code which pushed the assertion code to the application’s backend,

This is Sinatra application code.

The overall idea is being able to check the assertion code you get back from the BrowserID server using the Javascript from your front end. This is done by just making a POST request to the BrowserID server with the assertion code. You should get JSON data back telling you if the user is validated or not. Based on this, you can do whatever you need on the backend to log the user in. There are some more options for Persistent Login that lets the user stay logged in to your site based on their signed certificate expiration time. This just gives you more options for managing the user’s login.

If you are wondering if any site are using BrowserID, you will find that Mozilla has switched over to using it (Eating your own dog food) along with OpenPhoto. Also the Drupal community was able to make a module for using BrowserID.

I have an open pull request for the BrowserID Cookbook Repo on Github, so I’m hoping the code will be added soon.

Here are some resources links,

Any feed back is welcome, feel free to comment or fork the code on Github!