Integrating SQRL with XenForo
To aid him in his quest of writing an add-on to make XenForo support SQRL, he posted a thread on the XenForo forums asking for advice. To which I replied with ideas and some sample code that I spent an evening on. Soon after we...
I am an avid listener of the podcast Security Now!. A few years ago, one of the hosts of the podcast, Steve Gibson started talking about a new scheme of authentication he was devising. It would eliminate both passwords and the responsibility of storing a secret (e.g. a password) from the server. He has since clarified all details about the protocol and all functionality.
At some point on the roadmap of releasing SQRL to the world, Steve set up a XenForo forum for the 'SQRL Community' and all that was left to do was to actually make XenForo compatible with SQRL because, the official forums of SQRL have got to support SQRL.
To aid him in his quest on writing an add-on to make XenForo support SQRL, he posted a thread on the XenForo forums asking for advice. To which I replied with ideas and some sample code that I spent an evening on. Soon after we were in private dialog and hashed out a strategy to get SQRL onto his XF forums as quickly as possible. Steve decided it was best to abstract away most of SQRL and provide a very clean API to an add-on that I would be writing. More than a month went by and Steve was working on what is now called the SQRL Service Provider API.
Steve sent me a virtual machine with a working demo site and the SSP server installed and I started creating the add-on. I was determined to integrate the add-on as a connected account provider which would allow me to re-use many of the dialogs and forms used for registering, associating, disassociating, and so on. The only trouble was that XF expected all connected account providers to be using OAuth, which far from what SQRL is. I did however manage to override enough functionality to shoe-horn my way in and integrate SQRL as a peer to these other providers saving me a lot of design work.
After sending it over to Steve he let his newsgroup members pound on it which resulted in a few iterations to where we are now. It's been a few days and it is seemingly holding up. Steve is very happy with the result and gave me a shout-out on the podcast, you can skip to 1:52:00 if you don't want to watch it all:
You are welcome to peek at the source code of this add-on in my Git repository: