What is this?
An add-on for Mozilla Firefox or Google Chrome, and one ingredient of privacy-protected logins and payments.
This add-on checks each page for "A" tags or "INPUT hidden" tags with the "pp-authorizer" class and prompts the user to follow their links. Using it in the middle of an OAuth flow makes that flow more secure.
Where can you get it?
For Firefox, from its page on AMO (Mozilla Add-ons). For Chrome, from its page on the Chrome Web Store.
I made them according to the WebExtensions standard for browser extensions, so the number of supported browsers should increase in the future.
Problems of anonymous authentication
By letting authentication providers authenticate users on behalf of Internet shops or bulletin board sites, the privacy information those shops and sites must keep can be reduced. The advantage is that users can use Internet shops or bulletin boards even when those sites are less trustworthy. This realizes "anonymous login (privacy-protected login)" and "anonymous payment (privacy-protected payment)".
Processing then has to flow from the bulletin board etc. to the authentication provider, but redirecting from a site that is necessarily less trustworthy to a more trustworthy one carries a danger of impersonation.
To prevent this impersonation, the protocol should not permit automatic redirection from a site of lower reliability to a site of higher reliability. If the less reliable site wants a manual redirection, it should display a message to that effect on the page. All that then remains is a bookmarklet or add-on that follows the link after checking that the link included in the page is correct.
Such an add-on is this PP Authorizer.
Difficulty of introducing the PP Authorizer
OAuth is an implementation example of such anonymous authentication, and OAuth has the problem pointed out above. You can use the PP Authorizer to solve this problem, but for this you need to change the site so that it stops automatic redirection from a site of lower reliability to a site of higher reliability.
In an environment where the PP Authorizer cannot be used, you can urge users to use bookmarklets, but basically this is a change that detracts from users' convenience, so the hurdle to introduction is considered high. The use of the PP Authorizer may be limited to experimental introduction within organizations such as enterprises. The operating principle of the PP Authorizer is very simple, but I am sorry that it is difficult to introduce.
However, the author of this add-on wishes that such functions were installed as standard in browsers, and that all sites stopped the automatic redirection described above. This add-on includes Twitter and Hatena as authentication providers from the beginning, and other authorities, such as bank associations, could make large donations to browser developers so that their authentication provider information is included from the beginning. The author dreams that browser developers thereby acquire abundant development funds.
Registering an authentication provider
Registration of an authentication provider is done either from the add-on's "Options" screen or by loading a .ppauth.js file placed on the net.
The information required for an authentication provider is two items: the name of the authentication provider and the URL the provider uses for authentication. Additionally, the data URL of an icon shown in front of the name can be registered. (Exceptionally, for registration from the "Options" screen, you can specify an icon bundled in the add-on package instead of a data URL.)
A URL is checked by forward (prefix) match, but the character following the registered prefix must be "/", "?" or "&". For example, when the registered URL is "https://example.com/oauth", it matches "https://example.com/oauth/XXXX" or "https://example.com/oauth?XXX=XXX".
When a JSON-format file with the extension .ppauth.js is loaded into the browser from the net, the PP Authorizer asks whether you want to install the authentication provider information it contains. (Note that the extension must be .ppauth.js instead of .ppauth.json because of a restriction of Firefox.) A .ppauth.js file is a JSON file consisting of name, url and iconUrl (optional), like this:
{ "name": "An Example Provider", "url": "http://example.com/oauth", "iconUrl": "data:application/ico;XXXX_VERY_LONG_URL" }
Behavior of the PP Authorizer
You must not redirect users to the authentication provider automatically; instead, display a page containing a link for the manual redirection. The "A" tag of that link should have the "pp-authorizer" class. For example:
.... <a href="https://example.com/oauth?key=XXXX" class="pp-authorizer">Click this link to redirect to the authority.</a> ....
Sometimes you may want to implement the link with a button instead of an "A" tag. In that case, use an "INPUT hidden" tag with the "pp-authorizer" class. For example:
.... <input type="hidden" value="https://example.com/oauth?key=XXXX" class="pp-authorizer" /> ....
It would seem a natural implementation to mark the link with "LINK" tags or "A" tags carrying a rel="pp-authorizer" attribute, and that would be very easy to implement. However, since the HTML 5 standard does not allow free extension of the "rel" attribute, the current implementation was chosen.
The PP Authorizer checks every page the user visits and, if there are "A" tags or "INPUT hidden" tags with the "pp-authorizer" class, informs the user by a pageAction icon in the address bar or by a notification. Clicking the icon displays which of the registered authentication providers are currently available on the page, and clicking one of them redirects to that authentication provider.
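The three pieces of logic described above (the forward match with its "/", "?" or "&" rule, the shape of a .ppauth.js record, and the collection of "pp-authorizer" links from a page) are shown together below as an added example. It is not the PP Authorizer's own source code; the provider list, the candidate-link shape and the validation rules for a .ppauth.js record are constructed assumptions for illustration. The pure functions run in Node, and only the last function touches the browser DOM.

```javascript
// Added example, not the PP Authorizer's source. Constructed provider
// registry in the .ppauth.js shape: name and url required, iconUrl optional.
const PROVIDERS = [
  { name: "An Example Provider", url: "http://example.com/oauth" },
  { name: "Example Bank", url: "https://bank.example/auth",
    iconUrl: "data:image/png;base64,AAAA" },
];

// Validate one .ppauth.js record before accepting it into the registry.
// Assumed rules: name and url are non-empty strings, url is an absolute
// http(s) URL (so a "javascript:" or relative target is rejected), and
// iconUrl, when present, is a data: URL as the page describes.
function isValidProviderRecord(rec) {
  if (!rec || typeof rec !== "object") return false;
  if (typeof rec.name !== "string" || rec.name.trim() === "") return false;
  if (typeof rec.url !== "string" || !/^https?:\/\/\S+$/.test(rec.url)) return false;
  if (rec.iconUrl !== undefined &&
      (typeof rec.iconUrl !== "string" || !rec.iconUrl.startsWith("data:"))) return false;
  return true;
}

// Forward (prefix) match: the candidate must start with the registered URL
// and the next character must be "/", "?" or "&". An exact match (no next
// character) is assumed to be accepted as well.
function matchesProviderUrl(providerUrl, candidate) {
  if (typeof candidate !== "string" || !candidate.startsWith(providerUrl)) return false;
  const next = candidate.charAt(providerUrl.length);
  return next === "" || next === "/" || next === "?" || next === "&";
}

// The registered provider a link points at, or null if it matches none.
function resolveProvider(candidate, providers = PROVIDERS) {
  return providers.find((p) => matchesProviderUrl(p.url, candidate)) || null;
}

// Content-script half, DOM-free: each node is a plain object with the
// attributes of an <a class="pp-authorizer"> or
// <input type="hidden" class="pp-authorizer"> element.
function collectCandidates(nodes) {
  const out = [];
  for (const n of nodes) {
    if (n.tag === "a" && typeof n.href === "string") out.push(n.href);
    else if (n.tag === "input" && n.type === "hidden" && typeof n.value === "string") out.push(n.value);
  }
  return out;
}

// Only links that resolve to a registered provider are offered in the
// popup; anything else on the page is ignored, which is the whole point.
function availableProviders(candidates, providers = PROVIDERS) {
  const found = [];
  for (const href of candidates) {
    const p = resolveProvider(href, providers);
    if (p && !found.some((f) => f.url === href)) found.push({ name: p.name, url: href });
  }
  return found;
}

// Browser glue: read the real DOM into the plain node shape used above.
function scanDocument(doc) {
  const nodes = [];
  for (const el of doc.querySelectorAll("a.pp-authorizer, input.pp-authorizer[type=hidden]")) {
    nodes.push({ tag: el.tagName.toLowerCase(), href: el.getAttribute("href"),
                 type: el.getAttribute("type"), value: el.getAttribute("value") });
  }
  return availableProviders(collectCandidates(nodes));
}

if (typeof document !== "undefined") {
  console.log(scanDocument(document));
}
```

The separation matters for review: everything that decides whether a link is trusted is plain data in, plain data out, so it can be tested without a browser, while the DOM query is the only line that has to be checked against the markup convention on this page.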
Interaction with the PP Interrupter
For the time being there will be no pages that support the PP Authorizer. What should we do then? You can use the PP Interrupter, which realizes a similar behaviour in that you have to click an icon in the address bar before authentication.
The PP Interrupter is a general-purpose add-on that temporarily blocks access to specified URLs and releases the block when you click the icon in the address bar.
What we really want is to prohibit automatic redirection to malicious sites. However, it is difficult to judge whether a redirection leads to a malicious site. So, reversing the idea, we make a habit of temporarily blocking access to a healthy site (the authentication provider), which is easy to identify, so that when a block that should have occurred does not occur, we detect that we have been led to a fraudulent site. The PP Interrupter can be used for that purpose.
The PP Interrupter also blocks access other than automatic redirects. The PP Authorizer and the PP Interrupter cooperate so that the PP Interrupter does not block access started by clicking in the PP Authorizer popup. If access is blocked in that case, the PP Authorizer may have been deleted by mistake from the "Allowing Extensions" item on the PP Interrupter's "Options" screen. If so, click the "New Extension" button on that "Options" screen, enter the following data and save it.
name: PP Authorizer
extension ID: {783dadb1-a4ec-46e7-a6de-26432b3393c2}
If you want to make the URLs blocked by the PP Interrupter into authorities (authentication providers) of the PP Authorizer, click the "Add from PP Authorizer" button on the PP Interrupter's "Options" screen.
Even without the PP Interrupter, it is better for the future of the world that access is stopped, before authentication, on the page that should use the PP Authorizer. The PP Interrupter is a response to present reality, while the PP Authorizer is an investment in the future. Of course, the PP Authorizer works even without the PP Interrupter.
Authorities
This section lists the default authorities (authentication providers) with their ".ppauth.js" files. If you have deleted the default authorities, you can register them again from here, although normally you can use the "Add Defaults" button on the "Options" screen. Since the default authorities differ by locale, it may be necessary to register some of them by hand from here.
Name | File | Locale
Twitter | twitter_oauth.ppauth.js |
Hatena | hatena_oauth.ppauth.js | ja, en
I have not received any donations from Twitter or Hatena in particular, but have registered them as defaults from the start without notice.
If new default authorities are added in a version update, they are added to your registration each time.
This add-on is experimental
Although I have the dream written above, this add-on remains only experimental at the moment. Despite the difficulty of introduction, I am grateful to the users who use it. Even if you do not use it, I appreciate it if you take an interest in this add-on and try to understand the problems it addresses.
Because the author himself does not belong to any particular organization, he has no opportunity to experiment with this add-on. Therefore, updates to this add-on are expected to be prone to stagnation. I ask for your forgiveness.
Opinions and requests are accepted on one page of the author's blog. It is a Japanese site, but you can comment in English. Because it is an individual site, I think there must be many difficulties. I ask for your tolerance.
(This English page was made by sequentially revising the paragraphs produced by Google Translate from the Japanese page.)
License
The author is Japanese.
I intended this program to be public domain, but you may treat this program under the (new) BSD License or under the Artistic License if that is more convenient for you.
Within three months after the release of this program, I especially accept responsibility for making efforts to meet reasonable requests for corrections to this program.
I often have bouts of schizophrenia, but I believe that my intention is legitimately fulfilled.
(On Mozilla's distribution page, the BSD License has been chosen for the sake of clarity, but the license can be loosened as above if you like.)