
Using LDS Account to authenticate users in third party app

Posted: Fri May 15, 2015 7:31 am
by neptunecentury
Hi,
I'm developing an app/website that requires authentication for local church leaders. I would really rather not force members to have to create an account through my own application, but would like to have members authenticate through an already existing LDS Account. Is this possible through something like OAuth?

Reasons for this are:
1. It is more secure as I am not storing their sensitive passwords in my system
2. It is convenient for the member to use an existing account vs creating a new account for my app
3. I don't really want to authenticate with other services like Facebook, etc.

If this is not currently possible because of technological limitations, is this something that can be implemented in the near future?

Thanks!

Re: Using LDS Account to authenticate users in third party a

Posted: Fri May 15, 2015 7:51 am
by eblood66
neptunecentury wrote:If this is not currently possible because of technological limitations, is this something that can be implemented in the near future?

Thanks!

By policy (not necessarily technical limitations) only official church applications can authenticate with and use LDS Account.

I don't have any inside knowledge but the church is very conservative about privacy issues and I doubt that policy will ever change.

Re: Using LDS Account to authenticate users in third party a

Posted: Fri May 15, 2015 8:03 am
by aebrown
neptunecentury wrote:I would ... like to have members authenticate through an already existing LDS Account. Is this possible through something like OAuth?
...
If this is not currently possible because of technological limitations, is this something that can be implemented in the near future?


No. In the wiki article Third-party API for gospel content, we read:
... third-party developers are restricted from using LDS Account, which could give access to membership data. This restriction protects the privacy of membership data (a legal requirement in many countries) and safeguards how membership data is viewed and used.


Although that wiki article is dealing with a different context, the basic principle still holds that the LDS Account can be used only by official Church applications.

Re: Using LDS Account to authenticate users in third party a

Posted: Fri May 15, 2015 8:23 am
by robartsd
Technologies exist which could be used to allow third parties to use LDS Account single sign on to authenticate users (OpenID) and access a user's data stored on church servers (OAuth) without violating any privacy laws. In the case of OpenID, the response only confirms that the user is authenticated to that particular ID. In the case of OAuth, the user would grant (and could revoke) authorization to read and/or write certain types of data. The key to these technologies is that authentication and authorization occur on the provider's site, not on the consumer's site. Unfortunately these technologies are not widely used (To use mint.com with most of my financial accounts, I have to trust it with my passwords; however, one of my accounts has a method similar to OAuth allowing me to grant third party read only access to mint.com without sharing my password). As much as I'd like it, I don't see the church being a pioneer in this type of open development - generally the church is at least as conservative as the majority of financial institutions.

Re: Using LDS Account to authenticate users in third party a

Posted: Fri May 15, 2015 8:47 am
by neptunecentury
I suppose if it's not possible to use LDS Account, I guess the next best thing would be some other Social Media login, but I may just opt to have users register for an account on my app as the idea of using "facebook" for an LDS application just doesn't seem right.

Anyway, thanks for the replies.

Re: Using LDS Account to authenticate users in third party a

Posted: Fri May 15, 2015 9:00 am
by robartsd
I would suggest offering OpenID sign on - the user chooses their authentication server (Google, Yahoo, Wordpress, and many more provide OpenID to their users), but providing your own authentication option (with or without becoming an OpenID provider). The biggest challenge to users wanting to use OpenID is that there are too many sites that want to provide, but not consume, OpenID.

Re: Using LDS Account to authenticate users in third party a

Posted: Fri May 15, 2015 9:04 am
by neptunecentury
Yes, I think I will consider it. I do like the idea. However, I have no experience with OpenID, but that's what Google is for.

Re: Using LDS Account to authenticate users in third party a

Posted: Fri May 15, 2015 2:01 pm
by sbradshaw
One practical reason for the limitation on using OAuth in LDS Accounts, with the way it's currently set up, is it seems that a user can get more information through their LDS Account than what's actually displayed to them. For example, every once in a while we hear of a bug report where LDS Tools is showing data that a user shouldn't be able to see. The fix is done on LDS Tools, not on the backend server. So, a third-party app could circumvent the policies of who can see what data and show everything to the user.
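
Added example, not part of the thread and not code from LDS Account or LDS Tools: a toy provider illustrating both the grant-and-revoke model robartsd describes and the point above about where filtering happens. The scope names, record fields and the `Provider` class are assumptions made up for illustration.

```python
import secrets

# Constructed sample record; field names and values are illustrative only.
RECORDS = {"member-1": {"name": "A. Example", "phone": "555-0100",
                        "donations": [25, 40]}}
# Hypothetical scope names, each mapped to the fields it allows a client to read.
SCOPE_FIELDS = {"profile:read": {"name"}, "contact:read": {"phone"},
                "finance:read": {"donations"}}


class Provider:
    """Toy resource server that grants, revokes and enforces scoped tokens."""

    def __init__(self):
        self._grants = {}  # token -> (member_id, frozenset of scopes)

    def grant(self, member_id, scopes):
        # In OAuth the user approves this on the provider's site, so the
        # third-party app never handles the password.
        unknown = set(scopes) - set(SCOPE_FIELDS)
        if member_id not in RECORDS or unknown:
            raise ValueError("unknown member or scope")
        token = secrets.token_urlsafe(32)
        self._grants[token] = (member_id, frozenset(scopes))
        return token

    def revoke(self, token):
        self._grants.pop(token, None)

    def _lookup(self, token):
        if token not in self._grants:
            raise PermissionError("invalid or revoked token")
        return self._grants[token]

    def read_unfiltered(self, token):
        # Weak design: any valid token returns the whole record and the
        # client app is trusted to hide what the user should not see.
        member_id, _ = self._lookup(token)
        return dict(RECORDS[member_id])

    def read_enforced(self, token):
        # Hardened design: the server returns only fields the grant covers,
        # so no client, official or third-party, can display more.
        member_id, scopes = self._lookup(token)
        allowed = set().union(*(SCOPE_FIELDS[s] for s in scopes))
        return {k: v for k, v in RECORDS[member_id].items() if k in allowed}
```

With a token granted only `profile:read`, `read_enforced` returns just the name while `read_unfiltered` hands back every field, which is why a display-side fix alone does not close the exposure.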

Re: Using LDS Account to authenticate users in third party a

Posted: Fri May 15, 2015 3:05 pm
by russellhltn
With the rollout of tithing on-line, the ante has been upped on what the account can access. If anyone thinks I'd be willing to type an LDS Account login into a non-church owned site, they are sadly mistaken.

Re: Using LDS Account to authenticate users in third party a

Posted: Fri May 15, 2015 3:07 pm
by russellhltn
sbradshaw wrote:For example, every once in a while we hear of a bug report where LDS Tools is showing data that a user shouldn't be able to see. The fix is done on LDS Tools, not on the backend server.


Maybe the LDS Tools is a quick interim fix. Because if true that sure smells of bad security.