BOINC / boinc

Open-source software for volunteer computing and grid computing.
https://boinc.berkeley.edu
GNU Lesser General Public License v3.0

Eliminate use of authenticator in post-account creation #4085

Open TheAspens opened 3 years ago

TheAspens commented 3 years ago

The client creates an account by calling the create_account.php RPC. If this call is successful, the server returns the authenticator. The client then uses the authenticator in a scheduler request to register the client under the account and it uses the authenticator to allow the user to further set up their account by calling the account_finish.php RPC.

The create_account.php should be modified to return the authenticator but also return a one-time login token (see technical implementation details). The account_finish.php will be modified so that the value of auth is assumed to be a one-time login token and it will check to see if it is a valid unused one-time login token. Note that the website will not be backwards compatible with older clients. Users of older clients will be asked to login to finish setting up their account. This is necessary in order to allow updated websites to benefit from the improved security.

The client will be modified to use the one-time login token, if found, otherwise it will use the authenticator when it creates the link to account_finish.php. This will allow the client to be backwards compatible with BOINC projects that have not yet updated.

More information at https://boinc.berkeley.edu/trac/wiki/Reduce_usage_of_authenticator

This is one part of the solution to #2371
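The token flow described in this issue, modelled as an added example in Python rather than BOINC's own PHP RPC code: `create_account` returns both the authenticator and a freshly minted one-time login token, the `account_finish`-side check accepts a token only once and only before it expires (and rejects the authenticator itself, as the proposed server will), and the client-side helper picks the token when present and falls back to the authenticator for projects that have not updated. The function names, the in-memory stores, the 15-minute lifetime and the user id are assumptions of this example, not part of BOINC.

```python
import hashlib
import secrets
import time

# Constructed in-memory stores standing in for the project's database tables.
# The raw token is never stored, only its SHA-256 digest, so a database leak
# does not hand out usable login tokens.
_USERS = {"user-42": {"authenticator": "constructed-authenticator-value"}}
_LOGIN_TOKENS = {}  # user_id -> {"digest": str, "expires": float, "used": bool}

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; short, since the link is used once


def issue_login_token(user_id, now=None):
    """Mint a fresh one-time login token for user_id and return the raw value.

    Issuing a new token invalidates any earlier unused token for this user.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _LOGIN_TOKENS[user_id] = {
        "digest": hashlib.sha256(token.encode()).hexdigest(),
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def create_account(user_id, now=None):
    """Model of the modified create_account response: authenticator plus token."""
    return {
        "authenticator": _USERS[user_id]["authenticator"],
        "login_token": issue_login_token(user_id, now),
    }


def redeem_login_token(user_id, presented, now=None):
    """Model of the account_finish-side check.

    Returns True exactly once per issued token; a replayed, expired, or
    unknown value (including the long-lived authenticator) returns False.
    """
    now = time.time() if now is None else now
    record = _LOGIN_TOKENS.get(user_id)
    if record is None or record["used"] or now > record["expires"]:
        return False
    digest = hashlib.sha256(presented.encode()).hexdigest()
    # Constant-time comparison so timing does not leak how much of the
    # digest matched.
    if not secrets.compare_digest(digest, record["digest"]):
        return False
    record["used"] = True  # burn the token before reporting success
    return True


def finish_url_credential(create_response):
    """Client-side choice for the account_finish link: prefer the one-time
    token, fall back to the authenticator for projects that predate it."""
    return create_response.get("login_token") or create_response["authenticator"]


if __name__ == "__main__":
    resp = create_account("user-42")
    print("credential for finish link:", finish_url_credential(resp))
    print("first use:", redeem_login_token("user-42", resp["login_token"]))
    print("replay:", redeem_login_token("user-42", resp["login_token"]))
```

Marking the record used before returning, and comparing only hashes, are the two details that make the token genuinely one-time: the authenticator keeps its role in scheduler requests, while the value exposed in a browser URL is worthless after a single visit or after the lifetime elapses.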

nicolas17 commented 3 years ago

I think it would be interesting to use OAuth2 for everything, including the client doing scheduler RPCs(!). Instead of the client giving the browser a one-time code to go to account_finish, the browser would give the client a token to do scheduler RPCs, after the user created the account in the browser.

That approach would need quite a bit of thought into backwards compatibility though...