I ran into a site that is running MovableType 3.0 (beta1) with TypeKey support.
There is no public protocol doc yet (afaik), but here's a quick analysis attempt.
Let's start with some shameless plugs to my previous posts on web authentication, for some background on existing solutions: "Microsoft Passport 101" (a detailed explanation of Microsoft's protocol) and "Comment authentication" (an investigation of alternative protocols).
Now, let's dive into the details of TypeKey (which seems similar in design to Passport, but with fewer features and options, and more open).
Whenever you register an account, you can also enlist your blog. In that case a blog token is provided to you, for the blog urls you declare. It looks like "LjRd2DpifL51sB0iFeYT".
This token is passed in the authentication request (as the t parameter) along with the return url (_return). The return url is checked against the blog urls you enlisted.
So a login url follows this format (notice that the url is static for a given blog): https://www.typekey.com/t/typekey/login?t=<blog token>&_return=<return url>
The return request contains the time (epoch format) of the authentication (ts parameter), the TypeKey login name (name), some kind of hash of the email (email), the display name (nick) and a secure signature (sig).
So, after you authenticate with TypeKey, you are returned to a url like: <return url>&ts=<timestamp>&email=<hashed email>&name=<name>&nick=<display name>&sig=<crypto signature>
Real parameters would look like:
A SHA-1 hash is used for the email (like FOAF). I confirmed it by computing the SHA-1 hash for mailto:dumky at ifrance.com, and then also found out the url for my TypeKey FOAF file.
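Here is the blog side of the exchange described above, as an added example that is not TypeKey's or Movable Type's code: it builds the static login url from the blog token and return url, checks that a return url falls under an enlisted blog url (the exact rule TypeKey applies is an assumption), parses the five return parameters, computes the FOAF-style SHA-1 over "mailto:" plus the address to match the email parameter, and treats ts as a replay window (the 300-second window is an assumption). The sig check is left out on purpose, since the post does not establish how sig is computed. The blog urls, return url and email address are constructed sample values; only the token shape comes from the post.

```python
"""Blog-side handling of the TypeKey login/return flow as described in the post.

Added example. URL layout and parameter names (t, _return, need_email, ts,
email, name, nick, sig) follow the post; the return-url rule and the replay
window are assumptions; sample blog/return urls and email are constructed.
"""
import hashlib
import time
from urllib.parse import parse_qs, urlencode, urlsplit

LOGIN_URL = "https://www.typekey.com/t/typekey/login"
LOGOUT_URL = "https://www.typekey.com/t/typekey/logout"

BLOG_TOKEN = "LjRd2DpifL51sB0iFeYT"          # token shape shown in the post
ENLISTED_BLOG_URLS = ["http://blog.example.com/"]                 # constructed
RETURN_URL = "http://blog.example.com/mt/mt-comments.cgi?entry=42"  # constructed


def login_url(blog_token, return_url, need_email=False):
    """Static per-blog login url: t is the blog token, _return is where
    TypeKey sends the user back; need_email=1 asks for the cleartext address."""
    params = {"t": blog_token, "_return": return_url}
    if need_email:
        params["need_email"] = "1"
    return LOGIN_URL + "?" + urlencode(params)


def logout_url(return_url):
    """Logout url the blog bounces to after clearing its own cookies."""
    return LOGOUT_URL + "?" + urlencode({"_return": return_url})


def return_url_allowed(return_url, enlisted_urls):
    """Assumed form of TypeKey's check: _return must share scheme and host
    with an enlisted blog url and sit under its path."""
    r = urlsplit(return_url)
    for u in enlisted_urls:
        e = urlsplit(u)
        if (r.scheme, r.netloc) == (e.scheme, e.netloc) and r.path.startswith(e.path):
            return True
    return False


def mbox_sha1(email):
    """FOAF mbox_sha1sum: SHA-1 over 'mailto:' + address, lowercase hex."""
    return hashlib.sha1(("mailto:" + email).encode("utf-8")).hexdigest()


def looks_like_sha1(value):
    return len(value) == 40 and all(c in "0123456789abcdef" for c in value.lower())


def parse_return(url):
    """Pull the five fields the post lists out of the url TypeKey redirects to."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    fields = {}
    for k in ("ts", "email", "name", "nick", "sig"):
        if k not in q:
            raise ValueError("missing TypeKey parameter: " + k)
        fields[k] = q[k][0]
    return fields


def check_return(url, enlisted_urls, now=None, max_age=300):
    """Validate what the post supports: enlisted return url, all fields
    present, ts within an assumed replay window, and email classified as a
    40-hex SHA-1 or a cleartext address (the need_email=1 case). No sig
    verification: the post does not say how sig is computed."""
    if not return_url_allowed(url, enlisted_urls):
        return {"ok": False, "reason": "return url not enlisted"}
    try:
        f = parse_return(url)
        ts = int(f["ts"])
    except ValueError as exc:
        return {"ok": False, "reason": str(exc)}
    now = int(time.time()) if now is None else now
    if abs(now - ts) > max_age:
        return {"ok": False, "reason": "stale ts"}
    kind = "sha1" if looks_like_sha1(f["email"]) else "cleartext"
    return {"ok": True, "name": f["name"], "nick": f["nick"],
            "email": f["email"], "email_kind": kind, "sig": f["sig"]}


def sample_return(ts, email_param, name="dumky", nick="Julien Couvreur (Dumky)",
                  sig="constructed-signature"):
    """Constructed return url in the shape the post shows; sig is a placeholder."""
    return RETURN_URL + "&" + urlencode(
        {"ts": str(ts), "email": email_param, "name": name, "nick": nick, "sig": sig})


if __name__ == "__main__":
    print(login_url(BLOG_TOKEN, RETURN_URL))
    h = mbox_sha1("dumky@example.com")  # constructed address
    print(check_return(sample_return(1082700000, h), ENLISTED_BLOG_URLS, now=1082700010))
```

The hash comparison is what lets a blog (or a FOAF consumer) recognise a commenter without ever seeing the address; with need_email=1 the same parameter carries the cleartext address instead, which is why check_return classifies it rather than assuming one form.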
I'm not sure how the query string is signed yet, probably a PGP type signature. The blog token is probably involved, so that signatures can't be re-used from site to site.
If need_email=1 is part of the auth request, a consent checkbox is shown in the login prompt. In that case, a cleartext version of the email is returned instead of just a hash.
Idly.org uses this option.
Also, the TypeKey site will set a cookie that looks like:
Tp_commenter0 = b75783e8ef6b9433e014aed547fa028d
Since the TypeKey authentication occurs over SSL, I'm not sure why they didn't use a secure cookie.
Also, this cookie is set in the same domain all the UI is displayed (for account management), which might be a risk in terms of script injection.
For example, the Profile currently is vulnerable to a script injection (I notified the SixApart team, as I did with similar problems in MovableType <2.64, and used my profile page as a demo), but luckily it resides in a separate domain, profile.typekey.com, instead of www.typekey.com.
Back onto the blog site two cookies are set, that look like:
Tp_commenter = PyL52XkB98cxSo2sE%3D%3AUvzQdLVyw38%20qJBIjKz4lj1HkDY%3D
Commenter_name = Julien%20Couvreur%20%28Dumky%29
If you hit mt-comments.cgi on the blog site with logout=1, you'll get logged out of the blog and bounced to the TypeKey logout url (https://www.typekey.com/t/typekey/logout?&_return=<return url>).
I'm not sure how the sign-out works when you have logged into multiple sites; it might just not be supported.
Posted by Julien on April 23, 2004. Permalink