On Tue, Mar 2, 2010 at 7:48 PM, Bill Moseley <moseley at hank.org> wrote:
> A third-party partner site wants to provide access to my site but bypass my
> account creation and login screens. They want to have a sign-up form on
> *their* site and then provide access to my site. My site will still need an
> account created for each user first, so that means I need an API to allow
> the third party site to create an account and then provide a way to redirect
> to my site bypassing the login page.
>
> I'm looking for ideas how to make this easy for the third-party site, yet be
> secure.

You actually do not need the user's password. You only need to be able to take the username and password supplied and submit that securely (encrypted) to the third party site for a yes/no verification, which you will have to trust. After challenging the third party site, you can discard the password submitted.

We do something similar with our product where you can set up authentication via a WINS server or network share. We forward the credentials submitted by the user and allow the WINS server or operating system to perform the authentication. If it grants access based on those credentials and we have a username in our DB matching the windows username, then we will grant access as well.

Sounds to me like you'd want to search your DB first and only ping the third party site if you don't find a match.

--
Matt Warden
Cincinnati, OH, USA
http://mattwarden.com

This email proudly and graciously contributes to entropy.
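
The flow described in the reply above (local lookup first, a yes/no check with the partner otherwise, password discarded afterwards), sketched as an added example that is not part of the original email or of any product it mentions. `DelegatingAuthenticator`, the `remote_verify` callable and the stub functions are hypothetical names; treating "a match" as a username lookup and failing closed on partner errors are assumptions.

```python
import hashlib
import hmac

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the local store never holds a plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

class DelegatingAuthenticator:
    """Local lookup first; ask the partner only for usernames we do not know."""
    def __init__(self, local_users, remote_verify):
        self.local_users = local_users      # username -> (salt, password hash)
        self.remote_verify = remote_verify  # hypothetical: (user, pw) -> bool
        self.provisioned = set()            # usernames vouched for by the partner

    def authenticate(self, username: str, password: str):
        record = self.local_users.get(username)
        if record is not None:
            # Assumption: a local record is authoritative, so a wrong password
            # for a known user is rejected without contacting the partner.
            salt, stored = record
            ok = hmac.compare_digest(hash_password(password, salt), stored)
            return ("local", ok)
        try:
            # In production this would be a POST over TLS with a short timeout.
            ok = self.remote_verify(username, password) is True
        except Exception:
            ok = False  # fail closed when the partner errors or is unreachable
        if ok:
            self.provisioned.add(username)  # keep the username, never the password
        return ("remote", ok)

# Constructed sample data and stand-ins for the partner's yes/no endpoint.
SALT = b"constructed-salt"
LOCAL_USERS = {"alice": (SALT, hash_password("local-pass", SALT))}

def partner_verify_stub(username, password):
    return (username, password) == ("carol", "partner-pass")

def partner_down_stub(username, password):
    raise TimeoutError("partner unreachable")

if __name__ == "__main__":
    auth = DelegatingAuthenticator(LOCAL_USERS, partner_verify_stub)
    for user, pw in [("alice", "local-pass"), ("carol", "partner-pass"), ("carol", "x")]:
        print(user, auth.authenticate(user, pw))
```

The return value names which side made the decision, which is worth logging so that partner-vouched logins can be audited separately from local ones.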