Using LDS Account to authenticate users in third party app

Church Account is the primary user account (user name and password) for accessing online Church resources. Church Account was formerly known as LDS Account. This forum is a space to discuss all things related to Church Accounts (registration, account recovery, user experience, vulnerabilities, etc.).
neptunecentury
New Member
Posts: 6
Joined: Fri Feb 22, 2013 7:01 pm

Using LDS Account to authenticate users in third party app

#1

Post by neptunecentury »

Hi,
I'm developing an app/website that requires authentication for local church leaders. I would really rather not force members to have to create an account through my own application, but would like to have members authenticate through an already existing LDS Account. Is this possible through something like OAuth?

Reasons for this are:
1. It is more secure as I am not storing their sensitive passwords in my system
2. It is convenient for the member to use an existing account vs creating a new account for my app
3. I don't really want to authenticate with other services like facebook, etc

If this is not currently possible because of technological limitations, is this something that can be implemented in the near future?

Thanks!
eblood66
Senior Member
Posts: 3907
Joined: Mon Sep 24, 2007 9:17 am
Location: Cumming, GA, USA

Re: Using LDS Account to authenticate users in third party a

#2

Post by eblood66 »

neptunecentury wrote: If this is not currently possible because of technological limitations, is this something that can be implemented in the near future?

Thanks!
By policy (not necessarily technical limitations) only official church applications can authenticate with and use LDS Account.

I don't have any inside knowledge but the church is very conservative about privacy issues and I doubt that policy will ever change.
aebrown
Community Administrator
Posts: 15153
Joined: Tue Nov 27, 2007 8:48 pm
Location: Draper, Utah

Re: Using LDS Account to authenticate users in third party a

#3

Post by aebrown »

neptunecentury wrote: I would ... like to have members authenticate through an already existing LDS Account. Is this possible through something like OAuth?
...
If this is not currently possible because of technological limitations, is this something that can be implemented in the near future?
No. In the wiki article Third-party API for gospel content, we read:
... third-party developers are restricted from using LDS Account, which could give access to membership data. This restriction protects the privacy of membership data (a legal requirement in many countries) and safeguards how membership data is viewed and used.
Although that wiki article is dealing with a different context, the basic principle still holds that the LDS Account can be used only by official Church applications.
robartsd
Member
Posts: 69
Joined: Sun Apr 04, 2010 9:07 pm
Location: United States, California

Re: Using LDS Account to authenticate users in third party a

#4

Post by robartsd »

Technologies exist which could be used to allow third parties to use LDS Account single sign on to authenticate users (OpenID) and access a user's data stored on church servers (OAuth) without violating any privacy laws. In the case of OpenID, the response only confirms that the user is authenticated to that particular ID. In the case of OAuth, the user would grant (and could revoke) authorization to read and/or write certain types of data. The key to these technologies is that authentication and authorization occur on the provider's site, not on the consumer's site. Unfortunately these technologies are not widely used (To use mint.com with most of my financial accounts, I have to trust it with my passwords; however, one of my accounts has a method similar to OAuth allowing me to grant third party read only access to mint.com without sharing my password). As much as I'd like it, I don't see the church being a pioneer in this type of open development - generally the church is at least as conservative as the majority of financial institutions.
neptunecentury
New Member
Posts: 6
Joined: Fri Feb 22, 2013 7:01 pm

Re: Using LDS Account to authenticate users in third party a

#5

Post by neptunecentury »

I suppose if it's not possible to use LDS Account, I guess the next best thing would be some other Social Media login, but I may just opt to have users register for an account on my app as the idea of using "facebook" for an LDS application just doesn't seem right.

Anyway, thanks for the replies.
robartsd
Member
Posts: 69
Joined: Sun Apr 04, 2010 9:07 pm
Location: United States, California

Re: Using LDS Account to authenticate users in third party a

#6

Post by robartsd »

I would suggest offering OpenID sign on - the user chooses their authentication server (Google, Yahoo, Wordpress, and many more provide OpenID to their users), but providing your own authentication option (with or without becoming an OpenID provider). The biggest challenge to users wanting to use OpenID is that there are too many sites that want to provide, but not consume, OpenID.
neptunecentury
New Member
Posts: 6
Joined: Fri Feb 22, 2013 7:01 pm

Re: Using LDS Account to authenticate users in third party a

#7

Post by neptunecentury »

Yes, I think I will consider it. I do like the idea. However, I have no experience with OpenID, but that's what Google is for.
sbradshaw
Community Moderators
Posts: 6245
Joined: Mon Sep 26, 2011 9:42 pm
Location: Utah

Re: Using LDS Account to authenticate users in third party a

#8

Post by sbradshaw »

One practical reason for the limitation on using OAuth in LDS Accounts, with the way it's currently set up, is it seems that a user can get more information through their LDS Account than what's actually displayed to them. For example, every once in a while we hear of a bug report where LDS Tools is showing data that a user shouldn't be able to see. The fix is done on LDS Tools, not on the backend server. So, a third-party app could circumvent the policies of who can see what data and show everything to the user.
Samuel Bradshaw • If you desire to serve God, you are called to the work.
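
The two designs discussed in posts #4 and #8, as an added example that is not part of the thread and not any Church code: a provider where the user grants and revokes scopes, one backend that leaves filtering to the app, and one that enforces the grant itself. The records, scope names and function names are all hypothetical.

```python
# Added illustration: constructed data and hypothetical names, not a real Church API.
import secrets

RECORDS = {"m1": {"name": "A. Member", "phone": "555-0100",
                  "notes": "leader-only note"}}          # constructed sample
SCOPE_FIELDS = {                                          # assumed policy
    "directory.read": {"name", "phone"},
    "leader.read": {"name", "phone", "notes"},
}

class Provider:
    """Stands in for the account provider: the user grants and revokes here."""
    def __init__(self):
        self.grants = {}                  # token -> set of granted scopes

    def grant(self, scopes):
        token = secrets.token_urlsafe(16)  # the app sees this, never a password
        self.grants[token] = set(scopes)
        return token

    def revoke(self, token):
        self.grants.pop(token, None)

    def scopes_for(self, token):
        if token not in self.grants:
            raise PermissionError("invalid or revoked token")
        return self.grants[token]

def api_client_filtered(provider, token, member_id):
    """Weak: backend returns the whole record and trusts the app to hide fields."""
    provider.scopes_for(token)            # checks the token, ignores the scopes
    return dict(RECORDS[member_id])

def api_server_enforced(provider, token, member_id):
    """Corrected: backend returns only fields the granted scopes permit."""
    allowed = set()
    for scope in provider.scopes_for(token):
        allowed |= SCOPE_FIELDS.get(scope, set())
    return {k: v for k, v in RECORDS[member_id].items() if k in allowed}

if __name__ == "__main__":
    idp = Provider()
    tok = idp.grant({"directory.read"})
    print("client-filtered:", api_client_filtered(idp, tok, "m1"))
    print("server-enforced:", api_server_enforced(idp, tok, "m1"))
    idp.revoke(tok)
```

With the same `directory.read` token, only the second backend withholds the `notes` field; after revocation both reject the token.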
russellhltn
Community Administrator
Posts: 34417
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Using LDS Account to authenticate users in third party a

#9

Post by russellhltn »

With the roll out of tithing on-line, the ante has been upped on what the account can access. If anyone thinks I'd be willing to type an LDS Account login into a non-church owned site, they are sadly mistaken.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.
russellhltn
Community Administrator
Posts: 34417
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Using LDS Account to authenticate users in third party a

#10

Post by russellhltn »

sbradshaw wrote: For example, every once in a while we hear of a bug report where LDS Tools is showing data that a user shouldn't be able to see. The fix is done on LDS Tools, not on the backend server.
Maybe the LDS Tools is a quick interim fix. Because if true that sure smells of bad security.