Using LDS Account to authenticate users in third party app

LDS Account is the primary user account (user name and password) for accessing online Church resources. This forum is a space to discuss all things related to LDS Account (registration, account recovery, user experience, vulnerabilities, etc.).
neptunecentury
New Member
Posts: 6
Joined: Fri Feb 22, 2013 7:01 pm

Using LDS Account to authenticate users in third party app

Post by neptunecentury » Fri May 15, 2015 7:31 am

Hi,
I'm developing an app/website that requires authentication for local church leaders. I would really rather not force members to have to create an account through my own application, but would like to have members authenticate through an already existing LDS Account. Is this possible through something like OAuth?

Reasons for this are:
1. It is more secure, as I am not storing their sensitive passwords in my system.
2. It is convenient for the member to use an existing account vs. creating a new account for my app.
3. I don't really want to authenticate with other services like Facebook, etc.

If this is not currently possible because of technological limitations, is this something that can be implemented in the near future?

Thanks!

eblood66
Senior Member
Posts: 2030
Joined: Mon Sep 24, 2007 8:17 am
Location: Cumming, GA, USA

Re: Using LDS Account to authenticate users in third party a

Post by eblood66 » Fri May 15, 2015 7:51 am

neptunecentury wrote: If this is not currently possible because of technological limitations, is this something that can be implemented in the near future?

Thanks!

By policy (not necessarily technical limitations) only official church applications can authenticate with and use LDS Account.

I don't have any inside knowledge but the church is very conservative about privacy issues and I doubt that policy will ever change.

aebrown
Community Administrator
Posts: 14693
Joined: Tue Nov 27, 2007 8:48 pm
Location: Sandy, Utah

Re: Using LDS Account to authenticate users in third party a

Post by aebrown » Fri May 15, 2015 8:03 am

neptunecentury wrote: I would ... like to have members authenticate through an already existing LDS Account. Is this possible through something like OAuth?
...
If this is not currently possible because of technological limitations, is this something that can be implemented in the near future?


No. In the wiki article Third-party API for gospel content, we read:
... third-party developers are restricted from using LDS Account, which could give access to membership data. This restriction protects the privacy of membership data (a legal requirement in many countries) and safeguards how membership data is viewed and used.


Although that wiki article is dealing with a different context, the basic principle still holds that the LDS Account can be used only by official Church applications.

robartsd
Member
Posts: 66
Joined: Sun Apr 04, 2010 8:07 pm
Location: United States, California

Re: Using LDS Account to authenticate users in third party a

Post by robartsd » Fri May 15, 2015 8:23 am

Technologies exist which could be used to allow third parties to use LDS Account single sign on to authenticate users (OpenID) and access a user's data stored on church servers (OAuth) without violating any privacy laws. In the case of OpenID, the response only confirms that the user is authenticated to that particular ID. In the case of OAuth, the user would grant (and could revoke) authorization to read and/or write certain types of data. The key to these technologies is that authentication and authorization occur on the provider's site, not on the consumer's site. Unfortunately these technologies are not widely used (to use mint.com with most of my financial accounts, I have to trust it with my passwords; however, one of my accounts has a method similar to OAuth allowing me to grant third party read only access to mint.com without sharing my password). As much as I'd like it, I don't see the church being a pioneer in this type of open development - generally the church is at least as conservative as the majority of financial institutions.

neptunecentury
New Member
Posts: 6
Joined: Fri Feb 22, 2013 7:01 pm

Re: Using LDS Account to authenticate users in third party a

Post by neptunecentury » Fri May 15, 2015 8:47 am

I suppose if it's not possible to use LDS Account, I guess the next best thing would be some other Social Media login, but I may just opt to have users register for an account on my app as the idea of using "facebook" for an LDS application just doesn't seem right.

Anyway, thanks for the replies.

robartsd
Member
Posts: 66
Joined: Sun Apr 04, 2010 8:07 pm
Location: United States, California

Re: Using LDS Account to authenticate users in third party a

Post by robartsd » Fri May 15, 2015 9:00 am

I would suggest offering OpenID sign on - the user chooses their authentication server (Google, Yahoo, Wordpress, and many more provide OpenID to their users), but providing your own authentication option (with or without becoming an OpenID provider). The biggest challenge to users wanting to use OpenID is that there are too many sites that want to provide, but not consume, OpenID.

neptunecentury
New Member
Posts: 6
Joined: Fri Feb 22, 2013 7:01 pm

Re: Using LDS Account to authenticate users in third party a

Post by neptunecentury » Fri May 15, 2015 9:04 am

Yes, I think I will consider it. I do like the idea. However, I have no experience with OpenID, but that's what Google is for.

sbradshaw
Senior Member
Posts: 2494
Joined: Mon Sep 26, 2011 8:42 pm
Location: Provo, UT

Re: Using LDS Account to authenticate users in third party a

Post by sbradshaw » Fri May 15, 2015 2:01 pm

One practical reason for the limitation on using OAuth in LDS Accounts, with the way it's currently set up, is it seems that a user can get more information through their LDS Account than what's actually displayed to them. For example, every once in a while we hear of a bug report where LDS Tools is showing data that a user shouldn't be able to see. The fix is done on LDS Tools, not on the backend server. So, a third-party app could circumvent the policies of who can see what data and show everything to the user.
Samuel Bradshaw • Interested in church apps and sites, creative recordkeeping, clerk support, YSA wards and stakes, LDS music, Vineyard at BYU, and online service.
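
Added example (not part of the original thread, and not Church or LDS Tools code): robartsd's point that grants are scoped and revocable at the provider, combined with sbradshaw's point that filtering done only in the client can be bypassed. The `Provider` class, the scope names and the sample record are all hypothetical.

```python
import secrets

# Constructed sample record; field and scope names are hypothetical.
MEMBER = {"name": "Sample Member", "phone": "555-0100", "donations": [25, 40]}
SCOPE_FIELDS = {"profile:read": {"name"}, "contact:read": {"phone"},
                "finance:read": {"donations"}}


class Provider:
    """Toy account provider: grants are issued, checked and revoked here."""

    def __init__(self):
        self._grants = {}  # opaque token -> scopes the user approved

    def grant(self, approved_scopes):
        # Happens on the provider's site after the user signs in there; the
        # third-party app receives only this token, never the password.
        unknown = set(approved_scopes) - set(SCOPE_FIELDS)
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        token = secrets.token_urlsafe(32)
        self._grants[token] = set(approved_scopes)
        return token

    def revoke(self, token):
        self._grants.pop(token, None)

    def api_unfiltered(self, token):
        # Weak design: any valid token yields the whole record and the
        # client app is trusted to hide what should not be shown.
        if token not in self._grants:
            raise PermissionError("invalid or revoked token")
        return dict(MEMBER)

    def api_filtered(self, token):
        # Hardened design: the backend returns only the fields covered by
        # the scopes attached to this token.
        if token not in self._grants:
            raise PermissionError("invalid or revoked token")
        allowed = set().union(*(SCOPE_FIELDS[s] for s in self._grants[token]))
        return {k: v for k, v in MEMBER.items() if k in allowed}


if __name__ == "__main__":
    provider = Provider()
    token = provider.grant(["profile:read"])
    print(provider.api_unfiltered(token))  # full record despite narrow grant
    print(provider.api_filtered(token))    # only the granted field
```

With the unfiltered endpoint, a token granted only `profile:read` still receives the donation and phone fields, so any client holding that token can display them; with the filtered endpoint the narrow grant is enforced regardless of which client calls it.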

russellhltn
Community Administrator
Posts: 20774
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Using LDS Account to authenticate users in third party a

Post by russellhltn » Fri May 15, 2015 3:05 pm

With the roll out of tithing on-line, the ante has been upped on what the account can access. If anyone thinks I'd be willing to type an LDS Account login into a non-church owned site, they are sadly mistaken.
Have you searched the Wiki?
Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.

russellhltn
Community Administrator
Posts: 20774
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Using LDS Account to authenticate users in third party a

Post by russellhltn » Fri May 15, 2015 3:07 pm

sbradshaw wrote: For example, every once in a while we hear of a bug report where LDS Tools is showing data that a user shouldn't be able to see. The fix is done on LDS Tools, not on the backend server.


Maybe the LDS Tools is a quick interim fix. Because if true that sure smells of bad security.