Ask HN: Will I be allowed to do this?

3 points by partisan ↗ HN
I had an idea that I am trying to vet and I have some major concerns.

While posting a comment on a news article the other day, I chose to use twitter authentication to log in. Of course, the newspaper website wanted to have access to my tweets, my followers, and the ability to post new tweets on my behalf, none of which I was comfortable giving up just to post on a random news article on a random site. I imagine that this prevents a lot of other people from posting as well.

I am considering creating a new authentication provider that will allow users to authenticate via their twitter, facebook, or google+ accounts, while not allowing any of the invasion of privacy that comes with using the standard OAuth providers.

My concern is that this will be deemed as some form of competition by the respective services and they can simple cut me off and kill my authentication service.

Your advice is greatly appreciated.

6 comments

[ 3.9 ms ] story [ 29.5 ms ] thread
I think you will need to make a decision as to whether you are hoping to serve as a proxy login (you log into me with twitter ; i log into them on your behalf) or to have a separate standalone service that's clearly demarcated from the host publisher.

I believe you'll find the former is challenging. It would be against the TOS of most authentication providers to do this as an arm's-length intermediary. I think you could do it as the contracted agent of the publisher (which implies a white-label approach). See, for example, the way JanRain works.

The best examples of the latter I can think of are Disqus, Echo, et al. You might want to check them out.

Greg,

Thanks for the reply. I was thinking to have a standalone service that is clearly demarcated from the host publisher. I wouldn't store passwords, I would simply serve as an authenticator for websites that would use the service as an alternative to the standard oauth provider from twitter or facebook, etc. The issue is that I would probably have an app on their ecosystem to facilitate the process.

BTW, brnr.me sounds like a great service.

I liked the idea of Mozilla Persona (https://www.mozilla.org/en-US/persona/), but that doesn't seem to be catching on.

I think you're on to something though, there are a lot of sites that want access to far too much, as if the developer cut-pasted all of the scopes they could find.

Thanks for the reply. Given that persona does not have traction then I would guess that the hard part would be getting sites to use it. I would expect that there would be high demand for a service like this, but perhaps privacy is not as important to some as to others?