Securing credentials passed to web service
- by Greg Smith
I'm attempting to design a single sign on system for use in a distributed architecture. Specifically, I must provide a way for a client website (that is, a website on a different domain/server/network) to allow users to register accounts on my central system.
So, when the user takes an action on a client website, and that action is deemed to require an account, the client will produce a page (on their site/domain) where the user can register for a new account by providing an email and password.
The client must then send this information to a web service, which will register the account and return some session token type value.
The client will need to hash the password before sending it across the wire, and the webservice will require https, but this doesn't feel like it's safe enough and I need some advice on how I can implement this in the most secure way possible.
A few other bits of relevant information:
Ideally we'd prefer not to share any code with the client
We've considered just redirecting the user to a secure page on the same server as the webservice, but this is likely to be rejected for non-technical reasons.
We almost certainaly need to salt the password before hashing and passing it over, but that requires the client to either a) generate the salt and communicate it to us, or b) come and ask us for the salt - both feel dirty.
Any help or advice is most appreciated.
