Reputation: 39263
Google authentication, verify to skeptic
Google supports several identity verification flows for third parties:
Looking at OAuth, the cryptographic primitive is that I can connect using HTTPS and Google can assert to me the identity of the visitor.
This method does not allow me to prove to another skeptic that this certain person completed Google login. This is because HTTPS is plausible deniable.
Is there a different login mechanism for Google where I can prove to a third party that a certain person logged in?
Upvotes: 0
Views: 32
Answers (1)
Reputation: 39824
I'm not sure if plausible deniability in the cryptographic sense is applicable to HTTPS - if I understand it correctly you'd need specific support for multiple keys decoding the message in different ways for that, i.e. special software, not just HTTPS.
But regardless, Google authentication (and any other 3rd party identity provider service) fundamentally relies on the trust in the information coming from the identity provider.
If you don't consider the 3rd party identity provider supplied information good enough as proof for another skeptic then you won't be able to use any such identity provider service, you'd have to roll out your own authentication scheme.
Upvotes: 1
Related Questions
- How can I verify a Google authentication API access token?
- Google service account to verify API requests to node application on GCP
- Google Cloud OAuth API verification
- OAuth: Starting a Google Compute Instance from within Google App Engine
- how to verify Google ID-token?
- Asserting identity to Google APIs with App Engine development server
- Google App Engine OpenID Authentication
- Google App Engine Authentication
- OAuth in google app engine
- Google App Engine authentication using OAuth