nice! I did a very similar thing many years ago for the video game website giantbomb.com. they have a wiki and you get points for making contributions, but there's nothing to do with the points, they don't do anything. so I made my own website where you could predict review scores they would give upcoming games, and "gamble" (a copy of) your giantbomb.com account's wiki points, which were scraped once you logged in with pretty much the exact same system (putting a generated hash into your account profile).
I've always thought that this is a neat idea and similar methods could be used to make all kinds of cross-account connection stuff work on various websites. if you're making any kind of social site like this, allow users to have an editable public bio!
Hey this is neat. Great work, I really like such weird ideas and it looks so professional!
This site isn't really intended for high security. It doesn't matter that much since Hackernews login is only for this site and text posts here are not that valuable. If it was expanded in usage it could be disastrous.
The fact that the admins of this site do manual recovery for example is a terrible practice that no serious providers do. In fact the reason I'm 'AnotherGoodName' rather than my old AReallyGoodName is because I suffered account takeover on this site. The last three posts from AReallyGoodName promoting CoinRace are not me. The rest, including posts for my github projects (I still own my Github) are. https://news.ycombinator.com/item?id=16460663#16461236
I do not think for one second that Hackernews is ready to handle sign ins for things that need more security than this site itself.
Interesting. However, it requires your trust to the service. So probably the identity user shall build and host such service by themselves.
Or a more trusty solution is to make the identity verifiable. Oh, did I say Keybase (the former one not acquired by Zoom)?
I'm doing something very similar with my service: https://aytwit.com/thoughter
To the author, there is a simple trick you can pull in order to make the confirmation instantaneous and avoid caching. Have you figured it out? Let me know!
I also use a residential proxy service for all my profile requests, regardless of the identity provider. For some sites like Twitter, Facebook, etc. this is required, and for something like Hacker News it's simply future-proofing in case they decide to block scrapers at some point in the future.
I think it’s in poor taste to theme your site to look like HN. Feels a little close to phishing.
Would be interesting to come up with a nice use case now with this.
Great idea, I like the concept of using a code in your bio as the auth mechanism. As another poster replied, the api seems to be 500'ing
This is kind of reminiscent of how keybase verifies your ownership of social media accounts, domain names etc.
it seems like if this is OAuth2, the protocol is not giving an audience specifier? That would mean that any token is as good as any other, and say, authenticating to evilsite.com, the site could use the token it's granted to itself to log onto another ‘login with HN’ website as the victim. That's the usual issue with OAuth as login
Question - are you affiliated with HN/YC at all? If not, I would be concerned about the colors/branding on the homepage being the same as HN/YC. I see the word “unofficially”, but it feels like there still might be some confusion of how it relates to YC’s software.
Congrats on putting this together, it looks really cool.
One suggested feature that crossed my mind is to allow a minimum karma or account tenure requirement, in order to screen for throwaway accounts in cases where this mattered.
Implementation idea: this method reminds me that we can post our public keys in bio, which means logging in could just mean signing a message that says "sign me in to %service%" and you wouldn't need to update your bio for each service you log in to.
Nice. It's the equivalent of domain name verification using TXT records, but for HN profiles!
It didn't appear to be working after a couple of attempts. Opening the console shows a lot of HTTP 500 responses coming from /api/v1/hn/poll/status
Using forums as pseudonymous identity providers is a very powerful idea. It's essentially community federation. There is of course risk that your IDP chucks your account and you lose access to the other ones, but that's solvable with a recovery scheme.
Lightweight, low assurance credentials probably have the biggest growth future, as if universal high assurance credentials were really that commercially desirable, we'd already have them. These are a kind of affinity credential, which has a lot of optionality.
Hi, I just wanted to say I have fond memories of using garrysmod.org to download add-ons for gmod back in 2008-2010 or so. They used the same authentication technique by giving the user a token to put on their Steam profile. I'm still wearing mine! As long as the entity in question (HN, Steam) isn't at risk of going bust, I think this is very practical. Best of luck.
This is a smart implementation. I was worried it would be doing something uncouth like asking for your HN password or scraping some kind of unofficial API, but instead it gives you a token to embed in your public profile - so it's still scraping your profile page, but that feels like a very low-impact way of building this.
Suggestion: on the "Put the token below in your HackerNews Profile" page, rather than polling to see if the token has been added (which is a bit rude) add a button for "I have added this token to my profile" and only check once the user clicks that button.
Wow, awesome! We've had a few startups ask for an HN integration at https://clerk.dev and we'll build this in ASAP.
It would be great if this could somehow verify whether an HN account has been part of YC cohort. A few requests we've received were with the hope of offering early access to YC founders-only before a public release.
Also, I love the OTP solution instead of asking for our HN passwords.
Hah I had the idea to do this but not using OpenID (show a token on an account to prove you own it) - kudos to using standards!
The use case was stealing the userbase from a stagnant competitor allowing everyone to keep their existing usernames on my platform.
This is awesome! I had this same idea just last week! Way to execute!
"I'm a yak shaver by trade"
Do you have any sites that support the flow yet?
Great idea. If you need to add a code to your bio, another idea is putting a public key in your HN bio and signing a nonce message using some browser extension like Metamask.
This is a smart, safe implementation. On a side note: I wish HN offered 2FA.
I wonder if this concept could (and perhaps should) be extended to be an OAuth provider, that lets you in based on ability to control content under arbitrary URL. Maybe even standardized somehow by exposing meta tags in the HTML header.
This is neat. How do you protect against a third party scanning HN profiles for codes and stealing them?
>How does it work?
>LoginWithHN generates a unique one-time-use code that the user must then put into their profile within 5 minutes
I like the implementation, but shouldn't the code be something more explicit? Otherwise it might be easy to social engineer someone into putting in the code. Currently it's
>Put the token below in your HackerNews Profile ↗
I think Keybase does something more explicit, with something like "my keybase verification code is xyz"
Blocked by both Firefox and my company due to certificate issue.
Very cool, I was experimenting with a similar implementation of this a few years back. We were using a browser extension to handle the posting to the profile for you. However, we noticed that that profile was cached on the server so you would end up having to wait a long time to get a new version. I believe we tried appending a random query param to cache bust but the server didn't seem to care about that.
Have you run into this? If so, how did you get around it?
[Edit] Here is a link to the now dead project :( http://web.archive.org/web/20161225152153/http://www.clap.ch... We briefly mention how it worked but didn't go into full detail
I can speak more freely on a forum if my logins are independent. If they are federated I have more to lose by saying the wrong thing. There are scarcely any values I can express without offending someone. For this purpose at least, it looks like a better strategy to have multiple isolated credentials. With a password manager the inconvenience almost disappears.
I wanted to be able to make apps that do social login with HN so I hacked it together.
It works like you would expect -- generating a code you can put in your profile. For convenience, you can then use either TOTP or Email (if you specify both, it will default to using TOTP) to login thereafter to make things quicker (it can take up to a minute until profiles update).
I generally wait about 5 seconds between checks of a profile, hopefully this isn't too much additional strain (especially since I expect most people to switch to something faster after the first login).
[EDIT] Also it's night time (well morning I guess) where I am so... spinning up some more instances and I'm going to sleep.
[EDIT2] My email is plastered all over the site, but please feel free to email me any bug reports!
[EDIT3] If you'd like to register an app, please check out https://mailing-list.vadosware.io/subscription/form ! Ignore all the other mailing list stuff and get on the "early adopters" list for LoginWithHN! Or just email me in my HN profile, whichever!
Victor, congratulations on the launch! I am one of the maintainers at https://github.com/ory/hydra and it makes me super happy to see that Ory Hydra is being used for such innovative projects :)
If you’re interested to join Ory, we’d be excited to have you! Drop Aeneas a line and he’ll take it from there: firstname.lastname@example.org
Hopefully we’ll talk soon :)