Continuing, Ralle...
I'm not a PHP programmer, though, like most people who have coded in many languages, writing a small bit of code (or even eventually a large amount) is mostly a matter of learning the specifics of the target language and keeping a language reference handy. However... writing ==SECURE== code in any not-well-understood language is another thing entirely.
Also, I have existing very mature SQRL server-side code running at GRC (written in MASM, of course! <g>)
And I'm a bit of a perfectionist. Little things that could be better, but aren't, annoy me. In this case, the SQRL nonce (which we call a nut) only needs to be long enough to prevent guessing. It needs to be one-time-only and guaranteed never to repeat. And size of a QR code is not linearly related to the size of its content... it jumps in size. So, being me, I chose the SQRL nut length which was both long enough to be secure, and also the longest that could be encoded in a given size QR code before it "jumps" to a larger size. The PHP code is (needlessly) producing an insanely long nut, which produces an unnecessarily large QR code. Yeah, I know, it doesn't matter... but it does to me.
Also, [I just looked and] it doesn't appear as though that PHP library is yet a full implementation of the SQRL server-side protocol. It appears to be lacking a number of crucial features, such as support for SQRL's identity lock protocol. Naturally, GRC's use of SQRL needs to be complete.
So my plan for the SQRL forums has been to keep nearly all of the heavy lifting over in MASM where I am not only more comfortable than anywhere else, but also where I already have well pounded on server-side code. This is going to be a minimal ISAPI module which anyone will be able to use. As you many know, ISAPI is natively Microsoft/IIS, but it is also supported by Apache and a few other lesser known servers.
(Are you able to run an ISAPI module? If so, that would allow you to have a running instance of what I'm doing. Though, if not, since I'm planning to implement this as an HTTP query/response interface... i.e. as a RESTful API service... we could probably arrange for remote access to GRC's API.)
(And also note that having a simple and clean SQRL RESTful API service would be useful all on its own.
At the moment I have the following server-side functions supported, which you can test and experiment with for yourself:
This URL returns a guaranteed globally unique SQRL nut nonce:
https://sqrl.grc.com/sqrl/nut.txt
This URL returns a QR code containing a SQRL auth trigger:
https://sqrl.grc.com/sqrl?qr=xitltrdtWh54rDAuq630RC0.png
(Where 'xitltrdtWh54rDAuq630RC0' is one of the nut nonces, for example returned by the query to /nut.txt)
And though they don't yet do anything, these URLs will soon:
... trigger a SQRL authentication:
https://sqrl.grc.com/sqrl?nut=xitltrdtWh54rDAuq630RC0
... return a value that changes when the page should be updated to show the user's logged in state:
https://sqrl.grc.com/sqrl/sync.txt
________________________________________________________________
I'm very much a one step at a time sort of guy, so I haven't yet allowed myself to think any further about the XenForo integration since I've known I would work it out once I get there. That said...
But a SQRL user is identified by a 256-bit public key which is base64url-encoded for interchange. And their SQRL identity on the server also requires the server to store another pair of 256-bit values for the so-called "Identity Lock" which supports a number of cool and unique features.
SQRL provides a means for the user to securely "re-key" their identity using a SQRL client. This might be needed if, for any reason, they were to lose confidence in the confidentiality of their current SQRL identity. From our standpoint with XenForo, this means that a given user's 256-bit SQRL identity might change at any time... yet they need to remain the same user to XenForo. So the architectural question is: Does XenForo identity them by their 256-bit SQRL identity (in the Connected Identities sense) -- which we =would= need to be able to change for their account in the event of re-keying?... OR should their SQRL identity be retained in the ISAPI database where it would be linked to their permanent XenForo account ID? I'm fine with it either way, but storing their XenForo identity in the ISAPI database would mean that we don't need to edit the XenForo database.
I also have not yet faced the question of step-by-step XenForo-side activities... but I =do= think that it probably (and wonderfully) very closely mimics the existing flow of OAuth Connected Accounts support... although, again, I haven't yet looked into that deeply.
________________________________________________________________
Now that I've got the "Login with SQRL" button and QR code stuff running and inplace (which required a bunch of infrastructure) next up for me is to port the rest of GRC's existing SQRL server-side support over into the new SQRL ISAPI module. (I forgot to mention that at the moment GRC's SQRL code is hung onto the existing monolithic "NetEngine" ISAPI which runs all of my server extensions, ShieldsUP!, DNS Spoofability, eCommerce, etc. So I'm now creating a stand-alone SQRL ISAPI for the forums (which runs on a physically separate and isolated server).
I will make time to digest the work you have done, but I first wanted to explain my thinking about where I am and where I think we're headed!
Thanks again for your help and support, Ralle!
