PKAuth: A Social Login Protocol for Unregistered Applications

Social login is a double-redirection mechanism whereby a Web application delegates user authentication to a social site and obtains access to the user’s social context. Today social login is implemented using OAuth, which requires registration of the application with the site for authentication of the application to the site and identification of the application to the user by the site. As social login gains in popularity, this may lead to a situation where every application must register with the dominant social site (currently Facebook) just to be able to authenticate its users, and the dominant social site has the power to disable any application on the Web by revoking its registration. PKAuth is a protocol for social login that does not require registration and yet provides strong application authentication and identification. It relies for that purpose on the public key infrastructure of the Web. The application submits its TLS certificate as client certificate in a TLS handshake, and the site identifies the application to the user by displaying the information contained in the certificate. Additional information about the application may be provided to the site by a holder-of-key assertion or by optional prior registration.