Hacker News new | past | comments | ask | show | jobs | submit login

The autoresponder is more of a "This domain accept OAuth" and sends back the email body.

That way, the autoresponder doesn't need to know anything about the process nor does it authenticate the user.

It merely sends back a mail that portier can interprete as "Ok, I send an auth email there and this response means they want me to construct an oauth link to this domain"

it's stateless and only requires a rather simple autoresponder that can include email bodies.

Furthermore, portier can also verify the login link, so that replay attacks aren't feasible and the sender and link-owner must have matching emails.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact