Hacker News new | comments | show | ask | jobs | submit login
Tin Can: WebRTC that uses Persona to authenticate the callers to each other (tincan.im)
102 points by pwnna 1543 days ago | hide | past | web | 25 comments | favorite

Hi I'm the Mozilla intern that developed this and would really love some feedback! It's super-experimental right now, but feel free to try it out! I plan to release a more formal post later once some more bugs are squashed.

First of all, project looks great! Haven't had a chance to try it yet, but I've been impressed with other WebRTC demos, including http://vmux.co which is similar but uses Twitter to authenticate.

My slightly less positive feedback would be, it seems dodgy that it uses personatest.org instead of persona.org (and there's no website at www.personatest.org verifying its legitimacy). Kind of makes me anxious that I'm being phished. Any reason for this? You surely don't want people getting used to entering their Persona credentials at sites other than persona.org.

+1 about personatest.org. I felt also slightly uncomfortable about this and would like to know the reason :)

Otherwise it seems great :)

Persona required some changes to the code that have not yet landed in production i.e. on login.persona.org so we are using personatest.org for preliminary testing :)

ah ok, thanks for clarifying :)

This is a test persona server as the code here is still very early and not in the persona's master branch yet.

Same here, I'd feel more comfortable if it was something like test.persona.org.

Is there a source package for this? I already run my own Persona identity provider and wouldn't mind rolling this out for my family or for my workplace on servers I own

Looks like it's here: https://github.com/mozilla/tincan

Ah, nice. I always forget Mozilla has an active GH

Hm Persona (or browserid) is advertised as a decentralized solution to replace passwords with a centralized backup running on mozillas servers. To avoid exactly what happens to me now when I click on the "Sign in with email" button:


Error We are very sorry. The server is under extreme load!

Please close this window and try again.

    Action: Checking if Cookies are Enabled
    Now: Thu, 29 Aug 2013 06:03:47 GMT
    Network Info: GET: /wsapi/session_context

    Response Code - 503

    Response Text: server is too busy

    Error Type: server is too busy

just two days ago I tried to install everything so I could be my own browserid provider. Turns out that is not really easy (yet). Even if I got quite a bit and was able to run https://github.com/mozilla/browserid-certifier on my server, I never was able to talk to it via curl (the example they have just crashes it) or from a PHP script (I always got a 400 Bad Request). That is mostly because I didn't get how "pubkey - Object compatible with JWT public keys." should look like.

In the end, after a days work I gave up because it was already way after midnight. I hope in the future there will be single file-php-script which I could call from the HTML pages I need to provide which would do all the signing, etc. for one-person browserid providers like I want to become.

If you want to run your own IdP, look at this thing:


Also, the reason the server is busy is because Tin Can currently needs a forked version of Persona, so it's not running on the production infrastructure.

I built something to make this easier:


Just drop a JSON file on your server and you're your own identity provider.

Tried signing in with a gmail account and it wanted me to create a password. The gmail bridge seems to be functioning normally at persona.org, so what's the deal?

Tin Can is currently an experimental project. The login is currently using personatest, which is running an older version. I'm not too sure what the status is (I'm a friend of the author) right now with integrating this into persona.

(Identity team member here.) Yes, that's right. tincan is against running an ephemeral instance of Persona that doesn't do the account bridging, and doesn't share a database with the real persona.org. We do plan to integrate this with Persona. Also, while I think this is an awesome use case for Persona, and we do intend to land it in Firefox [1], it's worth noting that the proposed webrtc idp proxy architecture [2] is designed to work with any identity provider, not just Persona, and could be incorporated into any browser.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=878941 [2] https://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-...

> We are sorry, but currently your browser is not supported.[1]

Really? Mozilla Persona doesn't support Firefox 23.0.1?

[1] https://webrtc.personatest.org/unsupported_dialog

EDIT: BrowserSupport.getNoSupportReason() == LOCALSTORAGE_DISABLED.

My friend/coworker who made this also made a video explaining how this works in more details: https://air.mozilla.org/intern-presentation-seys/

btw, this is why you should apply for an internship on the Identity team next summer :-)

This is also why people should hire Ryan Seys when he's done with university. Oops - I didn't just say that! Hopefully he'll be coming back to Mozilla :)

I approve of this :)

+100! It was awesome to be an intern!

Fails in firefox 23.0.1 for me (I see myself, but not the other person). Fails in chrome 29.0.1547.57 as well with similar results.

I am sorry! It is likely due to WebRTC's inability to connect to others when difficult NATs get in the way. TURN servers can mitigate this but Tin Can is not set up to use a TURN server (yet).

Not working for me.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact