XAuth – Mozilla webappsstore.sqlite

If you are wondering where Firefox stores the XAuth token (along with all other localStorage data), the answer is webappsstore.sqlite in your profile folder. The main idea of XAuth is that the stored token is accessible only from the xauth.org domain, so you normally have no opportunity to see exactly what has been saved in your local storage.

I am an Explorer

I am always suspicious when I have to use an “Open Technology” from Google or other not so open vendors and I would like to see what EXACTLY is stored in My Computer.

AddOn

So let’s explore webappsstore.sqlite. I need this add-on for that. You can download it from here.

It looks very usable:
SQLite Manager

Just click Database > Connect Database and choose webappsstore.sqlite from your profile folder.
After that, choose Tables from the sidebar tree, and Browse and Search from the main window.

Inside

Let’s see what is inside about XAuth:

scope: gro.htuax.:http:80 // the host name is stored reversed: this entry is accessible from xauth.org only, over the http protocol only and via port 80 only
key: talkweb.eu
value: {"token":"1","expire":1275110205930,"extend":["talkweb.eu"]}

Everything looks fine for now!
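The same inspection can be scripted instead of clicked through. The following is an added example, not code from the original post: it decodes the reversed scope string and the JSON value shown above. The table name `webappsstore2` and its three columns are an assumption about the schema, and the sample database is constructed in memory from the row above plus one unrelated constructed row.

```python
import json
import sqlite3
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
TABLE = "webappsstore2"  # assumption: confirm with SELECT name FROM sqlite_master

def decode_scope(scope):
    """Turn 'gro.htuax.:http:80' into ('xauth.org', 'http', 80)."""
    rev_host, scheme, port = scope.split(":")
    return rev_host[::-1].lstrip("."), scheme, int(port)

def read_xauth_rows(conn):
    """Return decoded localStorage rows whose value looks like an XAuth record."""
    out = []
    for scope, key, value in conn.execute(f"SELECT scope, key, value FROM {TABLE}"):
        try:
            rec = json.loads(value)
        except ValueError:
            continue  # not JSON, so not an XAuth record
        if not isinstance(rec, dict) or "token" not in rec:
            continue
        host, scheme, port = decode_scope(scope)
        out.append({
            "origin": f"{scheme}://{host}:{port}",   # who can read the row
            "extender": key,                         # service that stored the token
            "token": rec["token"],
            # "expire" is a JavaScript timestamp in milliseconds
            "expires": EPOCH + timedelta(milliseconds=rec.get("expire", 0)),
            "readable_by": rec.get("extend", []),    # retriever domains
        })
    return out

def sample_db():
    """Constructed in-memory database holding the row shown in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {TABLE} (scope TEXT, key TEXT, value TEXT)")
    conn.executemany(f"INSERT INTO {TABLE} VALUES (?, ?, ?)", [
        ("gro.htuax.:http:80", "talkweb.eu",
         '{"token":"1","expire":1275110205930,"extend":["talkweb.eu"]}'),
        ("ue.bewklat.:http:80", "theme", "dark"),  # unrelated constructed row
    ])
    return conn

if __name__ == "__main__":
    for row in read_xauth_rows(sample_db()):
        print(row)
```

To run it against a real profile, work on a copy of the database file and pass `sqlite3.connect()` the path of that copy in place of `sample_db()`.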

Another example
If you want to see what is stored in local storage for your own domain, you can use this script:

<html>
<head>
</head>
<body onload="doShowAll()">
<script type="text/javascript">
// Escape stored strings so they are displayed as text, not parsed as markup.
function esc(s) {
  return String(s).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// List every key/value pair in this origin's localStorage in a table.
function doShowAll() {
  var key = "";
  var showme = "<tr><td>Local name</td><td>Local value</td></tr>\n";
  for (var i = 0; i < localStorage.length; i++) {
    key = localStorage.key(i);
    showme += "<tr><td>" + esc(key) + "</td>\n<td>" + esc(localStorage.getItem(key)) + "</td></tr>\n";
  }
  // Nothing stored for this origin: show a placeholder row.
  if (localStorage.length === 0) {
    showme += "<tr><td><i>empty</i></td>\n<td><i>empty</i></td></tr>\n";
  }
  document.getElementById('showme').innerHTML = showme;
  alert(localStorage.length);
}
</script>
<table id='showme'></table>
</body>
</html>

XAuth basics and an example.

What is XAuth?

XAuth is an open platform for extending authenticated user services across the web.

Participating services generate a browser token for each of their users. Publishers can then recognize when site visitors are logged in to those online services and present them with meaningful, relevant options.

Users can choose to authenticate directly from the publisher site and use the service to share, interact with friends, or participate in the site’s community. The XAuth Token can be anything, so services have the flexibility to define whatever level of access they choose.

How does it work

The main requirement for XAuth is that your browser supports HTML5. XAuth essentially defines 3 different parties to the flow:

– Extenders are web services that a user is logged into that present some public API.
– Retrievers are web services that want to discover and consume one or more of the Extenders.
– XAuth.org is the final party. All XAuth communication happens through an iframe and JavaScript. This is just static hosting; all data is stored in the user’s browser.

Step 1: Enable

You can just put the following line into your website and it will be XAuth enabled:
<script type="text/javascript" src="http://xauth.org/xauth.js"></script>

Step 2: Become an Extender

Let’s create the token and let’s save it to our browser:

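function doLogin(doneUrl) {
  XAuth.extend({
    token: "1", // set the token
    expire: new Date().getTime() + 60*60*24*1000, // expire 24 hours from now (milliseconds)
    extend: ["talkweb.eu"], // domains that are allowed to retrieve this token
    // Pass a function: calling location.replace() directly here would
    // redirect immediately instead of after the token has been stored.
    callback: function () { location.replace(doneUrl); }
  });
}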

Step 3: Become a Retriever

Let’s retrieve the token and show it on a web page:

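// Ask xauth.org for any token that talkweb.eu has extended to this domain.
function doRetrieve() {
  XAuth.retrieve({
    retrieve: ["talkweb.eu"],
    callback: onRetrieve
  });
}

// Build a "domain: token" list from the response and display it.
function onRetrieve(data) {
  var numTokens = 0;
  var str = '';
  if (data && data.tokens) {
    for (var token in data.tokens) {
      if (numTokens > 0) str += ', ';
      str += token + ': ' + data.tokens[token].token;
      numTokens++;
    }
  }

  if (str == '') {
    str = '(none)';
  }
  // textContent shows the token as plain text; it is never parsed as HTML.
  document.getElementById('login_status').textContent = str;
}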

Step 4: Let’s put XAuth.org on the stage and show an example

Here it is >