Login with PDF
Yesterday I saw this satire video on Reddit showcasing a web application that offers an extensive list of sign in connectors. I believe this is a response to the growing trend of offering many options to authenticate without requiring to sign up via e-mail.
I feel ashamed for laughing at the ‘Login with your mom’ button
Among many other connectors, there is one that for me stands as the funniest one: login with pdf. But if your product manager asked you to implement it, how would this connector work in reality?
ChatGPT opinion
Initially I couldn’t wrap my head around on how you would be able to authenticate with a PDF, it just seems dumb. I thought of searching Google for ideas on how this would work, but… there’s no way a sane person would make this question on StackOverflow.
So I asked help from our friendly clanker over OpenAI on this case. Here’s how ChatGPT imagined it to work:
1. User Chooses Login with PDF
- On the app’s login screen, alongside “Login with Google” and “Login with GitHub,” there’s a “Login with PDF” button.
2. Authorization Request
- Clicking it triggers the familiar OAuth 2.0 redirect, but instead of taking you to a web login form, you’re asked to upload a PDF document from your device.
3. The PDF as Identity Token
- The PDF must be digitally signed by a recognized PDF Identity Provider (Adobe IDP, FoxitAuth, or even LibreOfficeID).
- The PDF’s metadata contains claims (name, email, expiration date) similar to a JWT.
Example: inside the PDF, there’s an embedded /OAuthIdentity object with Base64-encoded claims.
4. Token Exchange
- The PDF Identity Provider validates the signature.
- It extracts the identity claims from the PDF metadata.
- It issues an access token back to the app (over HTTPS, just like OAuth normally would).
5. Access Granted
- Your app now knows who you are because you’ve authenticated with a PDF.
Bonus: to renew your session, you just re-upload the PDF (or a newer “refresh PDF”).
It even offered me a flowchart to better convince the engineering team on how this a great idea:
Suddenly this connector didn’t seem like a crazy idea after all, and I think it’s not so hard to actually implement it. Attaching a verification code to a PDF is what most governments and hiring companies use to authenticate a person signature via PDF. The only issue is that the PDF could never be sent over plain text, otherwise a malicious actor could act on my behalf.
LLM hallucinations
… can be a great thing when something so dumb as login with pdf/calculator/potato hasn’t been widely researched. I think using chat based llm tools to take a quick dive into the unknown is a great and powerful resource we have available today.
Bonus: login with a potato
Curiosity got the best of me so I asked ChatGPT how most of these dumb connectors would work. Login with a potato is a very interesting one:
1. User Chooses Login with Potato
On the login screen: “Login with Potato”. You pick it because… why not?
2. Potato Registration / Claiming Identity
- First, you need a potato that’s registered with a Potato Identity Provider (PIP).
- Each potato has a unique biometric signature: texture, shape, eye pattern, maybe even soil composition.
- The potato can optionally have a QR code sticker for easier scanning.
3. Authorization Request
- The app redirects you to the Potato Identity Provider (like OAuth normally does).
- You scan your potato via camera, or place it on a “Potato Auth Pad” (special hardware).
4. Identity Verification
- The PIP checks the potato’s biometric signature against its database.
Optional: ask the potato a secret question, e.g., “What is your favorite fertilizer?”
5. Token Issuance
- Upon successful verification, the PIP issues an access token just like normal OAuth.
- The app now knows your identity because your potato is you (or… represents you).
6. Access Granted
- The app grants access.
- Some apps may display a little potato avatar to remind you who’s logged in.