[OpenID] Very Rough Authentication API
Brendan Taylor
whateley at gmail.com
Wed Aug 1 23:30:14 UTC 2007
On Mon, Jul 30, 2007 at 06:54:07PM -0400, Stephen Paul Weber wrote:
> Hello lists!
> I have been reading the specs on API auth systems such as OpenAuth, WSSE,
> Facebook API, Google AuthSub, and others. Based on this reading and my
> experiences implementing different auth systems, I have created a draft for
> a generic third-party API auth system that will work fine with OpenID,
> username/password, or anything else <http://webos.singpolyma.net/Authentication/TEP>.
I've been using OpenAuth (John Panzer's proposal[1], which is only
loosely related to AOL's token-based system) to authenticate Atom
Publishing Protocol requests using OpenID. It works very well (and I
intend to get around to writing it up...), I'd just like to correct
a couple of things you said about it on that page:
- it doesn't require an API key
- it doesn't use XML or JSON, all data is passed around in URL
parameters
I can see how being able to request sessions of a particular length
would be useful, though, and obviously an unstealable token is a good
idea.
As for your proposal:
- how exactly are the client and server performing the Diffie-Hellman
exchange?
- unless I'm misunderstanding something, if the session key is being
passed back to the client in cleartext, it's still stealable.
- why does the client need to verify the session key? surely it's the
service that needs to authenticate the client, rather than the other
way around?
1: <http://journals.aol.com/panzerjohn/abstractioneer/entries/2007/05/04/aol-openauth-and-atom-publishing-protocol/1440>
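As an added illustration of the two points raised above (a key derived by Diffie-Hellman never crosses the wire, and a token bound to each request cannot be reused by an eavesdropper), this is example code written for this page, not code from either message or from the TEP proposal. The group parameters are a constructed toy and the URL-parameter signing scheme is an assumption, not any protocol the thread specifies.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode

# Constructed toy parameters for this example only: a Mersenne prime as the
# modulus and a small generator. Not a standard group; not for real use.
P = 2**127 - 1
G = 5


def dh_keypair():
    """Generate a Diffie-Hellman private exponent and its public value."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_session_key(priv, peer_pub):
    """Derive the session key from our exponent and the peer's public value.
    Only public values are exchanged; the key itself is never sent."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def sign_request(key, params):
    """Sign the URL parameters with the session key: the client proves it
    holds the key without ever transmitting it."""
    base = urlencode(sorted(params.items()))
    sig = hmac.new(key, base.encode(), hashlib.sha256).hexdigest()
    return base + "&sig=" + sig


def verify_request(key, query):
    """Service side: recompute the signature over the other parameters."""
    params = dict(parse_qsl(query))
    sig = params.pop("sig", "")
    base = urlencode(sorted(params.items()))
    expected = hmac.new(key, base.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected), params


def demo():
    """Client and service derive the same key, the service accepts a signed
    request, and a copy of that request with one parameter altered fails."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    client_key = dh_session_key(c_priv, s_pub)
    service_key = dh_session_key(s_priv, c_pub)
    query = sign_request(client_key, {"action": "post", "nonce": "n1"})
    ok, _ = verify_request(service_key, query)
    altered_ok, _ = verify_request(service_key, query.replace("post", "delete"))
    return client_key == service_key, ok, altered_ok
```

Replay of an unmodified request still verifies here; a service would additionally track the nonce per session to reject repeats.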