[OpenID] Very Rough Authentication API

Stephen Paul Weber singpolyma at gmail.com
Thu Aug 2 17:25:23 UTC 2007


I've been reading more on oauth and found some of my own mistakes about it :)

Your issues with my proposal are also valid.  I hope to become active with
oauth and hopefully their list can address my remaining concerns :)

On 8/1/07, Brendan Taylor <whateley at gmail.com> wrote:
>
> On Mon, Jul 30, 2007 at 06:54:07PM -0400, Stephen Paul Weber wrote:
> > Hello lists!
> >    I have been reading the specs on API auth systems such as OpenAuth, WSSE,
> > Facebook API, Google AuthSub, and others.  Based on this reading and my
> > experiences implementing different auth systems, I have created a draft for
> > a generic third-party API auth system that will work fine with OpenID,
> > username/password, or anything else
> > <http://webos.singpolyma.net/Authentication/TEP>.
>
> I've been using OpenAuth (John Panzer's proposal[1], which is only
> loosely related to AOL's token-based system) to authenticate Atom
> Publishing Protocol requests using OpenID. It works very well (and I
> intend to get around to writing it up...), I'd just like to correct
> a couple of things you said about it on that page:
>
> - it doesn't require an API key
> - it doesn't use XML or JSON, all data is passed around in URL
>   parameters
>
> I can see how being able to request sessions of a particular length
> would be useful, though, and obviously an unstealable token is a good
> idea.
>
> As for your proposal:
>
> - how exactly are the client and server performing the Diffie-Hellman
>   exchange?
>
> - unless I'm misunderstanding something, if the session key is being
>   passed back to the client in cleartext, it's still stealable.
>
> - why does the client need to verify the session key? surely it's the
>   service that needs to authenticate the client, rather than the other
>   way around?
>
> 1: <http://journals.aol.com/panzerjohn/abstractioneer/entries/2007/05/04/aol-openauth-and-atom-publishing-protocol/1440>
>



-- 
- Stephen Paul Weber, Amateur Writer
<http://www.awriterz.org>

MSN/GTalk/Jabber: singpolyma at gmail.com
ICQ/AIM: 103332966
BLOG: http://singpolyma.net/
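The reply quoted above asks how the Diffie-Hellman exchange would actually be performed and points out that a session key sent back in cleartext is still stealable. The following is an added example, not code from this thread or from the TEP draft, of one shape such an exchange can take: each side sends only its public value, both derive the same session key locally, and the client then proves possession of that key by HMAC-signing each request with a nonce and timestamp, so the key itself never crosses the wire. Everything here is an assumption for illustration: the toy 127-bit group (far too small for real use; a real deployment would use an RFC 3526 MODP group or ECDH), the SHA-256 key derivation, the HMAC-SHA256 request signature, and the `Service`/`Client` names. One caveat a practitioner would raise: plain Diffie-Hellman as shown does not stop an active man-in-the-middle, so something outside this sketch (TLS, or a signature over the server's public value) still has to authenticate the server's half of the exchange.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption for this example): 2**127 - 1 is prime
# but far too small for real use; production code would use an RFC 3526 MODP
# group or ECDH. The exchange below has the same shape in either case.
P = 2**127 - 1
G = 5
KEY_BYTES = (P.bit_length() + 7) // 8


def dh_keypair():
    """Fresh private exponent x and the public value g^x mod p."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Shared secret peer_pub^x mod p; reject degenerate public values."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_pub, priv, P)


def derive_session_key(shared, session_id, ttl):
    """Bind the key to this session id and its negotiated lifetime."""
    material = shared.to_bytes(KEY_BYTES, "big") + session_id.encode() + str(ttl).encode()
    return hashlib.sha256(material).digest()


def sign_request(key, method, url, nonce, timestamp):
    """HMAC over the request line; only the signature travels, never the key."""
    base = f"{method}\n{url}\n{nonce}\n{timestamp}".encode()
    return hmac.new(key, base, hashlib.sha256).hexdigest()


class Service:
    def __init__(self, clock, ttl=600, skew=300):
        self.clock, self.ttl, self.skew = clock, ttl, skew
        self.sessions = {}   # session_id -> (key, expiry)
        self.seen = set()    # (session_id, nonce) pairs already accepted

    def start_session(self, client_pub):
        priv, pub = dh_keypair()
        session_id = secrets.token_hex(8)
        key = derive_session_key(dh_shared(priv, client_pub), session_id, self.ttl)
        self.sessions[session_id] = (key, self.clock() + self.ttl)
        # Only public data goes back over the wire; the key stays here.
        return {"session_id": session_id, "server_pub": pub, "ttl": self.ttl}

    def verify_request(self, req):
        entry = self.sessions.get(req["session_id"])
        if entry is None:
            return False
        key, expiry = entry
        now = self.clock()
        if now > expiry or abs(now - req["timestamp"]) > self.skew:
            return False
        if (req["session_id"], req["nonce"]) in self.seen:
            return False     # replay of a captured request
        expected = sign_request(key, req["method"], req["url"], req["nonce"], req["timestamp"])
        if not hmac.compare_digest(expected, req["sig"]):
            return False
        self.seen.add((req["session_id"], req["nonce"]))
        return True


class Client:
    def __init__(self, clock):
        self.clock = clock
        self.priv, self.pub = dh_keypair()
        self.session_id = self.key = None

    def finish_session(self, resp):
        shared = dh_shared(self.priv, resp["server_pub"])
        self.session_id = resp["session_id"]
        self.key = derive_session_key(shared, self.session_id, resp["ttl"])

    def request(self, method, url):
        nonce, ts = secrets.token_hex(8), int(self.clock())
        sig = sign_request(self.key, method, url, nonce, ts)
        return {"session_id": self.session_id, "method": method, "url": url,
                "nonce": nonce, "timestamp": ts, "sig": sig}


def demo():
    """Run the exchange under a fixed clock and report what an eavesdropper
    who captured every message could and could not do with it."""
    now = [1_186_000_000]             # constructed: fixed epoch seconds
    clock = lambda: now[0]
    svc, cli = Service(clock), Client(clock)
    resp = svc.start_session(cli.pub)  # wire: client_pub ->, <- session_id, server_pub, ttl
    cli.finish_session(resp)
    on_wire = [str(cli.pub), str(resp["server_pub"]), resp["session_id"], str(resp["ttl"])]
    req = cli.request("POST", "/atom/entries")
    first = svc.verify_request(req)
    replay = svc.verify_request(req)   # same nonce, captured and resent
    forged = svc.verify_request(dict(cli.request("PUT", "/atom/entries/1"), url="/atom/admin"))
    now[0] += resp["ttl"] + 1          # session lifetime has elapsed
    stale = svc.verify_request(cli.request("GET", "/atom/entries"))
    return {"keys_match": cli.key == svc.sessions[resp["session_id"]][0],
            "key_on_wire": cli.key.hex() in on_wire,
            "first": first, "replay": replay, "forged": forged, "stale": stale}
```

Running `demo()` shows both sides holding the same key although no message carried it, a first signed request accepted, the same request replayed rejected by its nonce, a request with a rewritten URL rejected by its signature, and a request after the negotiated lifetime rejected as expired.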

