• If you are citizen of an European Union member nation, you may not use this service unless you are at least 16 years old.

  • Social distancing? Try a better way to work remotely on your online files. Dokkio, a new product from PBworks, can help your team find, organize, and collaborate on your Drive, Gmail, Dropbox, Box, and Slack files. Sign up for free.



Page history last edited by Chris Messina 12 years, 8 months ago

Meeting 4/4/2007


Larry, Blaine, Chris, Tara, Britt, Jon (jm3), Alex, Jesse


  • Blaine looked at existing patterns in auth schemes... GAuth's is weird
  • want to expose APIs to users... OpenID says yes we know that user, but doesn't say you can act on behalf of that user...
  • 3 major implementations... we need our one way of doing it that isn't digest authentication
  • app dev registers an application w/ a service; you get your apikey and secret key; get auth header by getting token for user by going to auth page... such and such web app wants to do something w/ your account -- ok i'll allow it -- app gets token and stuff gets hashed together and that becomes secondary password that user can revoke at any time
  • app key, secret, url, user token, time stamp and nonce -- everything but secret; on server side, hash that against secret... then authenticate access
  • nonce is there to prevent reply attacks
  • nonce vs timestamp; w/ nonce you get time synchronization... so you can say timestamp must be within certain timeframe of server...
  • standards for nonces? openid nonces are 32-bit...
  • goal is to come out w/ consensus in code
  • alex: std implementation in many languages is key;
  • need a spec that easy to understand; simple, secure, write easy to understand clients in
  • jesse: timestamp is helpful for reply, and timestamp + nonce = timestamp; blaine: question is granualarity of timestamp;
  • look at kerberos, facebook auth
  • fundamental problem: ignore delayed/replay attacks? force people to check client side clock?
  • don't need timestamp; do need request body/params to be signed and we need a nonce
  • generic API says not a counter
  • versioning in auth URL?
  • how to you pass parameters
    • standard http headers
      • bbauth and openid uses this
    • flickr uses getParams (easier for developer)
      • problem is that whole world can see what you're doing
    • authHeader... that lets you send auth header in http headers... but with fall-back to post/get (optional) ... treated the same .. http auth header is there to make spec look nice
      • easier for apache handler to use headers than params...
      • chumby doesn't let you modify auth headers
  • ideal http headers, 2nd: post params; 3rd, getParams
    • header... authorization: OpenAuth, version: X.XX, pass default signing algorithm (?)
  • token revokes themselves...
  • single sign off...
  • manage all your services from one extension...
  • closed wiki, logo, webpages...
  • review with commerce net
  • review with ian





  • interface for widgets/apps
  • handling errors

Comments (0)

You don't have permission to comment on this page.