This wiki is no longer active and is left here for historical purposes. Please visit for up-to-date information.


Page history last edited by Chris Messina 10 years, 4 months ago

Meeting 4/4/2007


Larry, Blaine, Chris, Tara, Britt, Jon (jm3), Alex, Jesse


  • Blaine looked at existing patterns in auth schemes... GAuth's is weird
  • want to expose APIs to users... OpenID says yes we know that user, but doesn't say you can act on behalf of that user...
  • 3 major implementations... we need our one way of doing it that isn't digest authentication
  • app dev registers an application w/ a service; you get your apikey and secret key; get auth header by getting token for user by going to auth page... such and such web app wants to do something w/ your account -- ok i'll allow it -- app gets token and stuff gets hashed together and that becomes secondary password that user can revoke at any time
  • app key, secret, url, user token, time stamp and nonce -- everything but secret; on server side, hash that against secret... then authenticate access
  • nonce is there to prevent reply attacks
  • nonce vs timestamp; w/ nonce you get time synchronization... so you can say timestamp must be within certain timeframe of server...
  • standards for nonces? openid nonces are 32-bit...
  • goal is to come out w/ consensus in code
  • alex: std implementation in many languages is key;
  • need a spec that easy to understand; simple, secure, write easy to understand clients in
  • jesse: timestamp is helpful for reply, and timestamp + nonce = timestamp; blaine: question is granualarity of timestamp;
  • look at kerberos, facebook auth
  • fundamental problem: ignore delayed/replay attacks? force people to check client side clock?
  • don't need timestamp; do need request body/params to be signed and we need a nonce
  • generic API says not a counter
  • versioning in auth URL?
  • how to you pass parameters
    • standard http headers
      • bbauth and openid uses this
    • flickr uses getParams (easier for developer)
      • problem is that whole world can see what you're doing
    • authHeader... that lets you send auth header in http headers... but with fall-back to post/get (optional) ... treated the same .. http auth header is there to make spec look nice
      • easier for apache handler to use headers than params...
      • chumby doesn't let you modify auth headers
  • ideal http headers, 2nd: post params; 3rd, getParams
    • header... authorization: OpenAuth, version: X.XX, pass default signing algorithm (?)
  • token revokes themselves...
  • single sign off...
  • manage all your services from one extension...
  • closed wiki, logo, webpages...
  • review with commerce net
  • review with ian





  • interface for widgets/apps
  • handling errors

Comments (0)

You don't have permission to comment on this page.