Meeting 4/4/2007

Larry, Blaine, Chris, Tara, Britt, Jon (jm3), Alex, Jesse

• Blaine looked at existing patterns in auth schemes... GAuth's is weird
• want to expose APIs to users... OpenID says yes we know that user, but doesn't say you can act on behalf of that user...
• 3 major implementations... we need our one way of doing it that isn't digest authentication
• app dev registers an application w/ a service; you get your apikey and secret key; get auth header by getting token for user by going to auth page... such and such web app wants to do something w/ your account -- ok i'll allow it -- app gets token and stuff gets hashed together and that becomes secondary password that user can revoke at any time
• app key, secret, url, user token, time stamp and nonce -- everything but secret; on server side, hash that against secret... then authenticate access
• nonce is there to prevent reply attacks
• nonce vs timestamp; w/ nonce you get time synchronization... so you can say timestamp must be within certain timeframe of server...
• standards for nonces? openid nonces are 32-bit...
• goal is to come out w/ consensus in code
• alex: std implementation in many languages is key;
• need a spec that easy to understand; simple, secure, write easy to understand clients in
• jesse: timestamp is helpful for reply, and timestamp + nonce = timestamp; blaine: question is granualarity of timestamp;
• look at kerberos, facebook auth
• fundamental problem: ignore delayed/replay attacks? force people to check client side clock?
• don't need timestamp; do need request body/params to be signed and we need a nonce
• generic API says not a counter
• versioning in auth URL?
• how to you pass parameters
  • standard http headers
    • bbauth and openid uses this
  • flickr uses getParams (easier for developer)
    • problem is that whole world can see what you're doing
  • authHeader... that lets you send auth header in http headers... but with fall-back to post/get (optional) ... treated the same .. http auth header is there to make spec look nice
    • easier for apache handler to use headers than params...
    • chumby doesn't let you modify auth headers
• ideal http headers, 2nd: post params; 3rd, getParams
  • header... authorization: OpenAuth, version: X.XX, pass default signing algorithm (?)
• token revokes themselves...
• single sign off...
• manage all your services from one extension...
• closed wiki, logo, webpages...
• review with commerce net
• review with ian

• http://developer.yahoo.com/auth/authcalls.html
• http://code.google.com/apis/accounts/AuthForInstalledApps.html
• http://developers.facebook.com/documentation.php?doc=auth
• http://www.flickr.com/services/api/flickr.auth.getToken.html

questions

• interface for widgets/apps
• handling errors