[cosmo-dev] Basic Auth is sooo 1996
Matthew Eernisse
mde at osafoundation.org
Wed Nov 28 17:06:52 PST 2007
Responses below ...
Travis Vachon wrote:
>> I'm guessing other auth schemes like WSSE would still require a
>> plaintext equivalent of password to be kept somewhere on the client,
>> correct?
>>
>
> No, that's precisely what we're hoping to avoid.
I did read that XML.com article back when I was playing with the Pownce
API -- from what I can see, you still have to keep the password around
somewhere to create the digest for each request, right?
"In turn, Bob's Atom-enabled client software generates a new nonce and
creation timestamp with each request. This will protect against replay
attacks."
PasswordDigest = Base64(SHA1(Nonce + CreationTimestamp + Password))
Is there something I'm missing here?
Also, it seems like we would still have the problem of the ugly auth box
popping up with failed requests:
"If Bob got his password wrong, the server simply responds with an HTTP
401 Unauthorized with the WWW-Authenticate: header, same as before; or,
optionally, with some explanatory text in the body of the message to
tell the client what's going on."
Google's AuthSub seems to be token-based -- session tokens that would be
tied to a single server (or token store). Re. the single-use ones -- "a
single-use token may be sufficient, for example, if the interaction is a
one-time or rare event."
That doesn't seem to be a big help to us either.
>> I realize this is kind of tangential to the discussion, but it occurs
>> to me that we've been ignoring a pretty obvious and fairly secure way
>> to store those creds client-side, since JS gives us real private vars
>> with inner scope:
>
> Our problem is preserving credentials between page loads (ie, remember
> credentials on login page and have them available in the
> pim/admin/account browser ui), so this doesn't do it.
Oop, I'm a doof. Totally forgot that part of it. Yeah, even sticking it
into a temp cookie is pretty horrible.
Maybe we could forget the redirect, and just load the entire PIM UI
in-place on the same page.
Just kidding. Mostly.
:)
Matthew
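Added example, not code from this thread or from Cosmo: the WSSE UsernameToken exchange the quoted article describes, written in Python with a client that signs each request and a server that checks the timestamp and rejects a reused nonce. The credential store and the dictionary field names are assumptions; the digest formula is the one quoted above. It makes the point concrete: both make_token and verify take the plaintext password as an input on every call, so neither side can work from a one-way hash.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional

ISO = "%Y-%m-%dT%H:%M:%SZ"
# Constructed sample credential store. The server recomputes the digest from
# the plaintext password, so it needs that (or an equivalent) as well.
USER_PASSWORDS = {"bob": "correct horse battery staple"}


def password_digest(nonce: str, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA1(Nonce + CreationTimestamp + Password))."""
    raw = (nonce + created + password).encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def make_token(username: str, password: str, now: Optional[datetime] = None) -> dict:
    """Client side: fresh nonce and timestamp per request, so the password
    has to be available every time a request is signed."""
    created = (now or datetime.now(timezone.utc)).strftime(ISO)
    nonce = secrets.token_hex(16)
    return {"Username": username, "Nonce": nonce, "Created": created,
            "PasswordDigest": password_digest(nonce, created, password)}


class WsseVerifier:
    """Server side: check freshness, refuse reused nonces, then compare digests."""

    def __init__(self, passwords: dict, max_skew: timedelta = timedelta(minutes=5)):
        self.passwords, self.max_skew, self.seen_nonces = passwords, max_skew, set()

    def verify(self, token: dict, now: Optional[datetime] = None) -> bool:
        now = now or datetime.now(timezone.utc)
        password = self.passwords.get(token.get("Username"))
        if password is None:
            return False
        created = datetime.strptime(token["Created"], ISO).replace(tzinfo=timezone.utc)
        if abs(now - created) > self.max_skew:
            return False                      # stale or future-dated timestamp
        if token["Nonce"] in self.seen_nonces:
            return False                      # replayed nonce
        expected = password_digest(token["Nonce"], token["Created"], password)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return False                      # wrong password
        self.seen_nonces.add(token["Nonce"])  # only accepted nonces are remembered
        return True


def simulate() -> dict:
    """Exercise fresh, replayed, wrong-password and stale tokens on one verifier."""
    v, now = WsseVerifier(USER_PASSWORDS), datetime(2007, 11, 28, 17, 6, 52, tzinfo=timezone.utc)
    good = make_token("bob", "correct horse battery staple", now)
    old = make_token("bob", "correct horse battery staple", now - timedelta(hours=1))
    return {"fresh": v.verify(good, now), "replay": v.verify(good, now),
            "wrong_password": v.verify(make_token("bob", "nope", now), now),
            "stale": v.verify(old, now)}
```

In a real deployment the nonce set would be pruned of entries older than the skew window; here it only grows.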