Re: [Flickr APIs] new authentication api: msg#00014 (web.flickr.api)
Jacob Jay <jacob-w1M1GQjzACPYtjvyW6yDsg@xxxxxxxxxxxxxxxx> wrote:
: This is a major improvement, URL redirection would be very useful and
: limiting the need to frequently pass personal data is important. My only
: concern with URL redirection and the replacement of login data with the auth
: token for edit actions - are security considerations. Conceivably it would
: allow an api_key to be easily 'hijacked' and used by someone who doesn't
: have one to compromise personal details - whilst masquerading as the
: original application. This could be limited in closed source applications by
: demanding that an application specific 'secret' token is returned with the
: second confirmation call for verification (but I get the impression this
: second call has been done away with?)...

the second call has been done away with for now. the solution of a secret key-part isn't usable for open source apps.

at the moment, flickr prompts the user the first time they authenticate against an application key. maybe if the user was prompted against a key/return_url combo then it would work.

for example, a user uses my legitimate app and is asked if they want to let flickr authenticate them. they choose yes and are logged into the app. they get tricked into using a second app which stole the key from app1. because the return_url will be different, flickr could prompt the user again to ask if they want to authenticate.

the url we'd store would be the return url with the query string chopped off. a call from:

www.a.com/blog_login.cgi?post_id=11

would have the same url as:

www.a.com/blog_login.cgi?post_id=12

if you used an open source weblogging app as in this example, flickr would prompt the user for each different weblog they wanted to authenticate against. this seems correct behavior, since they are in a sense 'different applications'.

--cal
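The key/return_url consent check Cal sketches above, written out as an added Python example (this is not Flickr's code and not part of the original thread). It assumes a server-side consent store keyed on (api_key, canonical return URL), where the canonical form is the return URL with its query string and fragment dropped and scheme/host lowercased; the api keys and URLs below are constructed sample values.

```python
from urllib.parse import urlsplit, urlunsplit


def canonical_return_url(url: str) -> str:
    """Return the return_url with the query string (and fragment) chopped off.

    Scheme and host are lowercased so trivial case differences do not
    look like a new application. Scheme-less URLs such as
    'www.a.com/blog_login.cgi?post_id=11' are handled too: urlsplit puts
    the whole thing in the path, so only the query is removed.
    """
    parts = urlsplit(url.strip())
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path, "", ""))


class ConsentStore:
    """Remembers which (api_key, canonical return_url) pairs a user has approved.

    Hypothetical in-memory store; a real service would persist this per user.
    """

    def __init__(self) -> None:
        self._granted: set[tuple[str, str]] = set()

    def needs_prompt(self, api_key: str, return_url: str) -> bool:
        # Same key but a different canonical return URL counts as a
        # 'different application' and must be shown to the user again.
        return (api_key, canonical_return_url(return_url)) not in self._granted

    def grant(self, api_key: str, return_url: str) -> None:
        self._granted.add((api_key, canonical_return_url(return_url)))


def authorize(store: ConsentStore, api_key: str, return_url: str,
              user_approves: bool) -> str:
    """Decide what the auth endpoint does for one redirect-based login.

    Returns one of:
      'silent'   - pair already approved, redirect without prompting
      'granted'  - user was prompted and approved, pair now stored
      'refused'  - user was prompted and declined, nothing stored
    """
    if not store.needs_prompt(api_key, return_url):
        return "silent"
    if user_approves:
        store.grant(api_key, return_url)
        return "granted"
    return "refused"


def simulate_stolen_key() -> list[str]:
    """Walk through Cal's scenario with constructed values.

    app1 is the legitimate weblog app; a second app has copied app1's key
    but necessarily redirects somewhere else, so the user sees a prompt.
    """
    store = ConsentStore()
    key = "app1-api-key"  # constructed sample key
    decisions = []
    # First login through app1: user is asked and says yes.
    decisions.append(authorize(store, key, "http://www.a.com/blog_login.cgi?post_id=11", True))
    # Second post on the same weblog: query string differs, no new prompt.
    decisions.append(authorize(store, key, "http://www.a.com/blog_login.cgi?post_id=12", True))
    # A different weblog running the same open source app: prompted again.
    decisions.append(authorize(store, key, "http://www.b.com/blog_login.cgi?post_id=1", True))
    # An app reusing app1's key with its own return URL: prompted, user declines.
    decisions.append(authorize(store, key, "http://other.example/collect.cgi", False))
    return decisions


if __name__ == "__main__":
    print(simulate_stolen_key())
```

Note that this binding does not prove which application holds the key; it only guarantees that a key reused from a different return URL cannot ride on an earlier approval, so the user gets a chance to notice. Tightening the canonical form further (for example keeping only the host) would prompt less often but also fold genuinely separate applications on one host into a single approval.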