Hi there,

From this page:

http://code.google.com/apis/apps/profiles/developers_guide_protocol.html

It looks like it's possible to use AuthSub or OAuth, which would preclude you
from having to store a username and password. Granted, with an OAuth token,
it'd be possible to make API calls if *that* data is compromised, but it
prevents you from having to expose password information. There are two main
security advantages of using OAuth:

- Access can be revoked without having to change a password, though I am not
sure off the top of my head where this is done. You'll want to ask on the
GData groups.
- If the token is compromised, the password is not compromised. That is - a
user will be able to use the administrative token to continue to make
profile API calls until it is revoked, but they will not be able to log into
your account dashboard in other parts of Google Apps that use the same
username and password.


On Wed, Jan 27, 2010 at 11:25 AM, NMAGOCIO <[email protected]> wrote:

> I would like to develop an App that lets my Google Apps domain users
> update their phone numbers for their domain Profiles.
> My problem is that only a domain admin can access the Profiles API.
> The flow would go something like: user signs in by GAE Apps domain
> user service. On load RPC transfers user name to servlet which uses
> Profiles API and hard coded domain admin account to pull user phone
> numbers.
>
> It does not do much so there is not a lot of risk except the domain
> admin account credentials stored on the server side. That should not
> be accessible but I am concerned. Any ideas on a better way to do this
> or maybe there is no reason for concern?
>
> --
> You received this message because you are subscribed to the Google Groups
> "Google App Engine for Java" group.
> To post to this group, send email to
> [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/google-appengine-java?hl=en.
>
>


-- 
Ikai Lan
Developer Programs Engineer, Google App Engine
http://googleappengine.blogspot.com | http://twitter.com/app_engine
