Sorry to keep talking to myself here, but I find what other sites are
doing really interesting, and pertinent to GAE because there doesn't
seem to be an agreed upon solution.

Facebook uses a form for their logins that posts to an HTTPS url:

https://login.facebook.com/login.php?

So does Google for that matter.

Twitter also allows for http://twitter.com and https://twitter.com,
although the default is plain http, probably because https is slower
and more computationally expensive.

So it looks like https is the most secure way, but I noticed that
Google App Engine doesn't allow SSL unless you are using a
*.appspot.com domain.

http://code.google.com/appengine/docs/python/config/appconfig.html#Secure_URLs

So if I have my blah.mydomain.com pointing via DNS CNAME, to my
blah.appspot.com, I can't use https://blah.mydomain.com.

All this just to not send the password to the server plain text.  :|

Cheers,
Shane

On Jun 10, 4:15 pm, Shane <[email protected]> wrote:
> I've actually just noticed that Twitter itself uses Basic Auth:
>
> http://apiwiki.twitter.com/Authentication
>
> It says OAuth is in development, but that Basic Auth won't be going
> anywhere for the foreseeable future.
>
> The trouble is, Basic Auth is insecure:
>
> http://en.wikipedia.org/wiki/Basic_access_authentication
>
> "Although the scheme is easily implemented, it relies on the
> assumption that the connection between the client and server computers
> is secure and can be trusted. Specifically, the credentials are passed
> as plaintext and could be intercepted easily. The scheme also provides
> no protection for the information passed back from the server."
>
> I am going to look around at other public web APIs, but if a site as
> large as Twitter is content to use this system, should I be all that
> worried?
>
> I would really like to know what experienced web programmers do here,
> either in GAE+GWT, or just generally.
>
> Cheers,
> Shane
>
> On Jun 10, 1:02 am, Shane <[email protected]> wrote:
>
> > I've seen some pretty heated debates around the discussion boards
> > about this, but I haven't seen a solution that people decide on.
>
> > Simply put, any application that I want to write will likely perform
> > some sort of mashup between other services, like Twitter.
>
> > For me to do anything interesting, I need the user to enter their
> > Twitter username and password into a GWT client-side control on my
> > site, which I then send back to my app running on GAE.  I'll then
> > use the password to log into Twitter with their credentials and do
> > whatever it is I want to do, all the while not saving the user's
> > password in plain text anywhere.  I have no interest in holding onto
> > anyone's credentials.
>
> > So what is the best way for me to do this?  I am hearing people say
> > that anything short of HTTPS is a waste of time.
>
> > I guess this also becomes the larger issue of authentication
> > generally, and I'm surprised there are still such heated discussions
> > on the subject.  I thought it'd be a done deal by now.
>
> > So, if anyone could point me in the right direction, in the context of
> > GWT+GAE, I'd much appreciate it.
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to 
[email protected]
For more options, visit this group at 
http://groups.google.com/group/Google-Web-Toolkit?hl=en
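Added example (not code from the thread, from Twitter, Facebook, Google or App Engine): the thread's two points are that Basic Auth over plain http is plaintext, and that a login form is only protected if its action URL is https, even when the page itself is served over http (the Facebook pattern above). The code below shows the first point by recovering the username and password from constructed captured requests, one with an Authorization: Basic header and one with a form POST body, and the second by scanning a constructed HTML page for password forms whose action would POST over plain http. The request bytes, the HTML, the host names and the form field names (username/password) are all assumptions made for this example.

```python
"""Added example, not from the thread or any service named in it.

Part 1: what a passive observer on the network path recovers from a
plaintext HTTP request, whether it uses Basic Auth or a form POST.
Part 2: which password forms on a page would POST over plain http.
"""
import base64
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlsplit

# --- Part 1: constructed captured requests (not real traffic) -------------

# Basic Auth request as seen on the wire with an http:// scheme.
BASIC_AUTH_REQUEST = (
    b"GET /statuses/user_timeline.json HTTP/1.1\r\n"
    b"Host: api.example.com\r\n"
    b"Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n"
    b"\r\n"
)

# Login form POST, also over http://; field names are an assumption.
_FORM_BODY = b"username=alice&password=hunter2"
FORM_POST_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: " + str(len(_FORM_BODY)).encode("ascii") + b"\r\n"
    b"\r\n" + _FORM_BODY
)


def _split_request(raw):
    """Split raw HTTP/1.1 bytes into (request line, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii")
    return lines[0].decode("ascii"), headers, body


def extract_credentials(raw):
    """Return (username, password) readable from a plaintext request, else None."""
    _, headers, body = _split_request(raw)
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        # Basic Auth is base64, an encoding, not encryption: one decode away.
        user, _, password = base64.b64decode(auth[6:]).decode("utf-8").partition(":")
        return user, password
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        # A form POST over http is exactly as exposed; only the framing differs.
        fields = parse_qs(body.decode("utf-8"))
        user = fields.get("username", [None])[0]
        password = fields.get("password", [None])[0]
        if user is not None and password is not None:
            return user, password
    return None


# --- Part 2: constructed page with three forms -----------------------------

SAMPLE_PAGE_URL = "http://www.example.com/"
SAMPLE_HTML = """
<html><body>
<form action="https://login.example.com/login.php" method="post">
  <input name="email"><input type="password" name="pass">
</form>
<form action="/login" method="post">
  <input name="username"><input type="password" name="password">
</form>
<form action="/search"><input name="q"></form>
</body></html>
"""


class _LoginFormScanner(HTMLParser):
    """Collect each form's resolved action URL and whether it has a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A relative action inherits the page's scheme, so http stays http.
            self._current = {"action": urljoin(self.page_url, a.get("action") or ""),
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_login_forms(page_url, html):
    """Return action URLs of password forms that would submit over plain http."""
    scanner = _LoginFormScanner(page_url)
    scanner.feed(html)
    return [f["action"] for f in scanner.forms
            if f["has_password"] and urlsplit(f["action"]).scheme != "https"]


if __name__ == "__main__":
    print("Basic Auth on the wire:", extract_credentials(BASIC_AUTH_REQUEST))
    print("Form POST on the wire: ", extract_credentials(FORM_POST_REQUEST))
    print("Forms posting over http:", insecure_login_forms(SAMPLE_PAGE_URL, SAMPLE_HTML))
```

Both constructed requests yield the same plaintext pair, which is the practical reading of the Wikipedia quote above: the weakness is the plain http transport, not the Basic scheme as such, so a form-based login over http gains nothing over Basic Auth. The form scan flags only the relative-action form; the first form is safe by the same rule Facebook's login page relies on, an https action reached from an http page.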