Yea, that would work, some caveats apply though. First, it sounds like you may not need all of OAuth, but if you want to take advantage of the existing libraries and whatnot the extra OAuth features probably won't cause any problems.
As you said, you'll want to generate signed OAuth URIs for the images on your server and insert them in your HTML. On the producer side (your image server) you'll definitely want to check nonces -- if you don't then every URI you generate will continue working forever, and could be intercepted by someone or forwarded to a third party. To limit the number of nonces you have to "remember" you might decide you'll only accept URIs with a timestamp that's less than 24 hours old (for example), in which case you'll only need to keep used nonces around for 24 hours. Even if you check nonces someone could still request the page, parse out the URIs, and send them to a third party to use. So it's not perfect, but if you're currently using cookie-based auth it's probably about as secure as your existing solution. Mike On Tue, Apr 14, 2009 at 10:32 PM, pkeane <[email protected]> wrote: > > I have been learning about OAuth a bit (I managed to access a GMail > inbox from GAE: > http://simplenotepad.appspot.com/text/goggle-app-engine-oauth-access-to-gmail > ), > but I am still unclear on one point. Assuming I (i.e., the web app) > can get the access token, is it possible to construct a URL that can > be placed in an i...@src in the rendered html to allow the browser to > access a "restricted" image? > > The use case is a digital image library (in heavy use at UT Austin) in > which some images are only available under "fair use." The "image > server" is a separate application from the rest of the app: we > currently check for a UT-specific secure cookie to serve restricted > images (lack of the cookie simply causes us to send a thumbnail > version). I'd much prefer a URL-based access scheme with a two-legged > OAuth approach. This piece need not be uber-secure -- we just don't > want to put all of the assets on the open web. > > --peter keane > > > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~----------~----~----~----~------~----~------~--~---
