On Mon, May 19, 2008 at 12:08 PM, Anthony Lai <[EMAIL PROTECTED]>
wrote:

> Hi,
>
>  Got a little confusion regarding authentication, mainly dealing with how a
> backend server can prevent spoofing attacks from client apps created by
> "evil" developers.
>
>
> Assuming signed fetched request is used,
> 1.  Does shindig send out the viewerid to the backend server and let it
> know which user is trying to access the data?


Yes, the OpenSocial spec for signed requests requires this. You can't claim
to support signed fetch if you're not doing this.


> If yes, how can the server retrieve this data?


Which server? Shindig gets it from the security token, which is essentially
a way of passing an encrypted cookie that contains the viewer / owner / app
ids. Out of the box, shindig has two security token implementations:

- Plain text (used for testing)
- Encrypted (used for production)


> 2.  Would it be possible for the backend server to only allow access to
> its data from "authorized" client apps?  Example would be that it only
> wants to allow data access from the specific client apps that they built,
> but no others.  Is there a way for the backend server to authenticate which
> particular app is currently trying to get access?


After verifying the signature, you can just compare the appid. The signature
itself can't be spoofed because the signing spec uses asymmetric
cryptography (public / private key pairs). If the signature is valid, you
can trust the appid value, and simply compare the appid to your known list
of "trusted" appids.

> Assuming OAuth is used,
> 3.  How can the user be sure that the sign-on page is not spoofed by the
> client and tricked them to enter their username/password then steal them
> from him/her?


Containers have to white list all apps that are allowed to use OAuth; any
gadget that does something "bad", like this, can be blocked immediately by
the container.


>
>
>  Thanks.  Any pointers or documentation would be greatly appreciated.
>
> Sincerely,
> Anthony
>

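The check described in the reply above (verify the signature first, only then trust the app id and compare it with a list of known apps), written out as an added Go example; it is not part of this thread or of Shindig's own code. It assumes OAuth 1.0 RSA-SHA1 signing with the parameter names from the OpenSocial signed-request spec (opensocial_viewer_id, opensocial_owner_id, opensocial_app_id), which the mail does not spell out; the key pair, target URL, ids, consumer key, nonce and timestamp are constructed values for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// percentEncode applies the RFC 3986 encoding OAuth 1.0 requires: unreserved
// characters (A-Z a-z 0-9 - . _ ~) pass through, a space becomes %20, not '+'.
func percentEncode(s string) string {
	return strings.ReplaceAll(url.QueryEscape(s), "+", "%20")
}

// baseString builds the OAuth 1.0 signature base string over every request
// parameter except oauth_signature, sorted by name and then by value.
func baseString(method, baseURL string, params url.Values) string {
	var keys []string
	for k := range params {
		if k != "oauth_signature" {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	var pairs []string
	for _, k := range keys {
		vals := append([]string(nil), params[k]...)
		sort.Strings(vals)
		for _, v := range vals {
			pairs = append(pairs, percentEncode(k)+"="+percentEncode(v))
		}
	}
	return strings.ToUpper(method) + "&" + percentEncode(baseURL) + "&" + percentEncode(strings.Join(pairs, "&"))
}

// signedRequest is the container's side: attach the viewer/owner/app ids and
// sign the whole parameter set with the container's private key (RSA-SHA1).
// Parameter names follow the OpenSocial signed-request spec (assumed, not on
// the page); consumer key, nonce and timestamp are constructed constants.
func signedRequest(priv *rsa.PrivateKey, method, baseURL, viewer, owner, app string) (url.Values, error) {
	p := url.Values{}
	p.Set("opensocial_viewer_id", viewer)
	p.Set("opensocial_owner_id", owner)
	p.Set("opensocial_app_id", app)
	p.Set("oauth_consumer_key", "example-container.invalid")
	p.Set("oauth_signature_method", "RSA-SHA1")
	p.Set("oauth_timestamp", "1211200000")
	p.Set("oauth_nonce", "constructed-nonce-1")
	digest := sha1.Sum([]byte(baseString(method, baseURL, p)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:])
	if err != nil {
		return nil, err
	}
	p.Set("oauth_signature", base64.StdEncoding.EncodeToString(sig))
	return p, nil
}

// authorize is the backend's side: verify the signature with the container's
// public key first, and only then read opensocial_app_id and compare it with
// the apps this backend was built for. It returns the viewer id on success.
func authorize(pub *rsa.PublicKey, method, baseURL string, params url.Values, trustedApps map[string]bool) (string, error) {
	sig, err := base64.StdEncoding.DecodeString(params.Get("oauth_signature"))
	if err != nil {
		return "", errors.New("malformed oauth_signature")
	}
	digest := sha1.Sum([]byte(baseString(method, baseURL, params)))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig); err != nil {
		return "", errors.New("signature does not verify; ids in the request cannot be trusted")
	}
	app := params.Get("opensocial_app_id")
	if !trustedApps[app] {
		return "", fmt.Errorf("app %q is not one of ours", app)
	}
	return params.Get("opensocial_viewer_id"), nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // container's key; the backend only holds priv.PublicKey
	const target = "https://backend.example/api/profile"  // constructed backend URL
	trusted := map[string]bool{"app-42": true}             // the apps we built

	// 1. Our own app: signature verifies and the app id is on the list.
	req, _ := signedRequest(priv, "GET", target, "viewer-7", "owner-7", "app-42")
	fmt.Println(authorize(&priv.PublicKey, "GET", target, req, trusted))

	// 2. Another developer's app, correctly signed by the container: rejected on app id.
	other, _ := signedRequest(priv, "GET", target, "viewer-7", "owner-7", "app-99")
	fmt.Println(authorize(&priv.PublicKey, "GET", target, other, trusted))

	// 3. The same request with the app id edited after signing: the signature no longer matches.
	other.Set("opensocial_app_id", "app-42")
	fmt.Println(authorize(&priv.PublicKey, "GET", target, other, trusted))
}
```

The order of the two checks is the whole point: the app id is only meaningful once the container's signature over it has verified, so the backend never compares an unverified id against its list.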