OpenID authentication on AppEngine and non-AppEngine subdomains


I have a main website on AppEngine, on a subdomain such as main.example.com. This main application is a content portal for our customers. It provides an Ajax application built on YUI; customers can upload data through it. Users authenticate using a federated login.

The Ajax application lets users process previously uploaded data. To do this, it has to use a web service running on another subdomain such as service.example.com. The web service does not run on AppEngine but on our own servers: it is CPU heavy and built on a different set of technologies. It will need to download data from the main application, but everything on the main application, including the download endpoint, is behind the authentication wall.

I could always let the main application serve that data openly to the service, but I think that could turn into a major security problem.

How can I pass the OpenID authentication "token" to the service, in a form that proves to the main application that the request comes from an authenticated user, so that the service can download that data? Or, if that is not possible, what would be the best way to do what I intend to do?

You can't actually reuse authentication tokens. What you want is something like OAuth, although since you control both ends you can make it a bit simpler:

  1. Generate a shared secret known to both main.example.com and service.example.com.
  2. When a user accesses service.example.com for the first time (no authentication cookie), redirect them to main.example.com/auth?continue=original_url (where original_url is the URL they were trying to reach).
  3. When you receive a request for main.example.com/auth, first log the user in (if they are not already). Then take their user ID or other relevant credentials and compute an HMAC over them using the shared secret from step 1. Redirect the user to service.example.com/finish_auth, passing the computed HMAC, the authentication details such as the user ID, and any parameters that were passed through, such as the original URL.
  4. When you receive a request for service.example.com/finish_auth, compute the HMAC as above and check that it matches the one passed in. If it does, you know the request is valid: set an authentication cookie for service.example.com containing any relevant details, and redirect the user to their original URL.

It sounds complex, but it is quite simple to implement. It is a standard way of 'passing' credentials between mutually trusting systems, and it is not unlike what many SSO systems use.
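The four-step handoff above, written out as an added example (this is not code from the answer's author or from either site; it is illustrative). It assumes the query parameter names `user_id`, `continue`, `issued_at` and `mac`, a 300-second token lifetime, and a check that the `continue` URL points back at the service host; the timestamp and the host check are additions a defender would want (they limit replay of a captured finish_auth link and prevent the handoff from being used as an open redirect) and are not part of the answer's description.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Step 1: the shared secret held by both hosts. Constructed for this example;
# in practice generate it once (e.g. secrets.token_bytes(32)) and deploy it
# to both main.example.com and service.example.com out of band.
SHARED_SECRET = b"example-shared-secret-do-not-use-in-production"

MAIN_HOST = "main.example.com"
SERVICE_HOST = "service.example.com"
TOKEN_LIFETIME = 300  # seconds a finish_auth link stays valid (assumption, not in the answer)


def _message(user_id: str, continue_url: str, issued_at: int) -> bytes:
    # Length-prefix every field so that ("ab", "c") and ("a", "bc") do not
    # serialise to the same bytes and therefore cannot share an HMAC.
    parts = [user_id, continue_url, str(issued_at)]
    return b"".join(f"{len(p)}:{p};".encode("utf-8") for p in parts)


def compute_hmac(user_id: str, continue_url: str, issued_at: int) -> str:
    # HMAC-SHA256 over the user ID, the original URL and the issue time.
    return hmac.new(SHARED_SECRET, _message(user_id, continue_url, issued_at),
                    hashlib.sha256).hexdigest()


def build_redirect_to_main(original_url: str) -> str:
    # Step 2: the service sends an unauthenticated visitor to the main site,
    # remembering where they wanted to go.
    return f"https://{MAIN_HOST}/auth?" + urlencode({"continue": original_url})


def build_finish_auth_url(user_id: str, continue_url: str,
                          issued_at: Optional[int] = None) -> str:
    # Step 3: after the main site has authenticated the user, it signs the
    # user ID (plus the original URL and a timestamp) and redirects back.
    issued_at = int(time.time()) if issued_at is None else issued_at
    mac = compute_hmac(user_id, continue_url, issued_at)
    query = urlencode({"user_id": user_id, "continue": continue_url,
                       "issued_at": issued_at, "mac": mac})
    return f"https://{SERVICE_HOST}/finish_auth?{query}"


def verify_finish_auth(finish_url: str, now: Optional[int] = None) -> Optional[str]:
    # Step 4: the service recomputes the HMAC and accepts the user ID only if
    # the signature, the timestamp and the continue URL all check out.
    # Returns the authenticated user ID, or None if the request is rejected.
    parsed = urlparse(finish_url)
    if parsed.netloc != SERVICE_HOST or parsed.path != "/finish_auth":
        return None
    params = parse_qs(parsed.query)
    try:
        user_id = params["user_id"][0]
        continue_url = params["continue"][0]
        issued_at = int(params["issued_at"][0])
        presented = params["mac"][0]
    except (KeyError, IndexError, ValueError):
        return None
    expected = compute_hmac(user_id, continue_url, issued_at)
    # Constant-time comparison so a byte-by-byte timing difference leaks nothing.
    if not hmac.compare_digest(expected, presented):
        return None
    now = int(time.time()) if now is None else now
    if not 0 <= now - issued_at <= TOKEN_LIFETIME:
        return None  # stale or future-dated link: refuse to accept it again
    if urlparse(continue_url).netloc != SERVICE_HOST:
        return None  # only redirect back onto our own service
    return user_id


if __name__ == "__main__":
    # Walk through the exchange for a constructed user and URL.
    wanted = f"https://{SERVICE_HOST}/data/42"
    print("step 2:", build_redirect_to_main(wanted))
    link = build_finish_auth_url("alice", wanted)
    print("step 3:", link)
    print("step 4 accepts user:", verify_finish_auth(link))
```

At this point the service would set its own session cookie for the returned user ID and issue the final redirect to `continue`; the cookie itself, not the finish_auth link, carries the session from then on, so the link only has to survive for the few seconds the redirect takes.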
