API authentication (was iChain integration)
openID is not enough; we need a more general, browser-independent and iChain-independent way of authenticating API calls (I'm reusing the old iChain issue, since it was in fact being used to log the activity related to this subject).
#6 Updated by ancorgs almost 9 years ago
I propose to use openID for user authentication through the web interface and an API Key with HMAC headers for API authorization. I spent the WHOLE MORNING writing a blog post draft explaining the 'what' and the 'why': http://etherpad.cloud.suse.de/p/fZz2qcvyvt
#8 Updated by ancorgs almost 9 years ago
- % Done changed from 0 to 50
New branch 'auth' created in the repository with a working (but WIP) user-based authentication and authorization system.
- Tests are not adapted yet
- script/client now contains an example implementation of HMAC authentication that needs to be extracted and generalized
- A user with is_operator = true is needed in the web interface
- An API key associated with such a user is needed if there is no browser (no browser == no openID).
- TODO: CSRF should probably be removed from clients
If somebody with more Perl knowledge pulls and fixes the clients (to read the key and secret from a config file and that kind of thing), it would be highly appreciated.
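The API key plus HMAC header scheme proposed in #6 and mentioned for script/client in #8 can be sketched as follows. This is an added example, not the project's script/client code and not written by anyone in this issue; it is in Python rather than Perl, and the header names, signing layout, 300-second window and sample keys are all assumptions, since the issue does not specify them.

```python
import hashlib
import hmac
import time

# Hypothetical header names and signing layout; the issue does not specify them.
HDR_KEY, HDR_TIME, HDR_SIG = "X-Example-Key", "X-Example-Time", "X-Example-Signature"
MAX_SKEW = 300  # seconds a signed request stays valid (assumed value)

# Constructed sample store: API key -> (secret, owner's is_operator flag).
KEYS = {"DEMOKEY01": (b"demo-secret-not-real", True),
        "DEMOKEY02": (b"another-demo-secret", False)}


def _mac(secret, method, path, body, stamp):
    # Bind the signature to method, path, timestamp and a body digest so none
    # of them can be changed without knowing the secret.
    msg = "\n".join([method.upper(), path, stamp, hashlib.sha256(body).hexdigest()])
    return hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()


def sign_request(key, secret, method, path, body=b"", now=None):
    """Client side: return the headers to attach to an API call."""
    stamp = str(int(time.time() if now is None else now))
    return {HDR_KEY: key, HDR_TIME: stamp,
            HDR_SIG: _mac(secret, method, path, body, stamp)}


def verify_request(headers, method, path, body=b"", now=None):
    """Server side: return (ok, reason). The secret never travels on the wire."""
    key, stamp, sig = (headers.get(h, "") for h in (HDR_KEY, HDR_TIME, HDR_SIG))
    if key not in KEYS:
        return False, "unknown key"
    secret, is_operator = KEYS[key]
    if not (stamp.isascii() and stamp.isdigit()):
        return False, "bad timestamp"
    now = time.time() if now is None else now
    if abs(now - int(stamp)) > MAX_SKEW:
        return False, "stale request"  # limits replay of captured requests
    expected = _mac(secret, method, path, body, stamp)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "bad signature"
    if not is_operator:
        return False, "not an operator"  # authorization after authentication
    return True, "ok"
```

Because the request is authenticated by a per-request signature rather than a browser session cookie, a client using this scheme has no ambient credential for a cross-site request to ride on.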