
launchpad-dev team mailing list archive

Re: Fwd: [Fwd: Quickly and Launchpad]

 

On Fri, 2010-06-25 at 08:42 +0200, Didier Roche wrote:
> On Friday 25 June 2010 at 16:34 +1000, William Grant wrote:
> > On Fri, 2010-06-25 at 08:28 +0200, Didier Roche wrote:
> > > On Friday 25 June 2010 at 16:16 +1000, William Grant wrote:
> > > > The code of the basic write implementation is simple. However,
> > > > difficulty arises when we consider that normal API applications probably
> > > > shouldn't be able to touch other authentication tokens. It is intended
> > > > that one should be able to stop a rogue application by simply revoking
> > > > its OAuth token; if applications were permitted to add new SSH and
> > > > OpenPGP keys, they could add backdoors that would not be closed using
> > > > normal means.
> > > > 
> > > 
> > > My point is that people are already able to do that with
> > > screenscraping (see GroundControl for instance), I don't really
> > > understand why exposing those to API is more or less a security issue
> > > there when people click on "change everything".
> > > Or do you mean that adding gpg or ssh key writable to API is opening
> > > other backdoor than the site itself doesn't enable?
> > 
> > If I give an application my SSO email address and password, I expect
> > them to be able to do anything at all. But applications aren't meant to
> > request that information -- one reason is that it's a lot harder to
> > revoke access granted that way, and those credentials have access to a
> > lot more than just Launchpad. OAuth is meant to be a solution to this.
> > 
> > I think perhaps an additional access mode which permits alteration of
> > authentication tokens could work. We already need more flexibility in
> > that area.
> > 
> 
> Here is what GC does:
> it opens a browser window embedded in a webkit widget to get the
> credential and cookie. I think from the user's point of view, they don't see
> the difference from regular Launchpad applications that use
> the API to open the request in a real web browser window. So my remark on
> the fact it's not real security.
> 
> Well, I'm still puzzled and don't know what to do for Quickly: again, if
> I can work with you guys to have the "good way", like done with jml on
> gpg/ssh access last cycle, I'm all in favor for that. I just realized
> last cycle that hacking on LP was time consuming and quite hard when you
> don't know the rationale :)

Applications should be able to mutate SSH and OpenPGP keys through the
API, if the user wants them to do so. But it needs to be an explicit
decision on the user's part to grant an application that extra
privilege; it undermines some of the security that OAuth provides, and
is completely undesirable for most applications.

I envisage that Quickly should be able to request a token with access to
other authentication tokens, Launchpad will then confirm that the user
is OK with that, and everyone will live happily ever after (without
screenscraping).
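
The access-mode idea discussed in this thread, as an added example that is not part of the original message and is not Launchpad code. The `Access` levels, the `Account` class and the `user_confirmed_credentials` flag are hypothetical names, and the SSH key string is a constructed placeholder. It shows why key mutation is gated separately: a key added by an application outlives revocation of that application's token.

```python
from dataclasses import dataclass, field
from enum import Enum


class Access(Enum):  # hypothetical access modes, not Launchpad's own
    READ = 1
    WRITE = 2              # ordinary "change anything" grant
    WRITE_CREDENTIALS = 3  # extra mode: may alter SSH/OpenPGP keys


@dataclass
class Account:
    ssh_keys: set = field(default_factory=set)
    tokens: dict = field(default_factory=dict)  # token id -> Access

    def grant(self, token_id, access, user_confirmed_credentials=False):
        # The credential-altering mode needs an explicit user decision.
        if access is Access.WRITE_CREDENTIALS and not user_confirmed_credentials:
            raise PermissionError("user did not approve credential access")
        self.tokens[token_id] = access

    def revoke(self, token_id):
        # Revocation removes the token only; keys already added stay.
        self.tokens.pop(token_id, None)

    def add_ssh_key(self, token_id, key):
        if self.tokens.get(token_id) is not Access.WRITE_CREDENTIALS:
            raise PermissionError("token may not alter authentication keys")
        self.ssh_keys.add(key)


def keys_left_after_revoke(access, confirmed=False):
    """Grant a token, let the app try to add a key, revoke, return leftovers."""
    acct = Account()
    acct.grant("app", access, user_confirmed_credentials=confirmed)
    try:
        acct.add_ssh_key("app", "ssh-ed25519 CONSTRUCTED-PLACEHOLDER app@example")
    except PermissionError:
        pass
    acct.revoke("app")
    return acct.ssh_keys


if __name__ == "__main__":
    print("WRITE token:", keys_left_after_revoke(Access.WRITE))
    print("WRITE_CREDENTIALS token:",
          keys_left_after_revoke(Access.WRITE_CREDENTIALS, confirmed=True))
```

With an ordinary `WRITE` token, revocation leaves nothing behind; with the confirmed credential mode, the key remains and has to be removed separately.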



