17 May
2008
17 May
'08
4:55 p.m.
Hello devs,
I'm trying to figure out a "clean" way of storing third-party applications
credentials in a XWiki user profile.
My use case is the following (and I believe such use cases will continue
to occur as we offer more web-services integration). We want XWiki
Workspaces users to be able to update their twitter status too when
posting an update on a workspace "workstream", just checking a box.
First time they would be asked for their twitter credentials, but for the
following ones, it be nice not to ask.
A possible way I want to propose is to encrypt the username/password
couple (for example, represented under their base-64 form since twitter
API requires basic authentication) through a cipher, using a secret key
based on a combination of the user XWiki password hash and a secret
parameter located in xwiki.cfg. This way, programming rights or physical
access to xwiki.cfg would be required to decrypt the login/passwd.
If the user changes his XWiki password, thus the hash, or if the secret
parameter value is changed, the user would be asked to enter is
credentials again (In fact, as soon as the service authentication fails).
WDYT ? Are there cleaner/more secured ways of doing this ?
Thanks for your inputs,
Jerome.
17 May
17 May
9:25 p.m.
Jerome
This is already existing.
Using the password field in encrypted mode (versus the default hash
mode) should allow you to store credentials in a secure way.
They are made only available using programming rights.
Ludovic
Jerome Velociter wrote:
Hello devs,
I'm trying to figure out a "clean" way of storing third-party applications
credentials in a XWiki user profile.
My use case is the following (and I believe such use cases will continue
to occur as we offer more web-services integration). We want XWiki
Workspaces users to be able to update their twitter status too when
posting an update on a workspace "workstream", just checking a box.
First time they would be asked for their twitter credentials, but for the
following ones, it be nice not to ask.
A possible way I want to propose is to encrypt the username/password
couple (for example, represented under their base-64 form since twitter
API requires basic authentication) through a cipher, using a secret key
based on a combination of the user XWiki password hash and a secret
parameter located in xwiki.cfg. This way, programming rights or physical
access to xwiki.cfg would be required to decrypt the login/passwd.
If the user changes his XWiki password, thus the hash, or if the secret
parameter value is changed, the user would be asked to enter is
credentials again (In fact, as soon as the service authentication fails).
WDYT ? Are there cleaner/more secured ways of doing this ?
Thanks for your inputs,
Jerome.
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
--
Ludovic Dubost
Blog: http://blog.ludovic.org/
XWiki: http://www.xwiki.com
Skype: ldubost GTalk: ldubost
18 May
18 May
12:31 p.m.
Jerome
This is already existing.
Thanks ! I should have opened my eyes a little more...
Jerome.
Using the password field in encrypted mode (versus the default hash
mode) should allow you to store credentials in a secure way.
They are made only available using programming rights.
Ludovic
Jerome Velociter wrote:
Hello devs,
I'm trying to figure out a "clean" way of storing third-party
applications
credentials in a XWiki user profile.
My use case is the following (and I believe such use cases will continue
to occur as we offer more web-services integration). We want XWiki
Workspaces users to be able to update their twitter status too when
posting an update on a workspace "workstream", just checking a box.
First time they would be asked for their twitter credentials, but for
the
following ones, it be nice not to ask.
A possible way I want to propose is to encrypt the username/password
couple (for example, represented under their base-64 form since twitter
API requires basic authentication) through a cipher, using a secret key
based on a combination of the user XWiki password hash and a secret
parameter located in xwiki.cfg. This way, programming rights or physical
access to xwiki.cfg would be required to decrypt the login/passwd.
If the user changes his XWiki password, thus the hash, or if the secret
parameter value is changed, the user would be asked to enter is
credentials again (In fact, as soon as the service authentication
fails).
WDYT ? Are there cleaner/more secured ways of doing this ?
Thanks for your inputs,
Jerome.
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
--
Ludovic Dubost
Blog: http://blog.ludovic.org/
XWiki: http://www.xwiki.com
Skype: ldubost GTalk: ldubost
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
6018
days inactive
6019
days old
2 comments
2 participants
participants (2)
-
Jerome Velociter -
Ludovic Dubost