This repository has been archived by the owner on Jul 24, 2021. It is now read-only.

API authentication should be encrypted #106

Closed
openstreetmap-trac opened this issue Jul 23, 2021 · 5 comments

Comments

@openstreetmap-trac

Reporter: erik[at]tiq.com
[Submitted to the original trac issue database at 1.38pm, Friday, 16th December 2005]

There's a note on the wiki REST page about using digest authentication. This would mean that the passwords of all the users will be saved cleartext in the database, but all the authentication made by clients would be in "encrypted form". The encryption is simplified as HASH(username, sharedsecret, randomdata).

To make this happen there should be some example code in the wiki.

  • [http://www.ietf.org/rfc/rfc2617.txt RFC specs for digest http authentication]
  • [http://jakarta.apache.org/commons/httpclient/authentication.html#Digest Java: httpclient]
  • C/C++/perl/python can use libcurl?
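The RFC 2617 digest computation the reporter refers to, written out as an added Python example (not code from the original ticket or from the OpenStreetMap project); the constants are the worked example from RFC 2617 section 3.5, and the verifier side shows why the server must keep a password-equivalent secret (HA1) per user rather than a salted one-way hash, which is the objection raised later in this thread.

```python
import hashlib
import secrets

# Values taken from the worked example in RFC 2617 section 3.5 (not real accounts).
REALM = "testrealm@host.com"
USERNAME = "Mufasa"
PASSWORD = "Circle Of Life"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # HA1 is what the server has to store for each user. It is not the cleartext
    # password, but it is password-equivalent for this realm: whoever holds it can
    # produce valid responses, so a database leak is as bad as leaking passwords.
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(h1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    # qop="auth": response = MD5(HA1 : nonce : nc : cnonce : qop : HA2)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_response(username: str, realm: str, password: str, method: str,
                    uri: str, nonce: str, nc: str, cnonce: str) -> str:
    # The client side: derives HA1 from the typed password and never sends it.
    return digest_response(ha1(username, realm, password), method, uri, nonce, nc, cnonce)


def server_verify(stored_ha1: str, method: str, uri: str, nonce: str,
                  nc: str, cnonce: str, response: str) -> bool:
    # The server must recompute the response from HA1 (or the cleartext password).
    # A salted, one-way password hash cannot be used here, which is why digest
    # auth forces the site to keep a reversible or password-equivalent secret.
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return secrets.compare_digest(expected, response)


def demo() -> bool:
    # One GET of /dir/index.html with the RFC's client nonce and nonce count.
    resp = client_response(USERNAME, REALM, PASSWORD, "GET", "/dir/index.html",
                           NONCE, "00000001", "0a4f113b")
    return server_verify(ha1(USERNAME, REALM, PASSWORD), "GET", "/dir/index.html",
                         NONCE, "00000001", "0a4f113b", resp)
```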
@openstreetmap-trac

Author: tom[at]tom-carden.co.uk
[Added to the original trac issue at 11.39am, Tuesday, 20th December 2005]

For API authentication, we should look at the work done for other REST standards like Atom, because they were made with one eye on how clients could implement things today.

@openstreetmap-trac

Author: erik[at]tiq.com
[Added to the original trac issue at 10.45pm, Wednesday, 28th December 2005]

I apparently misunderstood what Johnny Doe meant, he wanted us to use a pubkey to anonymize everyone. I thought he meant encrypted logins,

@openstreetmap-trac

Author: tom[at]compton.nu
[Added to the original trac issue at 11.38am, Sunday, 19th August 2007]

I think using SSL is a lot simpler - using digest authentication would force everybody to change their passwords apart from anything else as we don't currently have a cleartext version of anybody's passwords.

@openstreetmap-trac

Author: TomH
[Added to the original trac issue at 8.53pm, Wednesday, 24th August 2011]

Web site logins are now SSL encrypted and we have OAuth for the API so there is no need to reveal the actual passwords there if you don't want to.

Digest authentication would require storing passwords in the clear which I absolutely don't want to do. OAuth is the preferred authentication method for the API anyway.

I think we can call this fixed.

@openstreetmap-trac

Author: tom[at]tom-carden.co.uk
[Added to the original trac issue at 9.11pm, Wednesday, 24th August 2011]

Had a few trac emails recently. Blast from the past. I love seeing these 6 year old tickets getting closed. Thanks to all involved!

And yeah, TomH, OAuth and SSL totally covers it :)
