-
Notifications
You must be signed in to change notification settings - Fork 485
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow the Data Deposit API to use API keys #890
Comments
Original Redmine Comment I asked about API keys on the SWORD mailing list in a thread called "[sword-app-tech] using API keys (OAuth?) rather than HTTP Basic Authentication (username/password) in conjunction with a TLS connection". It seems like our approach of passing usernames and passwords (over HTTPS) rather than API keys is how all known SWORDv2 implementation operate. Richard Jones, the SWORD spec lead, said...
in his reply at http://www.mail-archive.com/sword-app-tech@lists.sourceforge.net/msg00340.html Richard goes on to encourage SWORDv2 implementers to attempt trying to implement API keys (OAuth specifically) and to make sure there is nothing in the spec that seems to forbid it. At http://irclog.perlgeek.de/crimsonfu/2013-08-01#i_7398673 "semiosis" suggested looking at the auth in Amazon's APIs:
http://docs.aws.amazon.com/AmazonS3/latest/dev/S3_Authentication2.html and http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html have more detail about this HMAC approach. |
Original Redmine Comment Eleni noticed a possible model for API keys in a SWORD context by way of https://twitter.com/archivematica/status/427873797124145152
Specifically, I'm noticing wording on that page such as 'Enter the dashboard's IP address into the "Remote name" field and the user and API key noted earlier into the "Api username" and "Api key" fields.' Also, I noticed this in their example for a POST: Authorization: Archivematica-API api_key="XXXXXXXXXXXXXXXXXXXX", username="timh" Some food for thought anyway... we want to make sure we build the right thing. |
Implemented and documented in 686d5b7. Passing to QA. |
Created dataset using token |
resolving issue |
Author Name: Philip Durbin (@pdurbin)
Original Redmine Issue: 3208, https://redmine.hmdc.harvard.edu/issues/3208
Original Date: 2013-08-01
v1 of the Data Deposit API requires that passwords be sent by a SWORD client. Use of HTTPS ensures the passwords are encrypted "in flight" between the SWORD client and the server but it means that the SWORD client must have access to the actual password (and presumably store the password in clear text or using reversible encryption so that the actual password can be sent).
Better would be to use API keys, which is what Twitter, Google, Flickr, etc. allow. Commonly, OAuth is used to negotiate API keys: http://en.wikipedia.org/wiki/OAuth
From a SWORDv2 perspective, at http://swordapp.github.io/SWORDv2-Profile/SWORDProfile.html#authenticationmediateddeposit the spec says the following:
Related issue(s): #459
Redmine related issue(s): 3108, 3874
The text was updated successfully, but these errors were encountered: