[development] Token-based web service authentication to core

Dan Karran dan at karran.net
Tue Jan 24 18:14:09 UTC 2006


The proposed token authentication sounds like it would also be useful in
allowing non-public feeds to be pulled from Drupal sites in order for them
to be aggregated.


Dan

On 24/01/06, Boris Mann <boris at bryght.com> wrote:
>
> All:
>
> See http://drupal.org/node/46145
>
> I'm going to make sure that Ben is signed up to the dev list. He's on
> the board of the PHP User's Group here in Vancouver and is a pretty
> kick ass programmer. For now, making sure this gets the views it
> deserves.
>
> This opens the door to the type of interactions that, e.g. Flickr,
> does remotely, and lots of rich inter-site functionality.
>
> > I'm building a new website in Drupal and there are some
> > administrative web services that I would like to make available to
> > middleware together a legacy system. I did some research into
> > Drupal's XMLRPC system and figured that token based authentication
> > in the core would be useful.
> >
> > This is what I have sketched out on a napkin:
> >
> > Scenario:
> > Client wants to create some new data in the system. This is the
> > process:
> >
> > 1. Client requests a service token, sends username/password of a
> > Drupal user
> > 2. Drupal loads the $user matching the credentials
> > - creates a random alphanumeric token to send back to the user
> > - serializes, and caches the $user object, key = md5(token + ip
> > address of client)
> > - sends the token back to the client
> > 3. Client makes an RPC call to say: module.createListing($token,
> > $arg1,$arg2,...)
> > 4. In createListing(...)
> > -- Checks the token, if valid does its thing, otherwise, returns
> > an error message.
> >
> > I think it would take a fairly small amount of code to accomplish
> > the above. I haven't given a lot of thought about Drupal's external
> > authentication system though. I'm not too familiar with it, but
> > maybe somebody can fill me in. For this system I may write my own
> > version of user_authenticate() without the variable_get
> > ('user_register',1) in it so some malicious person doesn't create an
> > unlimited number of random users in the system.
> >
> > Any thoughts or previous work on this?
> > I would like it to be implemented in core, but it would probably be
> > just as easy to implement as a module. Since modules will depend on
> > the functionality, I want to avoid the logic of checking if the
> > module is enabled or not.
> >
> > I took a look at how the blogapi module accomplishes
> > authentication. It has $username,$password for each request, and
> > does a user_load(...), which is alright, but I would like to have a
> > shared authentication for web services rather than rolling a custom
> > one for every module that needs it.
> >
> > Privileges and access can be combined into a xmlrpc_check_token
> > ($token,$privilege) function, e.g:
> >
> > xmlrpc_check_token($token,'access content')
> >
> > It wouldn't take me long to write the code for this. I wanted some
> > feedback from the community first before I dive into design/coding.
>
>
>
> Boris Mann
> Vancouver 778-896-2747 San Francisco 415-367-3595
> SKYPE borismann
> http://www.bryght.com
>
>


--
Dan Karran
dan at karran.net
www.dankarran.com
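
The four-step exchange sketched in the quoted proposal, as an added PHP example that is not part of the original thread and is not Drupal code. The in-memory user list and cache, the name xmlrpc_request_token, the explicit $ip argument, the 15-minute expiry and the use of SHA-256 in place of md5 are assumptions.

```php
<?php
// Added illustration; not Drupal core code. Users, storage and TTL are assumptions.
const TOKEN_TTL = 900; // seconds; the sketch does not specify an expiry

// Constructed sample account standing in for Drupal's user table.
$USERS = [
  'alice' => ['hash'  => password_hash('correct horse', PASSWORD_DEFAULT),
              'perms' => ['access content']],
];
$CACHE = []; // stands in for Drupal's cache: key => ['user' => ..., 'expires' => ...]

// The sketch keys the cache on md5(token + ip); SHA-256 is swapped in here.
function token_cache_key(string $token, string $ip): string {
  return hash('sha256', $token . '|' . $ip);
}

// Steps 1-2: verify credentials, mint a random token, cache the user under it.
function xmlrpc_request_token(string $name, string $pass, string $ip): ?string {
  global $USERS, $CACHE;
  $user = $USERS[$name] ?? null;
  if ($user === null || !password_verify($pass, $user['hash'])) {
    return null; // unknown user or bad password: no token and no new account
  }
  $token = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG
  $CACHE[token_cache_key($token, $ip)] = [
    'user'    => ['name' => $name, 'perms' => $user['perms']],
    'expires' => time() + TOKEN_TTL,
  ];
  return $token;
}

// Step 4: valid only from the issuing IP, before expiry, with the privilege.
function xmlrpc_check_token(string $token, string $privilege, string $ip): bool {
  global $CACHE;
  $key = token_cache_key($token, $ip);
  $entry = $CACHE[$key] ?? null;
  if ($entry === null) return false;
  if ($entry['expires'] < time()) { unset($CACHE[$key]); return false; }
  return in_array($privilege, $entry['user']['perms'], true);
}

// Constructed calls using documentation-range IP addresses.
$t = xmlrpc_request_token('alice', 'correct horse', '192.0.2.10');
var_dump(xmlrpc_check_token($t, 'access content', '192.0.2.10'));   // same client
var_dump(xmlrpc_check_token($t, 'access content', '192.0.2.99'));   // different IP
var_dump(xmlrpc_check_token($t, 'administer nodes', '192.0.2.10')); // privilege not held
var_dump(xmlrpc_request_token('alice', 'wrong', '192.0.2.10'));     // bad password
```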