[Kde-imaging] [Bug 276609] KIPI facebook application is deleted. can't upload and previously uploaded pictures disappear.

Tue Jun 28 15:03:32 CEST 2011

https://bugs.kde.org/show_bug.cgi?id=276609

--- Comment #16 from Dirk Tilger <dirk kde miriup de>  2011-06-28 13:03:31 ---
On 06/28/11 12:15, Pau Garcia i Quiles wrote:
> I thought about this problem (distributing the private API key) in the source a
> few months ago. 
>
> It is a problem with Facebook and with other services, and will be a problem
> with newer services. What we are doing is wrong according to their policies.
As I have explained now in a couple of places:

The kipi-plugins 2.0.0 have got its Facebook authentication upgraded to
OAuth2. From this version on forward the only place where the secret is
used at all is to convert the old authentication keys to OAuth2. That
part could easily be removed, as it actually provides only minimal
additional convenience.

That said, consider that with OAuth2 authentication we don't need the
secret anymore at all. And so, nobody does. Knowing our application ID,
anyone could impersonate KIPI and ask the user for whatever permissions
they like. As a matter of fact this is what I did when I upgraded the
KIPI Facebook plug-in to OAuth2 authentication.

The only technical means FB gives us to prevent that is to limit all
requests to one IP (or a small subnet), but that as a desktop
application this is not an option we can use.
> The only solution that would abide by the policy of "do not distribute the
> private key in the source" I could come with is to have a KDE-wide server (for
> instance, appkeys.kde.org ) and have our applications send a request to that
> server that would return the private key.
>
> Granted, it is actually as insecure as distributing the key with the source,
> but at least would not violate Facebook's, Twitter's, etc policy so obviously.
I wasn't aware of such a policy, could you please paste a link to it
into this bug?

If FB chooses to introduce keys in OAuth2 in client-mode, what we could
do is: having kipi-plugins.org or digikam.org be a wrapper for the
authentication. Instead of having the client authenticating directly,
they'll send a request to kipi-plugins.org and we do the server
handshake. Once the authentication is complete, we hand back the
authentication token to the digikam app and from then on, the desktop
app can do whatever it needs to.

-- 
Configure bugmail: https://bugs.kde.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.