Which data is unique and suitable for user identity ?

  • smallufo
    Message 1 of 4 , Mar 1, 2008
      I want to let users use BBAuth to log in to my webapp.
      But I wonder which data field (in the WSDL) is suitable for user identity?
      Which one is unique and unmodifiable?

      UserData.UserSendPref.DefaultID ?
      UserData.UserSendPref.LoggedInAlias ?
      UserData.UserSendPref.DefaultFromName ?
      UserData.UserSendPref.DefaultFromAddress ?
    • Ryan Kennedy
      Message 2 of 4 , Mar 2, 2008
        On Mar 1, 2008, at 1:40 PM, smallufo wrote:
        > I want to let users use BBAuth to log in to my webapp.
        > But I wonder which data field (in the WSDL) is suitable for user
        > identity?
        > Which one is unique and unmodifiable?
        >


        If all you want is to log people in, don't use the Mail API. When you
        sign up for a BBAuth key check the option above Mail that says "Single
        Sign On, No user data can be accessed". Once you're set up there, make
        a small modification to the login URL that you generate by adding the
        "send_userhash" query parameter. This will cause BBAuth to include a
        unique, immutable string in the response along with the token. That
        will allow you to identify the same user when they return.

        Check out send_userhash on this page:

        http://developer.yahoo.com/auth/user.html

        --
        Ryan Kennedy
        Technical Yahoo!
        rckenned@...
      • smallufo
        Message 3 of 4 , Mar 2, 2008
          Thank you.
          But I have another question:
          If I only check "Single Sign On, No user data can be accessed",
          I don't have to get the Cookie and WSSID anymore, right?
          I could just fully trust the userhash returned by Yahoo, right?

          But it seems this cannot prevent a 'man-in-the-middle'.
          What if someone intercepts the returned URL? He can resend the URL
          and sign in with the same returned URL.
          I tried, and it worked. The returned URL can be repeated ...

          How do I know the userhash is valid? Is there any way to validate it?


          > If all you want is to log people in, don't use the Mail API. When you
          > sign up for a BBAuth key check the option above Mail that says "Single
          > Sign On, No user data can be accessed". Once you're set up there, make
          > a small modification to the login URL that you generate by adding the
          > "send_userhash" query parameter. This will cause BBAuth to include a
          > unique, immutable string in the response along with the token. That
          > will allow you to identify the same user when they return.
          >
          > Check out send_userhash on this page:
          >
          > http://developer.yahoo.com/auth/user.html
          >
          > --
          > Ryan Kennedy
          > Technical Yahoo!
          > rckenned@...
          >
        • Ryan Kennedy
          Message 4 of 4 , Mar 2, 2008
            On Mar 2, 2008, at 2:20 PM, smallufo wrote:
            > But I have another question:
            > If I only check "Single Sign On, No user data can be accessed",
            > I don't have to get the Cookie and WSSID anymore, right?
            > I could just fully trust the userhash returned by Yahoo, right?
            >

            Correct...no more cookie or wssid to deal with.

            > But it seems this cannot prevent a 'man-in-the-middle'.
            > What if someone intercepts the returned URL? He can resend the URL
            > and sign in with the same returned URL.
            > I tried, and it worked. The returned URL can be repeated ...
            >
            > How do I know the userhash is valid? Is there any way to validate it?
            >


            http://developer.yahoo.com/auth/user.html#token

            "sig: An md5 hash of the relative path to your endpoint URL, all
            associated parameters, (appid, appdata, ts, and token), and your
            shared secret. You should use the signature to verify that the request
            came from a legitimate Yahoo! login server. "

            Make sure you validate the signature present in the response. That
            will protect you from man in the middle attacks as long as you keep
            your shared secret safe.

            --
            Ryan Kennedy
            Technical Yahoo!
            rckenned@...
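As an added illustration (not code from the thread or from Yahoo), the verifier below follows the quoted description of sig: an md5 over the relative endpoint path with its parameters, followed by the shared secret, with sig assumed to be the last query parameter and that concatenation order assumed from the description. It also rejects a response whose ts is outside a freshness window, which is the check that addresses the replay smallufo observed, since a valid signature alone says nothing about how old the URL is; the secret, endpoint path, skew window and sample values are placeholders.

```python
import hashlib
import hmac
import time
from urllib.parse import urlsplit, parse_qsl

SHARED_SECRET = "hypothetical-shared-secret"   # placeholder; the real one is issued by Yahoo
MAX_SKEW_SECONDS = 600                         # freshness window, an assumption


def split_sig(query):
    """Return (signed_part, sig); sig is assumed to be the last parameter."""
    idx = query.rfind("&sig=")
    if idx < 0:
        return None, None
    signed, sig = query[:idx], query[idx + len("&sig="):]
    return (None, None) if "&" in sig else (signed, sig)


def expected_sig(path, signed_query, secret):
    """md5(relative endpoint URL with its signed parameters + shared secret)."""
    return hashlib.md5((path + "?" + signed_query + secret).encode()).hexdigest()


def verify_bbauth_response(url, secret, now=None, max_skew=MAX_SKEW_SECONDS):
    """Return (True, userhash) only if both the signature and the ts check out."""
    parts = urlsplit(url)
    signed, sig = split_sig(parts.query)
    if sig is None:
        return False, "missing or misplaced sig"
    # constant-time compare so the check itself leaks nothing about the secret
    if not hmac.compare_digest(expected_sig(parts.path, signed, secret), sig.lower()):
        return False, "signature mismatch"
    params = dict(parse_qsl(signed, keep_blank_values=True))
    if not all(k in params for k in ("appid", "ts", "token", "userhash")):
        return False, "missing required parameter"
    if not params["ts"].isdigit():
        return False, "bad ts"
    now = int(time.time()) if now is None else now
    if abs(now - int(params["ts"])) > max_skew:
        return False, "stale ts, possible replay"
    return True, params["userhash"]


# Constructed sample response; its sig is computed with the placeholder secret above.
SAMPLE_TS = 1204496400
_signed = f"appid=exampleAppId&ts={SAMPLE_TS}&token=AB.CD&userhash=uh_constructed_123"
SAMPLE_URL = ("https://app.example.com/bbauth/return?" + _signed
              + "&sig=" + expected_sig("/bbauth/return", _signed, SHARED_SECRET))

if __name__ == "__main__":
    print(verify_bbauth_response(SAMPLE_URL, SHARED_SECRET, now=SAMPLE_TS + 5))
    print(verify_bbauth_response(SAMPLE_URL, SHARED_SECRET, now=SAMPLE_TS + 7200))
```

The second call models smallufo's replay: the same URL, still correctly signed, is rejected purely on age.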