[openspending-dev] api key

Stefan Wehrmeyer stefan.wehrmeyer at okfn.org
Mon Aug 19 08:53:23 UTC 2013


Hi Alberto,

You are right about your security concerns. Since most developers only need read access (which doesn't need the key), this wasn't considered before.

We should strongly consider putting up SSL for OpenSpending (shouldn't be too hard, won't touch code base).
The possibility to regenerate an API key might also make sense.

I would vote against a public/private key system as it will make OpenSpending more complex than necessary.

Cheers
Stefan

On 19.08.2013, at 09:19 , Alberto Rodriguez Peon <alberto.rodriguez.peon at cern.ch> wrote:

> Hi Tryggvi,
> 
> Sorry, my question was a bit unclear. 
> 
> I assumed that using the API key to authenticate the user is the right way. The problem is that exposing the API key as a request parameter can be very dangerous (it can be intercepted).
> 
> Maybe an option to avoid this is having two keys, a public key that can be exposed and a private key that is used only for signing each request. For example: http://developers.issuu.com/api/signingrequests.html 
> 
> How is OpenSpending using this key in other parts of the API?
> 
> Cheers,
> Alberto
> From: Tryggvi Björgvinsson [tryggvi.bjorgvinsson at okfn.org]
> Sent: 17 August 2013 19:03
> To: Alberto Rodriguez Peon
> Cc: openspending-dev at lists.okfn.org
> Subject: Re: [openspending-dev] solr problem during installation and more
> 
> On Mon 12 Aug 2013 11:26, Alberto Rodriguez Peon wrote:
>> However, the creator of the dataset has to be declared somewhere. What will be the correct way to authenticate the REST request for the user who is creating the dataset? (signing the request with the API key, maybe?)
> 
> Hi Alberto,
> 
> Sorry for the late reply. The correct way to authenticate the request would be via the API key, yes. Each account is connected to a single API key so you can use that to declare the creator of the dataset.
> 
> -- 
> Tryggvi Björgvinsson
> Technical Lead, OpenSpending
> The Open Knowledge Foundation
> Empowering through Open Knowledge
> http://okfn.org/ | @okfn | OKF on Facebook | Blog | Newsletter

-- 
Stefan Wehrmeyer
Project Lead, FragDenStaat.de
stefan.wehrmeyer at okfn.org
+49 151 15550559
Open Knowledge Foundation Deutschland e.V.
Gneisenaustr. 52 
10961 Berlin
http://www.okfn.de

Donate to FragDenStaat.de:
https://fragdenstaat.de/hilfe/spenden/
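
Added example (not part of the original thread, and not OpenSpending's or issuu's actual scheme): a generic sketch of the two-key idea Alberto raises, where a public key id travels with the request and the secret is used only to compute an HMAC-SHA256 signature. The path /api/datasets, the parameter names key_id, ts and signature, and the credential values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Constructed sample credentials (not real OpenSpending values).
KEY_ID = "pub-example-123"            # public identifier, safe to send
SECRET = b"constructed-secret-value"  # shared secret, never put in a request


def canonical(method, path, params):
    """Build the byte string both sides sign: method, path, sorted parameters."""
    query = urlencode(sorted(params.items()))
    return f"{method.upper()}\n{path}\n{query}".encode()


def sign_request(method, path, params, secret, key_id, now=None):
    """Client side: add key id and timestamp, then an HMAC-SHA256 signature."""
    ts = str(int(time.time() if now is None else now))
    signed = dict(params, key_id=key_id, ts=ts)
    mac = hmac.new(secret, canonical(method, path, signed), hashlib.sha256)
    signed["signature"] = mac.hexdigest()
    return signed


def verify_request(method, path, params, secrets, now=None, max_skew=300):
    """Server side: look up the secret by key id, recompute and compare."""
    params = dict(params)
    sent = params.pop("signature", "")
    secret = secrets.get(params.get("key_id", ""))
    if secret is None:
        return False  # unknown key id
    try:
        ts = int(params.get("ts", ""))
    except ValueError:
        return False  # missing or malformed timestamp
    now = time.time() if now is None else now
    if abs(now - ts) > max_skew:
        return False  # stale request: limits replay of a captured one
    mac = hmac.new(secret, canonical(method, path, params), hashlib.sha256)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(mac.hexdigest().encode(), sent.encode())


if __name__ == "__main__":
    req = sign_request("POST", "/api/datasets", {"name": "budget-2013"}, SECRET, KEY_ID)
    print(req)
    print(verify_request("POST", "/api/datasets", req, {KEY_ID: SECRET}))
```

A captured signed request can still be replayed within max_skew, and the request contents remain readable in transit, so signing complements the SSL proposal above rather than replacing it.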
