I read the NingApi PDF, section 2.2 on authentication; I am using the PHP classes from GitHub. However, I seem to be able to authenticate that I am me (a developer with access rights to a Ning network), but I can't authenticate that the viewer is the user he claims to be.

Similar to this user's post, I want to get the current user's email when he's viewing an external PHP file. With the API I seem to be able to get any user's email address by passing an ID. The only problem is I am not able to actually know whether the user is who he claims to be.

The solution in the post uses JavaScript to get an ID and passes it to a PHP script as a parameter. Very insecure, and this could mean anybody using Firebug can pretend to be a different user.

I think the way this would work is that I give a JavaScript run by that user my consumer key. They would then send the consumerKey to the network I have access to. (Assuming consumer keys are not secret, right?)

Then I should be retrieving a userToken & ID if the user is logged in to that network, or false if not. The user token is relative to my key, and I can use the API to verify with my key, secret, user ID & token that the user is who he claims to be. The token expires when a user changes his password and after a given period of time.

This may still not be 100% secure, but IMHO more secure than just claiming to be user ID 3543.

TL;DR: Basically I can't find the doc on how to verify a user is who he claims to be on a Ning network.


Replies to This Discussion

Here's my suggestion for the flow:

  1. User makes an AJAX request (JSONP) to example.ning.com/whoami?consumerKey=MYAPPSCONSUMERKEY
  2. The network checks if the user is signed in and the key is valid, and creates a temporary token based on the consumer key; they know my consumer secret, user data and network-specific parameters/algorithms.
  3. Ning returns a success status (user is logged in, consumerKey is valid on this network) and the token to the user (the JavaScript).
  4. The user (JavaScript) sends his token to my server.
  5. My server sends the consumerKey, consumerSecret & token to the Ning network.
  6. The Ning network responds with success (the user requested a token & it matches based on key & secret) and the user ID/data.
  7. The user token expires within a short time frame, or maybe after one use.
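To make the proposed flow concrete, here is an added example, not code from this thread or from Ning's API, that models both sides in Python: a stand-in for the network that issues a token bound to the consumer key, and the application server that redeems it with the consumer secret. The registry, the 60-second lifetime and the member id 3543 are constructed for illustration; the real whoami and redeem endpoints are assumed, not Ning's.

```python
import hmac, secrets, time
# Constructed registry of consumer credentials (placeholders, not real Ning keys).
CONSUMERS = {"MYAPPSCONSUMERKEY": "my-consumer-secret"}
TOKEN_TTL = 60  # seconds a whoami token stays redeemable

class Network:
    """Stand-in for the Ning network: issues and redeems short-lived, single-use tokens."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.tokens = {}  # token -> [consumer_key, user_id, issued_at, used]

    def whoami(self, consumer_key, signed_in_user):
        # Browser-side request: only a signed-in member with a known consumer key gets a token.
        if signed_in_user is None or consumer_key not in CONSUMERS:
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = [consumer_key, signed_in_user, self.clock(), False]
        return token

    def redeem(self, consumer_key, consumer_secret, token):
        # Server-side request: the application proves it holds the secret before the token is checked.
        expected = CONSUMERS.get(consumer_key)
        if expected is None or not hmac.compare_digest(expected, consumer_secret):
            return None
        record = self.tokens.get(token)
        if record is None:
            return None
        key, user_id, issued_at, used = record
        if key != consumer_key or used or self.clock() - issued_at > TOKEN_TTL:
            return None
        record[3] = True  # mark used so a replayed token is rejected
        return user_id

def server_login(network, token, secret=CONSUMERS["MYAPPSCONSUMERKEY"]):
    """My server: trust only what the network vouches for, never a user id the browser sent."""
    return network.redeem("MYAPPSCONSUMERKEY", secret, token)

def demo():
    """Run the flow once for member 3543 and exercise the failure modes the thread discusses."""
    now = [1_000_000.0]
    net = Network(clock=lambda: now[0])
    token = net.whoami("MYAPPSCONSUMERKEY", signed_in_user=3543)
    results = {"first": server_login(net, token), "replay": server_login(net, token)}
    results["wrong_secret"] = server_login(net, net.whoami("MYAPPSCONSUMERKEY", 3543), secret="guess")
    stale = net.whoami("MYAPPSCONSUMERKEY", signed_in_user=3543)
    now[0] += TOKEN_TTL + 1  # let the clock run past the token lifetime
    results["expired"] = server_login(net, stale)
    results["anonymous"] = net.whoami("MYAPPSCONSUMERKEY", signed_in_user=None)
    return results
```

Only the first redemption yields the member id; the replayed, expired and wrong-secret attempts all fail, and a visitor who is not signed in never receives a token.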

There are two types of authentication: server-side and client-side.

  1. Server-side - Verification code is run on your server
  2. Client-side - Verification is run in the user's browser (i.e. JavaScript)

It seems that you are interested in a client-side solution using JavaScript. The Ning API as it is right now does have a safe means of doing client-side authentication using pure JavaScript. Client-side authentication is more difficult because you need to worry about keeping the OAuth consumer secret a secret.

The team has discussed implementing a client-side authentication scheme that non-Ning websites could embed that gives members a single-sign-on experience. As you can imagine, this is a difficult problem and will take some time to design and implement.

What I recommend you do is use server-side authentication. You will need to create an HTML form that requests the member's email address and password. Upon submission of the form, your server will verify the credentials using the Ning API's /Token endpoint. If you receive a successful response from the /Token endpoint, you can believe who the member is and set up a session (most likely using cookies). For the life of the session you can then trust that the user is who they say they are (assuming their cookies aren't stolen).

We are planning to implement 3-legged OAuth in the future to make server-side authentication more seamless for members. More seamless because members will not need to enter their password to authorize your web application if they are already signed into your Ning site.

Thank you, Devin, for your reply.

I think I understand now where Ning is at and will need to work with what is there.
