I don't like the idea of creating new users just for any application. I favour the model that eBay uses, where eBay creates for the user a special token, tied to the username and the application it is to be used with. In the case of PM, we could create such tokens based on the user name, the proxy name and the rights the user wants to grant the proxy.

That will of course need another table to manage the tokens, and checks in all actions that are available to the proxy, but I'd prefer this, as in a case of emergency or a compromised proxy, it's very easy to wipe out all access for that proxy.

As I see it, the workflow would be like this:

  1. The proxy tells the user its name and what permission it would like, or redirects the user to a page on PerlMonks which is set up with the proxy name and the wanted permissions.
  2. The user accepts or modifies these permissions, and is sent to a second page on which PerlMonks displays the token, which the user then pastes into the proxy administration page.
  3. Alternatively, the proxy could supply a redirect URL to which the user is redirected after setting up the token, just like eBay does. This would allow closer integration of the authentication into the proxy application, but also open up a vulnerability potential for cross-site scripting attacks.
  4. The proxy acts on behalf of the users using their tokens.
  5. If a user does not submit the request from step 2, no token is generated.
  6. Token revocation is easily maintained by the user in a separate step. Of course, token maintenance cannot be farmed out to proxies.

In reply to Re: proxy resource access. by Corion
in thread proxy resource access. by demerphq
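The six steps above, modelled end to end as an added example in Python; this is not code from the original post or from PerlMonks, and the proxy name `nodelet-proxy`, the user name, the permission names and the proxy registry are assumed for illustration. Beyond the post's own steps it adds two checks a practitioner would want: the store keeps only a SHA-256 digest of each token, so a leaked token table grants nothing, and the step 3 redirect URL is accepted only when its origin matches the one registered for that proxy, which removes the open-redirect hazard the post worries about.

```python
import hashlib
import secrets
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed registry of proxies (assumed names); a real site would keep it
# in a table next to the token table.
REGISTERED_PROXIES = {
    "nodelet-proxy": "https://proxy.example.net",
}


@dataclass
class TokenRecord:
    user: str
    proxy: str
    perms: frozenset
    revoked: bool = False


class TokenStore:
    """Tokens are bound to (user, proxy, permissions); only a hash is stored."""

    def __init__(self):
        self._pending = {}  # request id -> (user, proxy, requested perms, redirect)
        self._tokens = {}   # sha256(token) -> TokenRecord

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    # Step 1: the proxy names itself and the rights it wants. No token yet.
    def request(self, user, proxy, perms, redirect_url=None):
        if proxy not in REGISTERED_PROXIES:
            raise ValueError("unknown proxy")
        if redirect_url is not None:
            p = urlsplit(redirect_url)
            if f"{p.scheme}://{p.netloc}" != REGISTERED_PROXIES[proxy]:
                raise ValueError("redirect URL not registered for this proxy")
        rid = secrets.token_urlsafe(16)
        self._pending[rid] = (user, proxy, frozenset(perms), redirect_url)
        return rid

    # Steps 2/3: the user accepts or narrows the request; the token is minted
    # only here, so an unsubmitted request (step 5) never becomes a token.
    def approve(self, rid, granted):
        user, proxy, requested, redirect_url = self._pending.pop(rid)
        granted = frozenset(granted)
        if not granted <= requested:
            raise ValueError("user may narrow the request, not widen it")
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = TokenRecord(user, proxy, granted)
        return token, redirect_url

    # Step 4: every proxy-facing action checks token, proxy and right.
    def authorize(self, token, proxy, action):
        rec = self._tokens.get(self._digest(token))
        if rec is None or rec.revoked or rec.proxy != proxy:
            return None
        if action not in rec.perms:
            return None
        return rec.user

    # Step 6: maintenance is a user operation, never reachable with a token.
    def revoke_for_user(self, user, proxy):
        for rec in self._tokens.values():
            if rec.user == user and rec.proxy == proxy:
                rec.revoked = True

    def revoke_proxy(self, proxy):
        """Emergency switch: a compromised proxy loses every token at once."""
        for rec in self._tokens.values():
            if rec.proxy == proxy:
                rec.revoked = True

    def active_count(self):
        return sum(1 for rec in self._tokens.values() if not rec.revoked)


def run_demo():
    """Walk the workflow once with constructed data; returns observations."""
    store = TokenStore()
    rid = store.request("demerphq", "nodelet-proxy",
                        ["read_messages", "post_reply"],
                        "https://proxy.example.net/callback")
    token, back = store.approve(rid, ["read_messages"])   # user narrows
    store.request("demerphq", "nodelet-proxy", ["vote"])   # never approved
    results = {
        "read": store.authorize(token, "nodelet-proxy", "read_messages"),
        "post": store.authorize(token, "nodelet-proxy", "post_reply"),
        "wrong_proxy": store.authorize(token, "other-proxy", "read_messages"),
        "active_before": store.active_count(),
        "redirect": back,
    }
    store.revoke_proxy("nodelet-proxy")
    results["after_revoke"] = store.authorize(token, "nodelet-proxy", "read_messages")
    results["active_after"] = store.active_count()
    return results


if __name__ == "__main__":
    print(run_demo())
```

`run_demo()` shows the narrowed grant working for `read_messages` and failing for `post_reply`, the token being useless to any other proxy, the unapproved second request leaving the active count at one, and `revoke_proxy` killing everything that proxy held in a single step.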
