New Authentication Methods - LiveJournal Client Discussions
New Authentication Methods [Apr. 14th, 2004|08:39 am]

lj_clients

[darklyng]
Apparently clear authentication (password and hpassword) is deprecated - is there any documentation on authentication using cookies or challenge/response?

Comments:
[User Picture]From: otheronetruegod
2004-04-15 11:55 am (UTC)
This is a good start:

http://www.livejournal.com/doc/server/ljp.csp.auth.challresp.html

There is more in the protocol docs as well.
(Reply) (Thread)
[User Picture]From: vanbeast
2004-04-15 12:26 pm (UTC)
This link 404s...
(Reply) (Parent) (Thread)
[User Picture]From: otheronetruegod
2004-04-15 12:29 pm (UTC)
Didn't 404 for me, just now.
(Reply) (Parent) (Thread)
[User Picture]From: vanbeast
2004-04-15 12:35 pm (UTC)
Someone must be updating the docs. It was a 404 for me across browsers and on different machines. Oh well :)
(Reply) (Parent) (Thread)
[User Picture]From: vanbeast
2004-04-15 11:58 am (UTC)
I don't think they're deprecated... there are just newer, more secure options. There's documentation somewhere, but damned if I can remember where.
(Reply) (Thread)
[User Picture]From: otheronetruegod
2004-04-15 12:19 pm (UTC)
According to the documentation, they are "[scalar](required) DEPRECATED".
(Reply) (Parent) (Thread)
[User Picture]From: vanbeast
2004-04-15 12:25 pm (UTC)
Where are you seeing this? In the CSP documentation, for the 'login' methods of both the Flat and XML-RPC interfaces, it doesn't say that they're deprecated.

http://www.livejournal.com/doc/server/ljp.csp.flat.login.html
http://www.livejournal.com/doc/server/ljp.csp.xml-rpc.login.html
(Reply) (Parent) (Thread)
[User Picture]From: otheronetruegod
2004-04-15 12:31 pm (UTC)
http://www.livejournal.com/doc/server/ljp.csp.xml-rpc.login.html which is the link in the original posting.

Direct quotes:
- password(optional):

[scalar](required) DEPRECATED. Password of user logging in in plaintext. If using the "clear" authentication method, either this or "hpassword" must be present.

- hpassword(optional):

[scalar](required) DEPRECATED. MD5 digest of user's password. Not much more secure than password, but at least it's not in plain text.

You may want to clear your cache.
(Reply) (Parent) (Thread)
[User Picture]From: vanbeast
2004-04-15 12:35 pm (UTC)
How very strange. I just reinstalled, that shouldn't have been in my cache. But, it appears you are correct :)
(Reply) (Parent) (Thread)
[User Picture]From: wooble
2004-04-15 01:07 pm (UTC)
Even stranger, I reloaded the page after you said you saw DEPRECATED there, and it still wasn't there. I waited a couple of minutes, reloaded again, and it was. And I can guarantee it wasn't cached on this machine before this whole thread was started, because I've never looked at the XML-RPC docs on my work machine (and only once at home). Sounds to me like whatever machines are serving the docs aren't synced very well today.
(Reply) (Parent) (Thread)
From: sej7278
2004-04-16 01:47 pm (UTC)
In some parts of the docs it says they're deprecated (think I saw it in the flat getdaycounts mode doc?)

I think it's the docs getting ahead of the rest of the project as the challenge-response docs are 404'd.

I'm going to continue to use hpassword for the moment, until the docs are stabilized - or hpassword functionality is removed, which I don't see happening as they haven't deprecated the plain text passwords yet.
(Reply) (Thread)
[User Picture]From: whomiga
2004-05-03 08:02 pm (UTC)

Proper calling of challenge authorization, and When is it needed, or even available?

Some of the Documentation says that clear authorization is deprecated and that other auth_method values are usable, and some have no mention of anything but a default auth_method of clear. So, what is the story? Are some of the commands able to use challenge, and some aren't? And what is the routine to use challenge authorization? Do you call GetChallenge before every command and then send that data with the command?
(Reply) (Thread)
[User Picture]From: darklyng
2004-05-06 01:21 pm (UTC)

Re: Proper calling of challenge authorization, and When is it needed, or even available?

I haven't actually done this yet, but if you're going to do it, there's no point doing it for only half your commands! The sensible thing to do is just to store the challenge and its expiration time so you only need to request a new challenge if it has expired.

As regards which modes challenge/response is available on, my guess would be all of them. I would imagine the docs are more likely to be wrong about that!
(Reply) (Parent) (Thread)
[User Picture]From: whomiga
2004-05-07 12:07 am (UTC)

Re: Proper calling of challenge authorization, and When is it needed, or even available?

A challenge apparently expires after 60 seconds according to checks I've made. In many other systems I've seen (not mentioned one way or the other in the Documentation here), a challenge/response is only valid until
1) The time limit expires, or
2) The response is issued

The specifics of what to do there and why the documentation appears to be incomplete, I suppose is the real question...
(Reply) (Parent) (Thread)
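The two validity rules raised in the last comments (time limit, and invalidation once a response is issued), as an added example that is not part of the thread or of LiveJournal's code. It assumes the response is the hex MD5 of the challenge concatenated with the hex MD5 of the password, which the thread does not spell out; the single-use rule is the behaviour described for "other systems", not confirmed for LiveJournal; `ChallengeVerifier`, `client_response` and the password are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def client_response(challenge: str, password: str) -> str:
    # Assumed formula: hex MD5 of (challenge + hex MD5 of password).
    return md5_hex(challenge + md5_hex(password))


class ChallengeVerifier:
    """Toy server side (hypothetical): enforces expiry and single use."""

    def __init__(self, hpassword: str, lifetime: int = 60):
        self.hpassword = hpassword   # the server only needs MD5(password)
        self.lifetime = lifetime     # 60 s, the value observed in the thread
        self.pending = {}            # challenge -> expiry time

    def get_challenge(self, now: float) -> str:
        challenge = secrets.token_hex(16)
        self.pending[challenge] = now + self.lifetime
        return challenge

    def verify(self, challenge: str, response: str, now: float) -> str:
        expiry = self.pending.pop(challenge, None)   # pop makes it single use
        if expiry is None:
            return "unknown-or-used"
        if now > expiry:
            return "expired"
        expected = md5_hex(challenge + self.hpassword)
        return "ok" if hmac.compare_digest(expected, response) else "bad-response"


def demo() -> list:
    server = ChallengeVerifier(md5_hex("correct horse"))   # constructed password
    c1 = server.get_challenge(now=0)
    r1 = client_response(c1, "correct horse")
    results = [server.verify(c1, r1, now=5)]          # fresh challenge
    results.append(server.verify(c1, r1, now=6))      # cached and reused
    c2 = server.get_challenge(now=10)
    results.append(server.verify(c2, client_response(c2, "correct horse"), now=71))
    c3 = server.get_challenge(now=80)
    results.append(server.verify(c3, client_response(c3, "wrong"), now=81))
    return results


if __name__ == "__main__":
    print(demo())
```

If the server does invalidate a challenge on first use, a client that caches the challenge until its expiry time fails on its second request, so such a client should be ready to fetch a new challenge and retry.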