A Different Model For Web Services Authorization

In my last post I set out to describe how easy it is to extract private keys from desktop software. As I was concluding I stumbled on an alternative approach that might be more secure in some circumstances. I didn't really go into details, so here's an expansion of the idea.

Current API authentication mechanisms including Flickr Auth, OAuth, Yahoo BBAuth and Google AuthSub work by allowing users to grant an application the right to act for the user on the site. Some implementations allow the user to grant access to only a subset of the functionality — Flickr lets users grant just read access, Google lets users grant access to just one class of data (for example Google Docs but not Google Calendar). But still, the user doesn't know which specific operations they're allowing to be carried out. This wouldn't matter so much if the user can trust the application that they're granting access to, but there's no way to provide for that completely.

Another approach might be to give third-party applications the ability to submit sets of changes to be applied to a user's account, but require the user to approve them through the service provider's web site before they're applied to the the user's real data. For example, a Flickr upload might look like this:

Client makes API request flickr.transaction.create(total_files=20, total_data=20M)
Flickr responds with transaction id X and a maximum lifetime for the transaction
Flickr responds with an URL to direct the user's browser to to:
- associate the transaction with an account, and
- preview, permit and commit the changes

To a user this isn't going to look or feel to different from the current Flickr upload scenario where on completion they're presented with a set of uploaded photos and offered the opportunity to make metadata changes.

The key advantage here from a security standpoint is that users approve actions not applications. The challenge of expressing a set of changes to a user clearly is not small but unlike the challenge of identifying and trusting applications it's solvable.

This model probably only makes sense for write-oriented sessions, and for infrequent, large write sessions (such as Flickr uploads) rather than frequent, small writes (like Twitter posting).

These ideas aren't well thought out in my head, they're fresh from me trying to come up with a workable model for API authentication and authorization that doesn't depend on trusting the identity of clients. I'd really welcome feedback and ideas on how to take this forward and feedback implementers on the feasibility of adopting a model like this.