Provide a user-friendly way of authorizing desktop, GUI launchpadlib applications
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
launchpadlib |
Fix Released
|
High
|
Leonard Richardson |
Bug Description
To stop people from writing their own fake web browsers (see bug 387297) that take Launchpad credentials and automatically authorize OAuth tokens, I wrote my own fake web browser. The most recent Launchpad release changes the login process in a way that breaks all fake web browsers, including the launchpadlib one. The login process now goes through login.launchpad.net instead of asking you for username and password directly.
We can do more work, do some more protocol sniffing, and fix the fake web browser to do whatever login.launchpad.net wants the end-user to do. This will fix the problem in the short term. However, there's no guarantee it will stop there. Whenever the login procedure changes, this fake web browser (and all apps that use it, including apps in old versions of Ubuntu) will break.
This is not an academic worry. We plan to make Launchpad a general OpenID consumer. This means that login.launchpad.net will redirect the client to an external site, which can do whatever it wants to authenticate the end-user: make them solve a CAPTCHA, or have them upload a picture from their webcam and do facial recognition, or whatever. In the general case, authenticating with an OpenID provider requires a fully general hypermedia-aware web client, ie. a web browser. At this point there will simply be no way to fix the fake browser.
We've already had a taste of this problem. If the user doesn't have a Launchpad account, we open up their web browser and tell them to come back once they've created an account. We didn't want to have to reimplement the interactions between a web browser and Launchpad that are necessary to create a Launchpad account, so we punted by using the real web browser.
I had a long conversation with Martin Owens (doctormo) about this and I want to summarize one idea even though this bug is really only about the short-term problem, so it'll be written down somewhere:
Create a desktop application whose job is to manage _all_ desktop integration with the Launchpad web service. Create a second web service that allows a client to manage credentials for the Launchpad web service.
The desktop application is granted access to this second "management" web service through the web browser. Other desktop applications are written to ask this application for access to the web service rather than going through Launchpadlib. When an application "foo" asks for access to the web service, the manager application uses the management web service to 1) get a list of acceptable access levels and 2) create a new OAuth access token for the "foo" application. The application then gives "foo" only the information it needs to create an authenticated Launchpad object.
This way the end-user only has to interact with their web browser when the manager application does not have a valid credential with the management web service. Obviously this is a big undertaking that still needs a lot of talking out, but that's the general idea.
summary: |
- Trusted credential-management apps are broken and may be doomed + Trusted credential-management apps are broken and doomed |
summary: |
- Trusted credential-management apps are broken and doomed + Provide a user-friendly way of authorizing desktop, GUI launchpadlib + applications |
Changed in launchpadlib: | |
status: | Triaged → In Progress |
assignee: | nobody → Leonard Richardson (leonardr) |
importance: | Low → High |
tags: |
added: qa-ok removed: qa-needstesting |
Changed in launchpadlib: | |
status: | Fix Committed → Fix Released |
Leonard and I discussed this with Jonathan Lange, Launchpad product strategist, today.
- We do still want to support being an openid consumer. (This is practically less important to us than other goals, but it is planned and desired nonetheless.)
- This means that, yes, the fake browser approach is doomed. We need to communicate this.
- We are in favor of the "management" desktop application that gets the one-time LP credentials. As of our current thinking, we would expect to support this with three parts.
* We would create and expose an API for the management desktop application to use to control the access of other programs.
* We would create a special standalone type of access for a user to grant to the management application. The management application would need this type of access to use the API discussed above.
* We would make a special webpage for this management desktop application to send the user to for granting this kind of access. The webpage would want to be particularly careful in its language, warning the user what is going on.
- I am marking this as a low priority, but if an Ubuntu developer begins work on the management desktop application, in coordination with Jonathan and other interested parties, we will raise the priority.