Why does Google Reader API need a Token for Edit actions? Is access_token enough?
From: Tony Zeng <massd...@gmail.com>
Date: Fri, 24 Aug 2012 04:43:44 -0700 (PDT)
Subject: Why does Google Reader API need a Token for Edit actions? Is access_token enough?

Hello.

Just being curious about the design of Google Reader API.

So, for edit actions (edit tag, remove tag, etc.), we need a Token in the
POST request.

In order to get the Token, we need to GET one, providing the access_token
value.

*I am just curious: why design it like this?*

The point is that access_token is already a door which the user allows us
through, so why set up a second door? If I needed something else (other than
access_token) to get the Token, I could understand this design (it would be
like a different key for the 2nd door). But I need only access_token (the same
key for both doors), so it feels strange to me.

Why not just use access_token for edit actions, like for reading actions?

*This design makes the API troublesome to use.*

I have to update my Token value regularly and also handle the possible
Token Invalid error. For edit actions, there is a chance that I need
two requests to get one action done.

Can anyone explain it to me?

Thanks

From: Mihai Parparita <mih...@google.com>
Date: Fri, 24 Aug 2012 10:31:51 -0700
Subject: Re: Why does Google Reader API need a Token for Edit actions? Is access_token enough?

The two tokens operate at two different layers:

1. At the authentication layer, access_token is used to authenticate the
user.
2. At the API layer, T (action token) is used to prevent cross-site request
forgery attacks (http://en.wikipedia.org/wiki/Cross-site_request_forgery).

Authentication can be done in other ways. Specifically, when using the main
Google Reader website, authentication is done via cookies. In that case, if
we didn't require an action token, then another site could blindly send a
POST request to http://www.google.com/reader/api/0/mark-all-as-read. It
wouldn't be able to read the response, but the request would still affect
the currently logged-in user's account.

You are right that in cases where the authentication is done via a query
parameter (as opposed to something "ambient" like cookies), then we don't
really need the action token to protect against CSRF. But when Reader was
first launched, the only authentication method that was supported was
cookie-based, so this wasn't a need then. Later, when OAuth support was
added, the complexity of making the action token optional depending on the
authentication method was deemed unnecessary. One of the perils of using an
unofficial, unsupported API.

Mihai


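As an added illustration of the two layers Mihai describes (this is example code written for this page, not Google Reader's implementation; every name in it, including the session and token tables, the SECRET key, Request, handle, cross_site_post and legit_edit, is constructed), the model below lets you run the three situations side by side: a forged cross-site POST riding on ambient cookies, the two-request "GET T, then POST with T" dance the question complains about, and the bearer-only POST the question proposes. The `policy` parameter switches between Reader's actual behaviour ("always" require T), the variant Mihai says would also be safe ("cookie-only"), and no CSRF defence at all ("never"):

```python
# Added example (not Google Reader's code): a minimal model of the two layers
# Mihai describes. All identifiers below are constructed for illustration.
import hmac
import hashlib
from dataclasses import dataclass, field

SESSIONS = {"sid-alice-1": "alice"}            # constructed: cookie value -> user
ACCESS_TOKENS = {"ya29.constructed": "alice"}  # constructed: OAuth access_token -> user
SECRET = b"constructed-server-side-key"        # constructed: server-only HMAC key

TOKEN_PATH = "/reader/api/0/token"
EDIT_PATH = "/reader/api/0/mark-all-as-read"


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)   # attached by the browser automatically
    params: dict = field(default_factory=dict)    # query / form parameters
    headers: dict = field(default_factory=dict)


def authenticate(req):
    """Return (user, how). 'bearer' = caller supplied access_token explicitly;
    'cookie' = ambient credential the browser attaches to any request to the origin."""
    auth = req.headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return ACCESS_TOKENS.get(auth[len("Bearer "):]), "bearer"
    if "access_token" in req.params:
        return ACCESS_TOKENS.get(req.params["access_token"]), "bearer"
    sid = req.cookies.get("SID")
    if sid in SESSIONS:
        return SESSIONS[sid], "cookie"
    return None, None


def issue_action_token(user):
    """Per-user T. A keyed HMAC, so it cannot be forged without SECRET. A real
    server would also bind it to the session and rotate it, which is where a
    'Token Invalid' error comes from; that is omitted here."""
    return hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()


def handle(req, policy="always"):
    """policy: 'always' = what Reader did; 'cookie-only' = skip T when the
    credential is non-ambient (what the question proposes); 'never' = no CSRF defence."""
    user, how = authenticate(req)
    if user is None:
        return 401, "unauthenticated"
    if req.method == "GET" and req.path == TOKEN_PATH:
        return 200, issue_action_token(user)
    if req.method == "POST" and req.path == EDIT_PATH:
        needs_t = policy == "always" or (policy == "cookie-only" and how == "cookie")
        t = req.params.get("T")
        if needs_t and not (t and hmac.compare_digest(issue_action_token(user), t)):
            return 403, "missing or invalid action token"
        return 200, f"marked all as read for {user}"
    return 404, "not found"


def cross_site_post(victim_cookies, policy):
    """Forged POST from another site: the browser attaches the victim's cookies,
    but the attacker can read neither T nor access_token (same-origin policy),
    so the body carries only what the attacker chose to put in it."""
    forged = Request("POST", EDIT_PATH, cookies=dict(victim_cookies),
                     params={"s": "user/-/state/com.google/reading-list"})
    return handle(forged, policy)


def legit_edit(access_token, policy):
    """The two-request dance the question describes: GET T, then POST with T."""
    hdr = {"Authorization": f"Bearer {access_token}"}
    status, t = handle(Request("GET", TOKEN_PATH, headers=hdr), policy)
    if status != 200:
        return status, t
    return handle(Request("POST", EDIT_PATH, headers=hdr, params={"T": t}), policy)


def bearer_edit_without_token(access_token, policy):
    """A single POST carrying only access_token, as the question proposes."""
    return handle(Request("POST", EDIT_PATH,
                          params={"access_token": access_token}), policy)
```

Running the forged request under "never" shows the attack landing on the cookie-authenticated user with a 200; under "always" or "cookie-only" it gets a 403 because the attacker has no way to learn T. The bearer-only POST is accepted under "cookie-only" (the credential is not ambient, so there is nothing for a third-party page to ride on) but rejected under "always", which is exactly the extra round trip and the Token Invalid handling the question is asking about.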