Why does Google Reader API need a Token for Edit actions? Is access_token enough?


Tony Zeng

Aug 24, 2012, 7:43:44 AM
to foug...@googlegroups.com
Hello.

Just being curious about the design of Google Reader API.

So, for edit actions (edit tag, remove tag, etc.), we need a Token in the POST request.

In order to get the Token, we need to GET one providing the access_token value.

I am just curious, why design it like this?

The point is that access_token is already a door which the user allows us to access, why set the second door? If I need something else (other than access_token) to get the Token, I can understand this design (it is like a different key for the 2nd door). But I need only access_token (the same key for 2 doors), so I feel strange about it.

Why not just use access_token for edit actions, like for reading actions?

This design causes trouble when using the API.

I have to regularly update my Token value and also take care of the possible Token Invalid error. For edit actions, there is a chance that I need two requests to get an action done.

Can anyone explain it to me?

Thanks

Mihai Parparita

Aug 24, 2012, 1:31:51 PM
to foug...@googlegroups.com
The two tokens operate at two different layers:

1. At the authentication layer, access_token is used to authenticate the user.
2. At the API layer, T (action token) is used to prevent cross-site request forgery attacks (http://en.wikipedia.org/wiki/Cross-site_request_forgery).

Authentication can be done in other ways. Specifically, when using the main Google Reader website, authentication is done via cookies. In that case, if we didn't require an action token, then another site could blindly send an http://www.google.com/reader/api/0/mark-all-as-read POST request. It wouldn't be able to read the response, but the request would still affect the currently logged-in user's account.

You are right that in cases where the authentication is done via a query parameter (as opposed to something "ambient" like cookies), then we don't really need the action token to protect against CSRF. But when Reader was first launched, the only authentication method that was supported was cookie-based, so this wasn't a need then. Later, when OAuth support was added, the complexity of making the action token optional depending on the authentication method was deemed unnecessary. One of the perils of using an unofficial, unsupported API.

Mihai
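The two layers Mihai describes, as an added example that is not part of the thread and not Google Reader's own code. It models a server-side handler for an edit endpoint: layer one identifies the caller from either a session cookie (ambient, attached by the browser to any cross-site POST) or an explicit `access_token` query parameter; layer two requires an HMAC-based action token `T` that expires, which is what produces the "Token Invalid" errors and the periodic refresh Tony complains about. The `token_always_required` switch shows both behaviours: Reader's actual rule (T is always required) and the conditional rule Mihai says was considered and rejected. Credential stores, the secret key, the token lifetime and the `Request` shape are all constructed for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed values for the example; a real server keeps these elsewhere.
SECRET_KEY = b"constructed-server-secret"
TOKEN_LIFETIME = 600  # seconds per token window (assumed value)
SESSIONS = {"sid-abc": "alice"}          # cookie session id -> user
ACCESS_TOKENS = {"ya29.constructed": "alice"}  # OAuth access_token -> user


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)  # query string
    form: dict = field(default_factory=dict)    # POST body


def _mac(user: str, window: int) -> str:
    return hmac.new(SECRET_KEY, f"{user}:{window}".encode(),
                    hashlib.sha256).hexdigest()[:32]


def issue_action_token(user: str, now: int) -> str:
    """What GET /token would hand back: bound to the user and a time window."""
    window = now // TOKEN_LIFETIME
    return f"{window}:{_mac(user, window)}"


def verify_action_token(user: str, token: str, now: int) -> bool:
    """Accept the current window and the previous one, so a token issued
    just before a boundary is still usable; anything older is 'Token Invalid'."""
    try:
        window_str, mac = token.split(":", 1)
        window = int(window_str)
    except (ValueError, AttributeError):
        return False
    current = now // TOKEN_LIFETIME
    if window not in (current, current - 1):
        return False
    return hmac.compare_digest(_mac(user, window), mac)


def authenticate(req: Request):
    """Layer 1: who is calling, and was the credential ambient (cookie)?
    Returns (user, ambient); user is None if nothing matched."""
    if "access_token" in req.params:
        return ACCESS_TOKENS.get(req.params["access_token"]), False
    sid = req.cookies.get("SID")
    if sid in SESSIONS:
        return SESSIONS[sid], True
    return None, False


def authorize_edit(req: Request, now: int, token_always_required: bool = True):
    """Layer 2: CSRF protection for a state-changing endpoint.
    Returns (status, message) the way the API would answer."""
    if req.method != "POST":
        return 405, "method not allowed"
    user, ambient = authenticate(req)
    if user is None:
        return 401, "unauthorized"
    # A cookie is sent by the browser on a forged cross-site POST too, so an
    # ambient credential alone must not be enough to perform the edit.
    if ambient or token_always_required:
        token = req.form.get("T")
        if not token or not verify_action_token(user, token, now):
            return 400, "Token Invalid"
    return 200, f"edited as {user}"


if __name__ == "__main__":
    now = 1_000_000
    forged = Request("POST", "/reader/api/0/mark-all-as-read",
                     cookies={"SID": "sid-abc"})  # no T: attacker can't read it
    print(authorize_edit(forged, now))            # (400, 'Token Invalid')
    legit = Request("POST", "/reader/api/0/edit-tag", cookies={"SID": "sid-abc"},
                    form={"T": issue_action_token("alice", now)})
    print(authorize_edit(legit, now))             # (200, 'edited as alice')
```

The forged request fails even though the cookie authenticates the user, because the attacking page cannot read the response to `GET /token` and so cannot supply `T`. With `token_always_required=False` an `access_token` caller gets through without `T`, which is the simplification Mihai says Reader never adopted; note that expiry is what forces clients to re-fetch the token and retry.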