Simon Fell > Its just code > API Authentication List

Tuesday, November 28, 2006

Scott over at Perspectives on Salesforce has a post about an API Authentication List feature, a way to restrict what API based applications can do. This is something I've been thinking about a lot: application white listing (i.e. you can use Outlook Edition and Offline, but not the Data Loader or sf3), or per-application scoping (Application X only requires access to accounts, so make sure that's all it can access). All great ideas and features, but wait, how can the API server tell that the application making the request is in fact Outlook Edition and not SoqlXplorer? The problem is that while you can authenticate a person, authenticating an application is impossible to do 100% securely. The application's credential has to live on a machine the user controls, and whoever controls the machine can lift the credential out of it (unless the client OS has a TPM, and it can attest to the application's identity for you).

In his IdeaExchange entry, Scott has a screen shot from Flickr, which provides some similar features. If you go look at the Flickr authentication spec you'll see that it identifies applications using a shared secret. The secret itself never goes over the wire, only a signature computed from it, so that's good. If the application is another web based application, then it's reasonable to assume that the secret is reasonably secret: you've got to hack the web app server to find it. However for desktop client applications, that shared secret has to be on the client machine somewhere, and in that case it's not reasonable to assume it's safe; any determined person will be able to dig the secret out of wherever you've stashed it away. (And today's threat model is that it only takes one determined person to work it out and post it for all to find, not that everyone has to work it out themselves.) Once the secret is out, anyone holding it can sign requests that are indistinguishable from the real application's.
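To make the point concrete, here is an added example (mine, not code from Flickr, Salesforce or Scott's post) of a Flickr-style request signature: MD5 over the shared secret followed by the request parameters sorted by name. The parameter names, app key and secret are constructed for the example, and the exact signing construction is assumed from my reading of the Flickr spec rather than quoted from it. The server only ever sees the digest, so the secret does not cross the wire; but a second program that has dug the same secret out of the desktop client produces signatures the server cannot tell apart from the genuine application's.

```python
import hashlib
import hmac
from typing import Dict

# Constructed sample data: a fictitious application key and its shared secret.
APP_KEY = "a1b2c3d4"
APP_SECRET = "s3cr3t-only-the-app-should-know"

# Server-side registry of approved applications: app key -> shared secret.
# An "API Authentication List" would hang its per-application rights off this.
REGISTRY: Dict[str, str] = {APP_KEY: APP_SECRET}


def sign(params: Dict[str, str], secret: str) -> str:
    """Flickr-style signature (assumed construction): MD5 over the secret
    followed by the parameters sorted by name and concatenated as name+value.
    Only the resulting digest is sent; the secret stays on the client."""
    payload = secret + "".join(k + params[k] for k in sorted(params))
    return hashlib.md5(payload.encode("utf-8")).hexdigest()


def build_request(params: Dict[str, str], secret: str) -> Dict[str, str]:
    """Client side: attach api_sig to the outgoing parameters."""
    signed = dict(params)
    signed["api_sig"] = sign(params, secret)
    return signed


def verify(request: Dict[str, str], registry: Dict[str, str]) -> bool:
    """Server side: look up the claimed application, recompute the signature
    over everything except api_sig, and compare in constant time."""
    secret = registry.get(request.get("api_key", ""))
    claimed = request.get("api_sig")
    if secret is None or claimed is None:
        return False
    unsigned = {k: v for k, v in request.items() if k != "api_sig"}
    return hmac.compare_digest(sign(unsigned, secret), claimed)


# A request the approved desktop application would make (constructed).
QUERY = {"api_key": APP_KEY, "method": "query", "soql": "select Id from Account"}


def legitimate_request_accepted() -> bool:
    return verify(build_request(QUERY, APP_SECRET), REGISTRY)


def secret_stays_off_the_wire() -> bool:
    req = build_request(QUERY, APP_SECRET)
    return "api_sig" in req and APP_SECRET not in req.values()


def impostor_with_extracted_secret_accepted() -> bool:
    """A different program that pulled APP_SECRET out of the client binary.
    It sends the same api_key and a valid signature; the server has no way
    to know this is not the real application."""
    extracted_secret = APP_SECRET
    return verify(build_request(QUERY, extracted_secret), REGISTRY)


def impostor_without_secret_rejected() -> bool:
    """Guessing the secret wrong (or tampering with a signed request)
    fails verification, which is the property the scheme does deliver."""
    forged = build_request(QUERY, "wrong-guess")
    tampered = build_request(QUERY, APP_SECRET)
    tampered["soql"] = "select Id, Name, Email from Contact"
    return not verify(forged, REGISTRY) and not verify(tampered, REGISTRY)


if __name__ == "__main__":
    print("legit accepted:", legitimate_request_accepted())
    print("secret off wire:", secret_stays_off_the_wire())
    print("impostor with secret accepted:", impostor_with_extracted_secret_accepted())
    print("impostor without secret rejected:", impostor_without_secret_rejected())
```

The scheme protects the request against tampering and keeps the secret itself off the network; what it cannot do is bind the secret to one particular binary, which is exactly the gap a white list would need closed. (MD5 is what the spec of the day used; a new design would use an HMAC over a stronger hash, but that changes nothing about the secret-extraction problem.)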

Is that secure enough? I don't know; it largely depends on what you're trying to prevent. To stop people trying out random applications on their production data? Yeah, I'd think so. To stop a 3rd party application stealing all your data? Not if they were determined enough. To stop a disgruntled employee who's about to quit and wants to take a copy of all the sales data with them? That would likely depend on how well they can drive Google. What other options are there? Well, a blanket profile level API access enabled yay / nay would work, although I'd suspect this is only useful in a fairly small subset of cases.