@ozten
Created May 1, 2013 00:25
Wherein I reinvent the server to server authentication wheel. Using HAWK instead.
Mozilla websites which consume the MozLDAP web services should do so in a secure manner.
1) They should be done over https
2) They should sign their requests
3) MozLDAP should verify request signatures, before servicing a request.
Each webapp would have to register the following:
AppID: socorro-123456
Secret: somereallylongsecretwhichwasautogenerated
(I need to play with the real APIs more, bear with me)
Signing: For a request to `/exists?mail=foo@mozilla.com` the consumer website (say socorro) would do the following:
1) base64urlencode the AppID
2) base64urlencode the API `exists`
3) base64urlencode the request parameters `mail=foo@mozilla.com`
4) base64urlencode the current time (unix time)
5) Sign this string using HMAC-SHA256
6) base64urlencode that HMAC signature
7) Make a token by concatenating these together separated by `.`.
8) Append this token in a `token` parameter to the original request.
Example with fake data
https://mozldap.mozlla.org/exists?mail=foo@mozilla.com&token=Qfsblah.Qlsdfljk34.Qsdlkfjdfjd.Qsldkfjjek.Qsomereallylongsignature
Verification: MozLDAP servers will have a list of AppIDs and Secret Keys. When servicing requests, they will make sure the request has been signed properly based on the `token` parameter.
1) Get token
2) Split on `.` and make sure there are the required number of parts
3) base64urldecode each part
4) Make sure timestamp is within an acceptable range (expiration)
5) Using the AppID, look up that app's secret key (from config, disk, database or whatever)
6) Go through the signing steps (above in the Signing section). Compare the signature we compute with the signature which was pulled out of this token
If the signature is valid, continue servicing the request. Otherwise respond with a 401 or other relevant HTTP code.
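A worked implementation of the signing and verification steps above, added here as an example (it is not code from the gist). It assumes the string signed in step 5 is the four base64url parts joined by `.`, that the verifier recomputes the HMAC over the parts exactly as received, and a 300-second acceptance window for the timestamp; the AppID/secret pair is the constructed sample from the registration example.

```python
import base64
import hashlib
import hmac

# Constructed sample registration, mirroring the fake data above (not real credentials).
APPS = {"socorro-123456": b"somereallylongsecretwhichwasautogenerated"}
MAX_SKEW = 300  # seconds a token's timestamp may differ from server time (assumed window)


def b64url(data: bytes) -> str:
    """base64url without padding, as used in the token parts."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    """Inverse of b64url; restores padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign(app_id: str, secret: bytes, api: str, params: str, now: int) -> str:
    """Signing steps 1-7: build the dot-separated token for one request."""
    parts = [b64url(app_id.encode()), b64url(api.encode()),
             b64url(params.encode()), b64url(str(now).encode())]
    signed = ".".join(parts).encode()            # assumption: this is "this string" in step 5
    mac = hmac.new(secret, signed, hashlib.sha256).digest()
    parts.append(b64url(mac))
    return ".".join(parts)


def verify(token: str, api: str, params: str, now: int,
           apps: dict = APPS, max_skew: int = MAX_SKEW) -> bool:
    """Verification steps 1-6 for the API and parameters actually being served."""
    parts = token.split(".")
    if len(parts) != 5:                          # step 2: required number of parts
        return False
    try:                                         # step 3: decode each part
        app_id, tok_api, tok_params, ts = (b64url_decode(p).decode() for p in parts[:4])
        ts = int(ts)
    except (ValueError, UnicodeDecodeError):
        return False
    if abs(now - ts) > max_skew:                 # step 4: expiration window
        return False
    if tok_api != api or tok_params != params:   # bind the token to this request, not just to itself
        return False
    secret = apps.get(app_id)                    # step 5: look up the app's secret
    if secret is None:
        return False
    # step 6: recompute over the bytes received, compare in constant time
    expected = hmac.new(secret, ".".join(parts[:4]).encode(), hashlib.sha256).digest()
    return hmac.compare_digest(b64url(expected).encode(), parts[4].encode())
```

Comparing the decoded API name and parameters against the request being served is the check the verification list leaves implicit; the timestamp window only bounds how long a captured token stays usable, since the scheme carries no nonce.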
Benefits - Operations can lock down who can use mozLDAP. They can change AppIDs and Secret keys as needed.