
EVE Technology Lab


Discussion: Generate an XML API key via the SSO

CCP FoxFour
C C P
C C P Alliance
#1 - 2014-11-02 12:38:46 UTC
Hey guys,

The XML API is not going anywhere for a fairly long time. It's also heavily used on things like mobile. Even on the desktop, going to generate an API key is... not so fun. We are starting, and by starting I mean I will ask the SSO team after Phoebe is out, to look into if it would be possible to have the SSO create and return an API key for you.

There are a few things that would have to be solved if we did this though and a few things I would love feedback on from you guys.

In my opinion showing the user what information they are giving access to is going to be one of the hardest things. Listing individual access masks that are being requested and what they possibly give, and then having that change depending on the application, would just be confusing, in my opinion. Do you think it would be acceptable to have applications that are going to do this always request full character API keys? Then we can have it be consistent. Maybe we break it down into the sections listed on the API keys page? Maybe someone can convince me there is a clean way to show all of it? When I get back in the office I will post a screen shot of what it looks like now to request scopes from the SSO, but we are already worried about showing too many things there.

The other thing is should we allow corp keys to be generated this way? You would really have no way of knowing when someone logs in for the first time if they can create one.

Would each application creating its own API key become too many keys in the API keys page?

Any other comments or suggestions if we go ahead looking into this?

@CCP_FoxFour // Technical Designer // Team Tech Co

Third-party developer? Check out the official developers site for dev blogs, resources, and more.

Two step
Aperture Harmonics
#2 - 2014-11-02 13:29:31 UTC
CCP FoxFour wrote:
Hey guys,

The XML API is not going anywhere for a fairly long time. It's also heavily used on things like mobile. Even on the desktop, going to generate an API key is... not so fun. We are starting, and by starting I mean I will ask the SSO team after Phoebe is out, to look into if it would be possible to have the SSO create and return an API key for you.

There are a few things that would have to be solved if we did this though and a few things I would love feedback on from you guys.

In my opinion showing the user what information they are giving access to is going to be one of the hardest things. Listing individual access masks that are being requested and what they possibly give, and then having that change depending on the application, would just be confusing, in my opinion. Do you think it would be acceptable to have applications that are going to do this always request full character API keys? Then we can have it be consistent. Maybe we break it down into the sections listed on the API keys page? Maybe someone can convince me there is a clean way to show all of it? When I get back in the office I will post a screen shot of what it looks like now to request scopes from the SSO, but we are already worried about showing too many things there.

The other thing is should we allow corp keys to be generated this way? You would really have no way of knowing when someone logs in for the first time if they can create one.

Would each application creating its own API key become too many keys in the API keys page?

Any other comments or suggestions if we go ahead looking into this?


Lots of the stuff in the API is not super sensitive, and some stuff is. Perhaps show people big warnings if things like Assets, Eve mail or wallet log has been requested and otherwise just list the other stuff.

CSM 7 Secretary CSM 6 Alternate Delegate @two_step_eve on Twitter My Blog

Logix42
Taxation Damnation
#3 - 2014-11-02 14:15:45 UTC
I think this is a good idea, but it is vital that the user give explicit permission for this to happen.

I already create a separate API key for every application that I use and I suspect a lot of people do. (Maybe you could run some numbers for the average number of API keys for people who use them) I do this so that I can very easily revoke access to any single application should I discover it is a SPAI or whatnot. So I don't think it's crazy to create a whole bunch of keys, just make sure they're named decently.

What immediately comes to mind for how this should be implemented is something similar to the way an Android app requests permissions for things on your phone through Google Play. Example Image

Go beyond the edge of space... Explore

CCP FoxFour
C C P
C C P Alliance
#4 - 2014-11-02 14:33:50 UTC
Logix42 wrote:
I think this is a good idea, but it is vital that the user give explicit permission for this to happen.


Most definitely.


Querns
Science and Trade Institute
Caldari State
#5 - 2014-11-02 15:19:58 UTC
Would it be possible for the XML API key being returned to have its "No Expiry" flag set (or, better yet, for the requesting application to ask for a specific expiration time, or "no expiry")? Right now, createPredefined does not set this automatically, and if we are looking for true passthrough API key generation, it's going to suck to require users to make the key, then hoof it back to the normal API key generation page to tick it as "no expiry."

I ask because I'm guessing the decision to leave "no expiry" unchecked with the current createPredefined endpoint was deliberate.

This post was crafted by the wormhole expert of the Goonswarm Economic Warfare Cabal, the foremost authority on Eve: Online economics and gameplay.

Death Escapist
Ministry of War
Amarr Empire
#6 - 2014-11-02 15:48:45 UTC  |  Edited by: Death Escapist
Having a full API key as default is a complete no-no. People don't just talk about EVE in mails, as an example - so there are very different levels of how sensitive people are about handing out their API key to start with.

Having anyone else than CCP being able to create API keys is another level where trust is going to be a serious issue. I for one would never ever trust anyone but CCP themselves to hand me my API key - even if you would outsource it to an official 'provider'. It would be a reason for me to leave actually.

As of now, especially new players and non-technical players are completely overwhelmed with the abilities of the API and cannot possibly make a decent decision on whether this is a good thing to hand out or not. I personally have spent many an hour explaining what handing out the API involves and why, and often people refuse outright to do it when they understand that mails etc. are going to be visible with a full API key.

Edit: The planned listing has to be dead simple and cannot be on a level that requires a player to understand inside-EVE, as most corporations and alliances already ask for a full API key when a player wants to join. Which is imho a good sign that even experienced players don't know what that actually means - many I asked just answered: everyone else does it too.

'Bound to fail he continues to smash the concrete wall between life and death' - Unknown pilot

CCP FoxFour
C C P
C C P Alliance
#7 - 2014-11-02 16:02:18 UTC
Death Escapist wrote:
Having anyone else than CCP being able to create API keys is another level where trust is going to be a serious issue. I for one would never ever trust anyone but CCP themselves to hand me my API key - even if you would outsource it to an official 'provider'. It would be a reason for me to leave actually.


Where did this come from?


Death Escapist
Ministry of War
Amarr Empire
#8 - 2014-11-02 16:04:17 UTC  |  Edited by: Death Escapist
CCP FoxFour wrote:
Death Escapist wrote:
Having anyone else than CCP being able to create API keys is another level where trust is going to be a serious issue. I for one would never ever trust anyone but CCP themselves to hand me my API key - even if you would outsource it to an official 'provider'. It would be a reason for me to leave actually.


Where did this come from?


I should have phrased that better - that is reflecting how players without the knowledge think about clicking a predefined set for the API key. We as users have to trust that they really just request the needed elements, without really knowing why, because their application/service is a closed black box.


CCP FoxFour
C C P
C C P Alliance
#9 - 2014-11-02 16:20:34 UTC
Death Escapist wrote:
CCP FoxFour wrote:
Death Escapist wrote:
Having anyone else than CCP being able to create API keys is another level where trust is going to be a serious issue. I for one would never ever trust anyone but CCP themselves to hand me my API key - even if you would outsource it to an official 'provider'. It would be a reason for me to leave actually.


Where did this come from?


I should have phrased that better - that is reflecting how players without the knowledge think about clicking a predefined set for the API key. We as users have to trust that they really just request the needed elements, without really knowing why, because their application/service is a closed black box.


Ah yes. This is what it looks like right now if your application requests permissions from CREST via the SSO: http://i.imgur.com/L939SZ5.jpg

I imagine if we had it so an application could request to create an API key we would have something similar. My concern however is showing everything would be very big and hard to understand.


Death Escapist
Ministry of War
Amarr Empire
#10 - 2014-11-02 16:30:26 UTC  |  Edited by: Death Escapist
CCP FoxFour wrote:


Ah yes. This is what it looks like right now if your application requests permissions from CREST via the SSO: http://i.imgur.com/L939SZ5.jpg

I imagine if we had it so an application could request to create an API key we would have something similar. My concern however is showing everything would be very big and hard to understand.



That actually already looks a lot easier to understand from a user's point of view. Now just replace the wording with some simple text like 'Allows the requesting application to read all information related to your personal contact list, including standings and watch list settings' - and you are heading in the right direction. Including a check box for each section will ensure that a user isn't forced into a 'yes' or 'no' decision for the entire thing. That means it could thereby be used to reply with feedback on what the user would agree to, and enable the application provider to possibly make changes if many users seem to have a hard time with certain sections.


Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#11 - 2014-11-02 18:47:19 UTC
I'd suggest, if it's viable, treating it much like privileges on Android are shown.

So you have some top level headings, but if you want to see the actual details, you can hit a drop down and get details.

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter

Saisin
Chao3's Rogue Operatives Corp
#12 - 2014-11-02 19:39:44 UTC
I strongly oppose anything geared toward having API keys generated via any kind of SSO login, except from CCP's sites.

The concept of the API is critical to understand for people to give their API key to anyone else. They may not realize the scope of what they are giving out, and more importantly may be conned into giving away too much.

Going through the current process is a way to not trivially create API keys. It is not con proof but at least requires a bit of research and brain cycles dedicated to creating that API key.

Linking an API key to an act as simple and as common as signing on somewhere (under the auspices of security commonly associated with SSO) is room for abuse and exploitation of characters' data by unscrupulous players that fully intend to grief or use data for their own in-game benefit.

This is a perception issue, and the API key needs to remain clearly separated from SSO.

Vote Borat Guereen for CSM XII

Check out the Minarchist Space Project

Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#13 - 2014-11-02 20:11:48 UTC
Saisin wrote:
I strongly oppose anything geared toward having API keys generated via any kind of SSO login, except from CCP's sites.

The concept of the API is critical to understand for people to give their API key to anyone else. They may not realize the scope of what they are giving out, and more importantly may be conned into giving away too much.

Going through the current process is a way to not trivially create API keys. It is not con proof but at least requires a bit of research and brain cycles dedicated to creating that API key.

Linking an API key to an act as simple and as common as signing on somewhere (under the auspices of security commonly associated with SSO) is room for abuse and exploitation of characters' data by unscrupulous players that fully intend to grief or use data for their own in-game benefit.

This is a perception issue, and the API key needs to remain clearly separated from SSO.



What I'd expect, process wise:

You go to a site.
you hit the log in link.
This sends you to the SSO site to log in.
You give it your details.
you pick your character.
It says 'do you want to create a key with the following things for this site'
you say 'yes'
it passes the key to the site, along with who you are (in the normal SSO way)


Death Escapist
Ministry of War
Amarr Empire
#14 - 2014-11-02 20:52:26 UTC  |  Edited by: Death Escapist
Steve Ronuken wrote:
Saisin wrote:
I strongly oppose anything geared toward having API keys generated via any kind of SSO login, except from CCP's sites.

The concept of the API is critical to understand for people to give their API key to anyone else. They may not realize the scope of what they are giving out, and more importantly may be conned into giving away too much.

Going through the current process is a way to not trivially create API keys. It is not con proof but at least requires a bit of research and brain cycles dedicated to creating that API key.

Linking an API key to an act as simple and as common as signing on somewhere (under the auspices of security commonly associated with SSO) is room for abuse and exploitation of characters' data by unscrupulous players that fully intend to grief or use data for their own in-game benefit.

This is a perception issue, and the API key needs to remain clearly separated from SSO.



What I'd expect, process wise:

You go to a site.
you hit the log in link.
This sends you to the SSO site to log in.
You give it your details.
you pick your character.
It says 'do you want to create a key with the following things for this site'
you say 'yes'
it passes the key to the site, along with who you are (in the normal SSO way)



I have no figures about how many people use SSO so far, but what personally irritates me with the SSO is that I cannot determine a clear visual difference between my normal account management login and the SSO login page - which so far has kept me clearly away from using it at all.

Edit: To clarify that - EVE contains payment data; a social network doesn't. So I know that I am not the only one that is really hesitating to use SSO to begin with, unless it's very visible what kind of logon happens.


Kali Izia
GoomWaffe
#15 - 2014-11-02 21:04:35 UTC
CCP FoxFour wrote:
In my opinion showing the user what information they are giving access to is going to be one of the hardest things. Listing individual access masks that are being requested and what they possibly give, and then having that change depending on the application, would just be confusing, in my opinion.

The way other apps like Twitter, Facebook etc do this is list it on the Oauth login page.
Let us set it in the scope, and when the user is selecting their character they'd see something like

Quote:
AppName is requesting to create an API key with access to your:

  • Assets
  • Wallet
  • etc

Either use the same names as on the current API page for consistency, or group them to make it more readable.

You'd probably want something similar with authenticated CREST and having different scopes to limit access anyway, so why not do it the right way now?
Fake edit: I see the screenshot with the CREST scopes; it seems like that's already done, so something like that would be fine for this too.

Makari Aeron
Imperial Shipment
Amarr Empire
#16 - 2014-11-02 21:05:21 UTC
Personally, I had hoped SSO would replace the XML API and allow the SSO to create a special, partial API-like thing that only worked for that site and was stored in the site itself, not on CCP's servers. Kinda like how you see the random websites that use social networking site logins. "Login with Google and let it access X of your personal information."

CCP RedDawn: Ugly people are just playing life on HARD mode. Personally, I'm playing on an INFERNO difficulty.

CCP Goliath: I often believe that the best way to get something done is to shout at the person trying to help you. http://goo.gl/PKGDP

Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#17 - 2014-11-02 21:17:38 UTC
Makari Aeron wrote:
Personally, I had hoped SSO would replace the XML API and allow the SSO to create a special, partial API-like thing that only worked for that site and was stored in the site itself, not on CCP's servers. Kinda like how you see the random websites that use social networking site logins. "Login with google and let it access X of your personal information."



That's what CREST is.

It's just not quite ready yet.


Kali Izia
GoomWaffe
#18 - 2014-11-02 21:46:24 UTC
CCP FoxFour wrote:

Ah yes. This is what it looks like right now if your application requests permissions from CREST via the SSO: http://i.imgur.com/L939SZ5.jpg

I imagine if we had it so an application could request to create an API key we would have something similar. My concern however is showing everything would be very big and hard to understand.

After seeing this, maybe you could present it something like this mockup?
http://i.imgur.com/NvJcZPQ.png

The key would be to use common groupings, but more specific than the API page so you can still see at a glance what that app is trying to do. And then you can click on those groups to drill down to see exactly what it's requesting.
For example the "Private Information" group might be broken down into something like:

Assets:

  • AssetList
  • Locations
  • Contracts


Account Information:

  • AccountStatus
  • CharacterInfo
  • SkillQueue
  • SkillInTraining
  • CharacterSheet


Calendar:

  • UpcomingCalendarEvents
  • CalendarEventAttendees

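The consent screen sketched in this post (grouped sections that drill down to the individual XML API endpoints), together with Two step's warning for sensitive sections and Death Escapist's per-section check boxes, as an added example that is not code from the thread or from CCP. The bit values, group names and the sensitive flags in the table are constructed for the example; the thread does not list the real access-mask values.

```python
# Added example (not from the thread): group the bits of a requested XML API
# access mask into consent-screen sections, flag the sensitive ones, and compute
# the reduced mask when the user ticks only some sections. Bit values are
# CONSTRUCTED placeholders, not the real XML API access-mask values.

# (bit, endpoint name, display group, sensitive?) -- constructed table.
ACCESS_MASK_TABLE = [
    (1 << 0, "AssetList", "Assets", True),
    (1 << 1, "Locations", "Assets", True),
    (1 << 2, "Contracts", "Assets", True),
    (1 << 3, "AccountStatus", "Account Information", False),
    (1 << 4, "CharacterInfo", "Account Information", False),
    (1 << 5, "SkillQueue", "Account Information", False),
    (1 << 6, "SkillInTraining", "Account Information", False),
    (1 << 7, "CharacterSheet", "Account Information", False),
    (1 << 8, "UpcomingCalendarEvents", "Calendar", False),
    (1 << 9, "CalendarEventAttendees", "Calendar", False),
    (1 << 10, "MailMessages", "EVE Mail", True),
    (1 << 11, "MailBodies", "EVE Mail", True),
    (1 << 12, "WalletJournal", "Wallet", True),
    (1 << 13, "WalletTransactions", "Wallet", True),
]


def group_requested(mask):
    """Map a requested access mask to {group: [endpoint, ...]} for display.
    Bits the table cannot name are reported rather than hidden, so the screen
    never silently omits a permission the application asked for."""
    groups = {}
    known = 0
    for bit, name, group, _ in ACCESS_MASK_TABLE:
        known |= bit
        if mask & bit:
            groups.setdefault(group, []).append(name)
    unknown = mask & ~known
    if unknown:
        groups["Unrecognised bits"] = [hex(unknown)]
    return groups


def sensitive_groups(mask):
    """Sections that deserve a big warning (assets, mail, wallet in the table)."""
    return sorted({g for bit, _, g, s in ACCESS_MASK_TABLE if s and mask & bit})


def render_consent(app_name, mask):
    """Text version of the consent screen: one check box per group, with the
    endpoints listed underneath so the user can drill down."""
    lines = ["%s is requesting to create an API key with access to your:" % app_name]
    warn = set(sensitive_groups(mask))
    for group, names in group_requested(mask).items():
        flag = " (WARNING: sensitive)" if group in warn else ""
        lines.append("  [ ] %s%s" % (group, flag))
        lines.extend("        - " + n for n in names)
    return "\n".join(lines)


def approve(mask, approved_groups):
    """Per-section check boxes: keep only the bits whose group the user ticked.
    Unrecognised bits are never granted, so the key that gets created carries
    no more than what was shown and consented to."""
    granted = 0
    for bit, _, group, _ in ACCESS_MASK_TABLE:
        if mask & bit and group in approved_groups:
            granted |= bit
    return granted
```

The mask returned by `approve` is what the SSO would hand to key creation; it can be smaller than what the application requested, which is the feedback signal Death Escapist describes.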

Slvrsmth
Native Freshfood
Minmatar Republic
#19 - 2014-11-03 10:03:23 UTC
This is the next best thing after CREST-ifying all the existing protected endpoints.

Carebearium - find the best solar system for you!

Makari Aeron
Imperial Shipment
Amarr Empire
#20 - 2014-11-03 12:12:00 UTC
Steve Ronuken wrote:
Makari Aeron wrote:
Personally, I had hoped SSO would replace the XML API and allow the SSO to create a special, partial API-like thing that only worked for that site and was stored in the site itself, not on CCP's servers. Kinda like how you see the random websites that use social networking site logins. "Login with google and let it access X of your personal information."



That's what CREST is.

It's just not quite ready yet.


And I've been waiting for it for years, I had just hoped SSO would have what I expected CREST to do. I'll just have to go find my bullwhip and energy drinks.... :P

