Anmol Madan
suggested this on February 12, 2011 03:15
Hi Paul / Geckoboard,
We really like your app. However, we have a lot of relevant user-related data that we'd like to display on geckoboard. Are you planning to upgrade the auth mechanism from HTTP basic auth to something better?
We're concerned that the current auth puts our user data at risk. Our alternative is to build our own dashboard implementation.
Thanks,
-A
Comments
Hi,
We are always looking at how to improve the service at what would be best for our users so are definitely open to changing the auth mechanism. What would you feel would be a better alternative for you? It would be great to know what would make you feel like your data is more secure.
Ciara
I am not a security expert, but I can suggest an easy solution that would work for us, and I expect for many other folks as well.
For the custom widgets, you could send the username and password as parameters in the GET request over HTTPS/SSL. The custom app would either report some standard authentication failure (if the username/password were invalid) or the data in JSON/XML formats as you do now.
I can set up a test server for you on our end very quickly, and also help with documentation etc. if you can implement this feature for us.
(To maintain the easy UI for new users in your current implementation, perhaps you'd add these as another item, "secure authenticated widgets", in the custom widgets menu.)
Hi Anmol - are you suggesting embedding the username/password as URL parameters?
Perhaps send the username / password as part of a POST request. As long as it only worked with HTTPS connections, that would be fine.
We're open to almost any other solution that provides a higher level of security than basic auth over clear HTTP. We have user data to display, and basic auth over clear text is a security risk.
[Sorry for the slow response, was traveling]
In a similar vein, we currently have to open our API access to all of Amazon's Web Services network (*.amazonaws.com). We'd really prefer to not have to do that. If we could narrow the incoming requests from Geckoboard to some known/trusted addresses, or a single hostname, that would be preferable.
To access secure feeds, it would be sufficient to enter the username and password for HTTP Basic Authentication and support HTTPS as the URL scheme.
Without such protection, it is hard for us to recommend geckoboard as a visualization tool for real-time business data as we would need to open access to the customer data.
Hi - any update on this? I would also like to use Geckoboard but am being challenged by our security people to produce more info on how security works. I think I might be ok to publish anonymous Google Analytics data (visits, views etc.) but wouldn't be able to publish any internal messages, e.g. business results via custom widgets.
Currently, you can only use the API key to 'secure' the widget, with the password being set to X. You can also whitelist our IP addresses to restrict access to the data calls. However, I'll flag up this request for password authentication as it's related to something we're working on shortly and so could be included in that. Thanks.
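An added example of the server-side checks this thread asks for, written here for illustration and not code from Geckoboard or from anyone in the thread: a custom-widget endpoint that refuses clear HTTP (so Basic credentials never travel in plain text), restricts polling to an allow-list of source addresses, and validates a real username/password pair with a constant-time comparison. The user name, secret, the 203.0.113.0/24 range and the widget payload are constructed placeholders.

```python
import base64
import hmac
import ipaddress

# Constructed placeholders: one widget user and the dashboard's egress range.
WIDGET_USERS = {"dashboard": "s3cr3t-widget-key"}
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]


def basic_header(user, password):
    """Build the Authorization header a dashboard would send (client side)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_auth(header):
    """Return (user, password) from a Basic header, or None if it is malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authorize_widget_request(scheme, source_ip, auth_header):
    """Decide whether a widget poll gets data. Returns (status_code, body)."""
    if scheme != "https":
        # Credentials must never be accepted over clear HTTP.
        return 403, {"error": "https required"}
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return 400, {"error": "bad source address"}
    if not any(addr in net for net in ALLOWED_SOURCES):
        return 403, {"error": "source not allowed"}
    creds = parse_basic_auth(auth_header)
    if creds is None:
        return 401, {"error": "authentication required"}
    user, password = creds
    expected = WIDGET_USERS.get(user)
    # compare_digest avoids leaking the secret through comparison timing.
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return 401, {"error": "invalid credentials"}
    return 200, {"item": [{"value": 42, "text": "active users"}]}  # constructed payload
```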
Hi Gareth, any updates?
No, I'll update this topic when I have more info. Thanks.
I would also like to request this feature - secure https polling connections.