
Better authentication for custom widgets

Anmol Madan
suggested this on February 12, 2011 03:15

Hi Paul / Geckoboard,

We really like your app. However, we have a lot of relevant user-related data that we'd like to display on geckoboard. Are you planning to upgrade the auth mechanism from HTTP basic auth to something better?

We're concerned that the current auth puts our user data at risk. Our alternative is to build our own dashboard implementation.

Thanks,
-A


Comments

Ciara
Geckoboard

Hi,

We are always looking at how to improve the service at what would be best for our users so are definitely open to changing the auth mechanism. What would you feel would be a better alternative for you? It would be great to know what would make you feel like your data is more secure.

Ciara

February 14, 2011 11:27
Anmol Madan

I am not a security expert, but I can suggest an easy solution that would work for us, and I expect for many other folks as well.

For the custom widgets, you could send the username and password as parameters in the GET request over HTTPS/SSL. The custom app would either report some standard authentication failure (if the username/password were invalid) or the data in JSON/XML formats as you do now.  

I can set up a test server for you on our end very quickly, and also help with documentation etc. if you can implement this feature for us.

(To maintain the easy UI for new users in your current implementation, perhaps you'd add these as another item, "secure authenticated widgets" in the custom widgets menu)

February 15, 2011 22:32
Paul Joyce
Geckoboard

Hi Anmol - are you suggesting embedding the username/password as URL parameters?

February 16, 2011 16:53
Anmol Madan

Perhaps send the username / password as part of a POST request. As long as it only worked with HTTPS connections, that would be fine.

We're open to almost any other solution that provides a higher level of security than basic auth over clear HTTP. We have user data to display, and basic auth over clear text is a security risk.

[Sorry for the slow response, was traveling]


February 21, 2011 23:04
Michael Styne

In a similar vein, we currently have to open our API access to all of Amazon's Web Services network (*.amazonaws.com). We'd really prefer to not have to do that. If we could narrow the incoming requests from Geckoboard to some known/trusted addresses, or a single hostname, that would be preferable.

February 23, 2011 16:44
mcarrer

To access secure feeds, it would be sufficient to enter the username and password for HTTP Basic Authentication and support HTTPS as the URL scheme.

Without such protection, it is hard for us to recommend geckoboard as a visualization tool for real-time business data as we would need to open access to the customer data.

April 15, 2012 02:24
Neil Richardson

Hi - any update on this? I would also like to use Geckoboard but am being challenged by our security people to produce more info on how security works. I think I might be ok to publish anonymous Google Analytics data (visits, views etc.) but wouldn't be able to publish any internal messages, e.g. business results, via custom widgets.

August 29, 2012 13:27
Gareth Wilson
Geckoboard

Currently, you can only use the API key to 'secure' the widget, with the password being set to X. You can also whitelist our IP addresses to restrict access to the data calls. However, I'll flag up this request for password authentication as it's related to something we're working on shortly and so could be included in that. Thanks.

August 30, 2012 09:59
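Putting together the pieces mentioned in this thread (Basic auth only over HTTPS, the API key as the username with "X" as the password, and a source-address allowlist for the poller), as an added example that is not Geckoboard's code: a server-side check a custom-widget feed could run before returning its JSON. The API key, the 203.0.113.0/24 allowlist and the widget payload are constructed sample values.

```python
import base64
import hmac
import ipaddress

# Constructed sample values for this example (not Geckoboard's real key or addresses).
WIDGET_API_KEY = "example-api-key-0123"   # sent as the Basic-auth username
WIDGET_PASSWORD = "X"                     # placeholder password, as described in the thread
TRUSTED_SOURCE_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range
SAMPLE_WIDGET_DATA = {"item": [{"value": 42, "text": "Active users"}]}


def _parse_basic_auth(header):
    """Return (username, password) from an HTTP Basic Authorization header, or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authorize_widget_request(headers, client_ip, scheme):
    """Decide whether a custom-widget poll may receive data.

    Returns (status_code, body). Credentials are only accepted over HTTPS so they
    never travel in clear text, the poller must come from an allowlisted range,
    and the comparison is constant-time to avoid leaking key bytes by timing.
    """
    if scheme != "https":
        return 403, {"error": "credentials only accepted over https"}
    try:
        src = ipaddress.ip_address(client_ip)
    except ValueError:
        return 403, {"error": "bad client address"}
    if not any(src in net for net in TRUSTED_SOURCE_NETS):
        return 403, {"error": "source address not allowlisted"}
    creds = _parse_basic_auth(headers.get("Authorization"))
    if creds is None:
        return 401, {"error": "missing or malformed Basic credentials"}
    user, password = creds
    # '&' rather than 'and' so both comparisons always run (no short-circuit).
    ok = hmac.compare_digest(user.encode(), WIDGET_API_KEY.encode()) & \
        hmac.compare_digest(password.encode(), WIDGET_PASSWORD.encode())
    if not ok:
        return 401, {"error": "invalid credentials"}
    return 200, SAMPLE_WIDGET_DATA


def basic_header(user, password):
    """Build the Authorization header value a poller would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```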
Clin

Hi Gareth, any updates?

January 02, 2013 17:30
Gareth Wilson
Geckoboard

No, I'll update this topic when I have more info. Thanks.

January 07, 2013 10:29
Matthew Eshleman

I would also like to request this feature - secure https polling connections.   

April 08, 2013 20:50
Simon L

We are also waiting for this.. it looks like a long wait..

July 26, 2013 05:14
trent kocurek 

I would love to see this as well. Our application data API calls are behind a token based authentication solution. I would love the ability to set Header values manually. Any word on this?

September 13, 2013 15:49