evaluate doctormo's browserless credentials module for use in U1

Elliot Murphy wrote:
> Public bug reported:
>
>>From email conversation with Martin on the Ayatana list:
>
> "I have a python module that
> does browserless credentials for launchpad by using the cookie key
> returned from a logon request and then also keys from the launchpad API,
> to avoid breaking workflow for the naultius launchpad plugin.
>
> http://doctormo.wordpress.com/2009/09/18/launchpad-naultius-sneak-
> preview/
>
> End result is the ability to pair the desktop app and use the lp API for
> most things and also manage ssh keys (required for bzr/lp integration)
> which is currently not supported by the lp API."
>
> This sounds way cool. This bugtask is about evaluating the browserless
> credentials work that Martin has done and discussing how it might apply
> to U1 and the Ubuntu desktop overall, along with any changes that might
> be needed in the U1/launchpad SSO system to make things work even more
> smoothly.

This is something I considered since I've done it before.
It can be fragile though since changes to the SSO login could break it.

On Thu, 2009-10-08 at 14:45 +0000, Elliot Murphy wrote:
> Public bug reported:
>
> >From email conversation with Martin on the Ayatana list:
>
> "I have a python module that
> does browserless credentials for launchpad by using the cookie key
> returned from a logon request and then also keys from the launchpad API,
> to avoid breaking workflow for the naultius launchpad plugin.

I thought there was a /design goal/ of the SSO service that users would
never enter credentials outside their browser - that we'd leverage the
browser as the 'trusted environment', to make it harder for folk to
perform phishing attacks...

-Rob

I've always thought that the browser _was_ the non trusted environment, precisely because it's prone to fishing attacks.

It's not like the desktop would store service passwords, just service authorisation keys.