Not a developer? Go to MovableType.com

Documentation

Atom Authentication

Six Apart Atom implementations all support WSSE based authentication. WSSE is a form of authentication that involves taking a password and encrypting in such a way that it is safe to use over a unencrypted connection.

Atom authentication uses WSSE, and is represented as an “X-WSSE” HTTP header. A WSSE HTTP header contains the following attributes.

  • Username - The username that the user enters (the TypePad username).
  • Nonce - A secure token generated anew for each HTTP request.
  • Created - The ISO-8601 timestamp marking when Nonce was created.
  • PasswordDigest - A SHA-1 digest of the Nonce, Created timestamp, and the password that the user supplies, base64-encoded.

Example X-WSSE HTTP Header

X-WSSE: UsernameToken Username="Melody", PasswordDigest="VfJavTaTy3BhKkeY/WVu9L6cdVA=", Created="2004-01-20T01:09:39Z", Nonce="7c19aeed85b93d35ba42e357f10ca19bf314d622"

Computing the Value for PasswordDigest

To compute the password digest for the WSSE Authentication header use the following algorithm:

base64(sha1(Nonce . Created . Password))

In otherwords, concatenate a randomly generated nonce (which will also be placed in the Nonce attribute), the current timestamp (which will placed in the Created attribute), and the password corresponding to the identity specified in the Username attribute. Then compute a Base64 encoding of the SHA1 hash of that string.

Security Consideration

Using a WSSE Header over an unencrypted connection is not 100% secure and is not recommended. While the password is completely obscured from any prying eyes and cannot be reverse engineered, it is possible that the PasswordDigest could be used in a replay attack. In other words, if a Password Digest is compromised, that digest can be used to gain access to the account it is tied to for as long as the Password Digest is valid, which is typically a very short period.

It is always recommended to connect to Atom services via HTTPS or SSL.

Note to Movable Type Users

In order to authenticate properly to a Movable Type weblog an author must be assigned an “API Password.” This password is used in lieu of the password they use to login to the web application. To set this password, go to the System Dashboard and click the “Authors” link. Then select the user you would like to edit by clicking on their username. Finally, edit the “API Password” property and click “Save Changes.”

Sample Perl Code

Computing a PasswordDigest manually in Perl:

use Digest::SHA1 qw(sha1 sha1<em>hex sha1</em>base64);
use MIME::Base64 qw(encode<em>base64);
my $password = &#8220;mypassword&#8221;;
my $nonce = &#8220;d36e316282959a9ed4c89851497a717f&#8221;;
my $timestamp = &#8220;2003-12-15T14:43:07Z&#8221;;
my $text = $nonce . $timestamp . $password;
my $pwdigest = encode</em>base64(sha1_hex($text));

Atom Authentication using XML::Atom is much simpler. All you have to do is specify your username and password and XML::Atom does the rest:

use XML::Atom::Client;
use XML::Atom::Entry;
my $api = XML::Atom::Client->new;
$api->username(&#8216;Melody&#8217;);
$api->password(&#8216;Nelson&#8217;);

Sample PHP Code

The following shows how to generate a PasswordDigest manually using PHP:

$password = &#8220;mypassword&#8221;;
$nonce = &#8220;d36e316282959a9ed4c89851497a717f&#8221;;
$created = &#8220;2003-12-15T14:43:07Z&#8221;;
$pwdigest = base64_encode(pack(&#8220;H*&#8221;, sha1($nonce . $created .  $password)));

See Also:

Back

Leave a Comment