Skip to main content


Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Eclipse Projects » Eclipse SmartHome » Advice on how to handle application key
Advice on how to handle application key [message #1800161] Thu, 20 December 2018 16:47 Go to next message
Mark Hilbush is currently offline Mark HilbushFriend
Messages: 4
Registered: November 2018
Junior Member
I'm working on a binding for receiving personal weather station (PWS) data from ambientweather.net, an online service provided by Ambient Weather for hosting PWS data, as well as allowing access to that data through an API.

Use of the Ambient Weather API requires two keys. It requires:
- an Application key, provided to the developer of the application (i.e. me) by Ambient Weather, and
- an API key, provided to the end user by Ambient Weather.

I've looked around for other bindings that have a similar multiple-key model, but I've not found any.

I currently have the Application and API keys defined as configuration parameters on the bridge Thing. The Application key config parameter is defaulted to the key provided to me by Ambient Weather.

I'm interested in getting some advice on whether I should handle the Application key differently. Here are sone things I've considered:
- The Application and API keys are system-generated, relatively long, and not easily guessed.
- However, being open source, the Application key in the repo is visible to anyone.
- Other than the temporary inconvenience to users of my binding, there's no real downside to the Application key being disabled due to abuse.
- The likelihood of abuse is relatively low, given the Application key is not a high-value target. It's also not of any use without an API key.

I've considered a simple obfuscation of the key in the source code, populating the Application key config parameter only at binding initialization time. Obviously, this would not deter someone who's intent on getting the key (which is likely no one). Any protection of the key beyond a simple obfuscation seems like overkill to me.

Are there any other approaches I'm missing?

Am I overthinking this?
Re: Advice on how to handle application key [message #1800170 is a reply to message #1800161] Thu, 20 December 2018 19:51 Go to previous messageGo to next message
John Cocula is currently offline John CoculaFriend
Messages: 21
Registered: June 2015
Junior Member
Open source code should not contain obfuscation, or embedded secrets that are assigned to private entities (IMHO). This existed with the openHAB Twitter action and ended up being a problem that led to downtime outside the control of the user, when for various reasons the API key became invalid. You could argue that the key should never have been embedded in the code, even as a default fallback, since the validity of the key is outside the control of the end user.

I had an analogous issue with an Ecobee integration for the Vera smart home controller, where there was no strict open source license model, and the possibility existed to ship a built, encrypted component that contained my secret API key. Since this allowed much simpler deployment of the integration without risk of revealing the secret developer API key, I opted for that route with no issues. By contrast, there was no reasonable or practical approach for my Ecobee binding for openHAB, so the configuration required the user of the binding to become a "developer" for the purpose of obtaining his or her own private API key. In the end, it was just a few more steps and it never presented a problem that I was aware of.

If your API provider has a more burdensome process to become a "developer," explain to them that their assumption about your being able to obscure your own private API key is impractical in the open source model, and try to encourage them to allow any openHAB user to easily enough become a developer for the purpose of obtaining the necessary keys.
Re: Advice on how to handle application key [message #1800171 is a reply to message #1800170] Thu, 20 December 2018 20:32 Go to previous messageGo to next message
Kai Kreuzer is currently offline Kai KreuzerFriend
Messages: 673
Registered: December 2011
Senior Member
I fully agree with John - application keys do not belong in the repo and as a result, every user has to request their own one from the service (thus claiming to be a developer). If this is a hassle, the only way out is trying to convince the service operators that their model is blocking open source integrations, which should be reconsidered.
Re: Advice on how to handle application key [message #1800172 is a reply to message #1800171] Thu, 20 December 2018 20:39 Go to previous message
Mark Hilbush is currently offline Mark HilbushFriend
Messages: 4
Registered: November 2018
Junior Member
Thanks, guys. I'll see what the service provider has to say about assigning an app key to each user.
Previous Topic:Testing HTTP authentication & authorization
Next Topic:SOLVED: Created binding but no Supported Things exist in Paper UI
Goto Forum:
  


Current Time: Sun Feb 23 14:48:37 GMT 2020

Powered by FUDForum. Page generated in 0.02090 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top