How to handle confidential configuration information when deploying applications to App Engine?

Example. I have applications that need to access an API that requires an authentication token.

myApi = MyApi(token=my_private_sensible_token)

I want to avoid using this private token in the configuration file, which is part of the project.

One solution that comes to mind is to isolate interactions with this service in a separate proxy application, which is maintained by a limited number of authorized users. App Engine allows handlers to be protected with authentication, and in the proxy I could easily allow only calls coming from an authorized consumer application.

Every solution I can think of at some point makes this private token available in the memory of the consumer application; this may allow a malicious user (who maintains the consumer) to write a handler that prints this secret token, which the application has extracted in some way.

Do you have any better suggestions?

+4
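One way to realize the proxy idea from the question, as an added example that is not from the question, the answer or any App Engine library: the token is read from the process environment instead of a checked-in config file, the caller is checked against an allowlist, and the secret is redacted from anything that could be logged or returned. The environment variable name, the caller header and the allowlist are assumptions.

```python
import hmac
import os

# Assumed names (not from the question): where the secret lives and how the caller identifies itself.
TOKEN_ENV_VAR = "MYAPI_TOKEN"
CALLER_HEADER = "X-Consumer-App-Id"
ALLOWED_CALLERS = frozenset({"consumer-app-prod"})  # constructed allowlist


class MissingSecret(RuntimeError):
    """Raised when the token is absent: the proxy fails closed instead of running unauthenticated."""


def load_token(env=None):
    """Read the API token from the environment, never from the project's config file."""
    env = os.environ if env is None else env
    token = env.get(TOKEN_ENV_VAR, "").strip()
    if not token:
        raise MissingSecret(f"{TOKEN_ENV_VAR} is not set; refusing to serve")
    return token


def is_authorized_caller(headers, allowed=ALLOWED_CALLERS):
    """Accept a request only if the caller ID exactly matches an allowlisted application."""
    caller = headers.get(CALLER_HEADER, "").encode("utf-8")
    return any(hmac.compare_digest(caller, a.encode("utf-8")) for a in allowed)


def redact(message, token):
    """Strip the secret from any text that might be logged or sent back to the caller."""
    return message.replace(token, "[REDACTED]") if token else message


def handle_proxy_request(headers, upstream_call, env=None):
    """Proxy handler: authorize the caller, then call upstream with the token.

    The token is only ever passed to upstream_call; responses and errors are redacted
    so a handler in the consumer app cannot simply print what the proxy returns.
    """
    if not is_authorized_caller(headers):
        return 403, "forbidden"
    token = load_token(env)
    try:
        return 200, redact(upstream_call(token), token)
    except Exception as exc:  # never echo the secret back inside an error message
        return 502, redact(f"upstream failure: {exc}", token)
```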
1 answer

Another possible approach is to have 2 copies of the application (in fact 2 different applications that share the same code), each with its own app_ID, configuration files, etc.:

  • one for development / production , available thanks to a larger development Team
  • production - (, / SCM, , ?), , /

, , :

  • CI-,
+1
