I need to authenticate securely to a third party site for an SSL REST API call. I have the API call part working but I want to save the third party credentials in my App Engine datastore, or maybe somewhere else? I have no idea how I'm supposed to do this.
The SSL call looks like:
import base64
import urllib2

# username/password are the third-party credentials; accounts_url and
# user_agent are set elsewhere in the app.
# b64encode (rather than encodestring[:-1]) adds no trailing newline and never
# inserts line breaks, so the header stays valid even for long credentials.
credentials = base64.b64encode('%s:%s' % (username, password))
request = urllib2.Request(accounts_url)
request.add_header("User-Agent", user_agent)
request.add_header("Authorization", "Basic %s" % credentials)
stream = urllib2.urlopen(request)
response = stream.read()
stream.close()
which means my app unfortunately needs to know the plaintext password. It doesn't make sense to me to AES encrypt it (not a hash--reversible) because the decryption key would need to be known by my app also so if my app is compromised no real security over storing plaintext was added.
I think the most secure strategy here is to punt to the client. Use GAE to serve as a proxy for what would otherwise be a cross domain request from the client. I'm assuming the third party host has some sort of token or session cookie that you could intercept on the way back.
Storing plain text passwords is scary.
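The proxy pattern the answer describes, as an added Python 3 example that is not part of either post: the client sends its own Basic credentials, the App Engine side forwards them once and hands back only the session cookie the third party sets, so no password is ever stored. The `upstream_fetch` callable, the cookie name `session` and the `fake_upstream` stand-in are constructed for this example.

```python
import base64
import binascii
from http.cookies import SimpleCookie


def make_basic_header(username, password):
    """Build the 'Authorization: Basic ...' value the client would send."""
    raw = ("%s:%s" % (username, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(value):
    """Return the header unchanged if it is well-formed Basic auth, else None.
    The proxy only checks shape; it never keeps the decoded password."""
    scheme, _, token = value.partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    return value if b":" in decoded else None


def extract_session_cookie(set_cookie_header, name):
    """Pull one named cookie value out of an upstream Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    return jar[name].value if name in jar else None


def proxy_login(client_auth_header, accounts_url, user_agent, upstream_fetch,
                cookie_name="session"):
    """Forward the client's credentials once; return only the session token.
    upstream_fetch(url, headers) -> (status, headers, body) is injected so the
    handler can be exercised without network access."""
    auth = parse_basic_header(client_auth_header)
    if auth is None:
        return {"status": 401, "body": "missing or malformed Basic credentials"}
    status, resp_headers, _body = upstream_fetch(
        accounts_url, {"User-Agent": user_agent, "Authorization": auth})
    token = extract_session_cookie(resp_headers.get("Set-Cookie", ""), cookie_name)
    if status != 200 or token is None:
        return {"status": 502, "body": "upstream did not issue a session"}
    return {"status": 200, "session_token": token}


def fake_upstream(url, headers):
    """Constructed stand-in for the third-party site (not a real service):
    accepts exactly one credential pair and answers with a session cookie."""
    if headers.get("Authorization") != make_basic_header("alice", "s3cret"):
        return 401, {}, b"bad credentials"
    return 200, {"Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly"}, b"ok"
```

The client then talks to the proxy with the returned token; the third-party password exists only in the client's request and in memory for the duration of one forwarded call.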