Web applications, thick clients, and authentication

There have been some questions about authentication in web apps and support for thick clients in HealthVault. On this subject, it’s useful to first understand how web applications work so that they can be contrasted to client applications.

                                                                                                                                                                                                                                                        

Web applications

 

When a user goes to the application’s web page, the platform doesn’t know anything about the application or the user.

 

The user logs in using Windows Live ID, and if that user account is authorized to use that application, a credentials token is generated to allow that user account to use that application for a limited period of time.

 

Similarly, the application can authenticate itself to the platform (using a combination of a unique application id and cryptographic verification), and the application will be allowed to talk to the platform for a limited period of time.

 

Once both are authenticated, then the platform will know the application and user account.

There are a lot of details around exactly how this happens that are beyond this scope of this discussion, but that’s the basic scheme.

 

Client applications

 

Client applications present some problems. The trustworthiness of the web application is based upon the privacy of the certificate – as long as the application cert is kept private, the platform knows that the application is who it says it is.

 

A client application is being run on a consumer PC rather than on a server that is typically in a more physically secure environment, which means that both the application id and the application certificate are easily obtained. The result is that a user granting access to a client app would be granting access not just to that app, but to any other app that could convince them to log into HealthVault.

 

To put at another way, with client applications, we can verify what user account is being used, but we can’t verify which application they’re using. Given the importance of maintaining the privacy of health data, that makes us concerned.

 

In the short term, we are considering allowing partners to build client applications that only have write privs – applications could use them to add data to HealthVault, but wouldn’t be able to read any data (an interesting case where write access is less privileged than read access). This would allow developers to write applications such as data importers.

 

In the longer term, it may be possible to construct an application verification that is sufficiently trustworthy to grant access similar to what web applications get.