Oauth -- shall we start using this?

Patrick Uiterwijk puiterwijk at gmail.com
Mon Mar 11 18:29:03 UTC 2013


On 03/11/2013 07:05 PM, Pierre-Yves Chibon wrote:
> Disadvantages:
> * One more application to develop, deploy and maintain, an application
> that is rather sensitive if we want it to work with all the OAuth clients.
> * One more highly critical application: this will store the API token
> for everyone and thus if broken the attacker can do a whole bunch of
> stuff on a whole bunch of webapps.
> * Implementations are rather specific and one implementation might not
> work with another one.
This is correct, but as long as we specify the variables in the protocol
(like the URLs and the way to get tokens), and we and all developers using
it stick to this for all Fedora apps, this shouldn't be a problem.
> * It means we have to all agree on this and actually implement it :)
> (which might be the hardest part considering we've not even agreed on a
> framework :-))
Well, I was planning on building a high-level (python) library to make
implementing it for app writers as easy as possible.
>
> Actually, how are the CLIs supposed to work if we don't integrate OAuth
> with GOA?
> The CLI spits out a URL that the user should visit?
> But then the OAuth server will have to give the user the API login and
> token, which the user will have to put somewhere on the system himself,
> which already loses one of the interests of OAuth, which is that the user
> (normally) doesn't see this information.
CLI could use the "Resource owner password credentials" as well, so it
can do this by itself.
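As an added example (not code from this thread, nor from Fedora Infrastructure or any OAuth library): a Python model of the grant Patrick refers to, the OAuth 2.0 "resource owner password credentials" grant of RFC 6749 section 4.3, with the token endpoint, a resource server and the CLI all running in one process so it works offline. The user database, the client id `fedora-cli`, the token lifetime and the token file location are constructed for the example. It also makes Pierre-Yves' concern visible: with this grant the CLI handles the user's password itself and then holds a bearer token on disk, so the example writes that file with mode 0600 and the resource server rejects expired or unknown tokens. (The grant was later discouraged by the OAuth 2.0 Security Best Current Practice for exactly that reason; the device authorization grant of RFC 8628 is the usual CLI alternative today.)

```python
"""Constructed model of the OAuth 2.0 resource owner password credentials
grant (RFC 6749 s4.3): token endpoint, resource server and CLI in-process.
All users, secrets, client ids and paths below are hypothetical."""
import hashlib
import hmac
import os
import secrets
import tempfile
import time
from urllib.parse import parse_qs, urlencode

# --- token endpoint side (hypothetical Fedora-wide OAuth server) ---

_SALT = b"constructed-salt"            # one global salt keeps the example short


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {"alice": _pbkdf2("correct horse", _SALT)}   # constructed user database
CLIENTS = {"fedora-cli"}                             # registered public clients
TOKENS = {}                                          # access_token -> {sub, exp}
TOKEN_TTL = 3600                                     # seconds


def token_endpoint(body: str):
    """Handle a POST to the token endpoint. `body` is the form-encoded request
    body; returns (HTTP status, response dict) shaped as RFC 6749 s5 describes."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    if form.get("client_id") not in CLIENTS:
        return 401, {"error": "invalid_client"}
    username = form.get("username", "")
    stored = USERS.get(username)
    # Always derive the candidate hash and compare in constant time, so an
    # unknown username costs the same as a wrong password (no timing oracle).
    candidate = _pbkdf2(form.get("password", ""), _SALT)
    if stored is None or not hmac.compare_digest(candidate, stored):
        return 400, {"error": "invalid_grant"}
    token = secrets.token_urlsafe(32)                # unguessable bearer token
    TOKENS[token] = {"sub": username, "exp": time.time() + TOKEN_TTL}
    return 200, {"access_token": token, "token_type": "Bearer",
                 "expires_in": TOKEN_TTL}


def resource_server(authorization_header: str):
    """Resource-server side: validate a bearer token, return its subject or None."""
    scheme, _, token = authorization_header.partition(" ")
    entry = TOKENS.get(token)
    if scheme != "Bearer" or entry is None or entry["exp"] < time.time():
        return None
    return entry["sub"]


# --- CLI side ---

def cli_login(username: str, password: str, token_path: str) -> str:
    """What the CLI does "by itself": exchange the user's credentials for a
    token and store it, readable only by the user, for later API calls."""
    status, resp = token_endpoint(urlencode({
        "grant_type": "password", "client_id": "fedora-cli",
        "username": username, "password": password}))
    if status != 200:
        raise PermissionError(resp["error"])
    # O_CREAT with mode 0o600: the bearer token is as powerful as a password.
    fd = os.open(token_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(resp["access_token"])
    return resp["access_token"]


def cli_call(token_path: str):
    """Later CLI invocation: read the stored token and present it as Bearer."""
    with open(token_path) as f:
        token = f.read().strip()
    return resource_server(f"Bearer {token}")


def demo():
    """Round trip: log in, store the token, call the API with it. Returns
    (subject seen by the resource server, permission bits of the token file)."""
    path = os.path.join(tempfile.mkdtemp(), "fedora-cli-token")
    cli_login("alice", "correct horse", path)
    return cli_call(path), os.stat(path).st_mode & 0o777


if __name__ == "__main__":
    print(demo())
```

The two pieces worth keeping from this toy are on the server side: the constant-time password check that also hashes for unknown users, and the fact that the client never receives anything but an opaque, expiring token. Everything else (a single global salt, an in-memory token table) is simplified for the example and is not how a production authorization server would store credentials or tokens.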
