On 03/11/2013 07:05 PM, Pierre-Yves Chibon wrote:
> Disadvantages:
> * One more application to develop, deploy and maintain, an application
> that is rather sensitive if we want it to work with all the OAuth clients.
> * One more highly critical application: this is what will store the API
> tokens for everyone, and thus if it is broken the attacker can do a whole
> bunch of stuff on a whole bunch of webapps.
> * Implementations are rather specific, and one implementation might not
> work with another one.
This is correct, but as long as we specify the variables in the protocol
(like the URLs and the way to get tokens), and we and all developers using
it stick to this for all Fedora apps, this shouldn't be a problem.
> * It means we have to all agree on this and actually implement it :)
> (which might be the hardest part considering we've not even agreed on a
> framework :-))
Well, I was planning on building a high-level (Python) library to make
implementing it for app writers as easy as possible.
> Actually, how is the CLI supposed to work if we don't integrate OAuth
> with GOA?
> The CLI spits out a URL that the user should visit?
> But then the OAuth server will have to give the user the API login and
> token, which the user will have to put somewhere on the system himself,
> which already loses one of the points of OAuth, which is that the user
> (normally) doesn't see this information.
The CLI could use the "Resource owner password credentials" grant as well,
so it can do this by itself.
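To make the "resource owner password credentials" idea concrete, here is an added example (not code from this thread or from any Fedora project) that simulates both sides of that grant in one process: a token endpoint that checks the user's password and issues a bearer token, and a CLI-side login that stores the returned token in a file only the user can read. The user store, token store, one-hour lifetime and helper names (`register_user`, `token_endpoint`, `cli_login`, `authorize_api_call`) are all assumptions made for the demo; a real deployment would back them with a proper database and send the request over HTTPS.

```python
import hashlib
import hmac
import json
import os
import secrets
import stat
import tempfile
import time

# Constructed in-memory stores (assumption for the demo, not a real backend).
_USERS = {}   # username -> (salt, pbkdf2 hash)
_TOKENS = {}  # access_token -> {"sub": username, "exp": unix time}
TOKEN_LIFETIME = 3600


def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register_user(username, password):
    """Server side: store a salted password hash, never the password itself."""
    salt = os.urandom(16)
    _USERS[username] = (salt, _hash_pw(password, salt))


def token_endpoint(form):
    """Server side: OAuth 2.0 token endpoint for grant_type=password (RFC 6749 section 4.3).

    Takes the POSTed form fields as a dict and returns (http_status, json_body).
    """
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    record = _USERS.get(form.get("username", ""))
    if record is None:
        return 400, {"error": "invalid_grant"}
    salt, stored = record
    # Constant-time comparison so a wrong password does not leak timing.
    if not hmac.compare_digest(stored, _hash_pw(form.get("password", ""), salt)):
        return 400, {"error": "invalid_grant"}
    token = secrets.token_urlsafe(32)
    _TOKENS[token] = {"sub": form["username"], "exp": time.time() + TOKEN_LIFETIME}
    return 200, {"access_token": token, "token_type": "bearer",
                 "expires_in": TOKEN_LIFETIME}


def cli_login(username, password, token_path):
    """Client side: exchange the user's credentials for a token and cache it.

    The CLI never has to show the token to the user; it writes it to
    token_path with mode 0600 so other local accounts cannot read it.
    Returns the access token, or None if the server refused the grant.
    """
    status, body = token_endpoint({"grant_type": "password",
                                   "username": username, "password": password})
    if status != 200:
        return None
    fd = os.open(token_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(body, fh)
    return body["access_token"]


def authorize_api_call(token):
    """Server side: resolve a bearer token to its user, or None if unknown/expired."""
    record = _TOKENS.get(token)
    if record is None or record["exp"] < time.time():
        return None
    return record["sub"]


def default_token_path():
    """Constructed scratch location for the cached token (demo only)."""
    return os.path.join(tempfile.mkdtemp(), "token.json")


def token_file_mode(path):
    """Permission bits of the cached token file, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    register_user("alice", "correct horse battery staple")
    path = default_token_path()
    tok = cli_login("alice", "correct horse battery staple", path)
    print("token issued:", tok is not None)
    print("API call as:", authorize_api_call(tok))
    print("token file mode: %o" % token_file_mode(path))
```

The point the example makes for the CLI discussion is that the user types a password into the CLI once, the CLI does the token exchange itself, and the token never has to pass through the user's hands; the cost is that the CLI sees the password, which is why this grant is only suitable for clients the user already trusts (such as a locally installed tool), not for third-party web apps.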