Hey all,

I've written up another update on Ushahidi 3.0, focusing on current progress building the API : http://gh.robbiemackay.com/2013/04/11/api-wrangling/

I'm reposting my thoughts on API authentication here as I'd love more input on this:

This is probably the next major decision. How do we handle API authentication? Do we use OAuth? 1.0 or 2.0? Where do we handle actual user login/registration? The entire app is going to be built on the API.

At the moment I’m leaning towards OAuth 2.0, primarily because it’s what Swiftriver uses, and consistency between products is important. However, OAuth 2.0 has some issues:

    • the editor for the spec withdrew, saying OAuth 2 had failed
    • there are a few ways to mess up an implementation security-wise
    • one implementation isn’t guaranteed to be interoperable with another

That said, the many almost-OAuth APIs out there probably have more, and similar, problems: rolling our own is not an option.

OAuth 2 is probably still going to get a lot of use, and there are good resources appearing on how to do it right, and a couple of good OAuth 2 clients.

One recommendation that stuck out was “If your API can require HTTPS, use OAuth 2.0 with bearer tokens. Otherwise, use OAuth 1.0a”. I need to dig into the details of this, but given deployers won’t always use SSL, this is worth considering.

What do you think? Preferences for one authentication method or another?

--
Robbie Mackay

Software Developer, External Projects
Ushahidi Inc
e: robbie@...
skype: robbie.mackay
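The "bearer tokens only over HTTPS, otherwise OAuth 1.0a" rule in the post comes down to what each scheme asks the client to prove. The following Python is an added illustration of that difference; it is not Ushahidi or Swiftriver code and not from the post. It implements the OAuth 1.0a HMAC-SHA1 signing and verification steps from RFC 5849 (base string, signing key, nonce and timestamp checks) next to a minimal OAuth 2.0 bearer check. The client key, token, secrets, user id and `example.invalid` URL are constructed for the demo, and Python is used here only because it shows the protocol steps compactly.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Constructed sample credentials for the demo; not real Ushahidi keys.
CLIENT_KEY, CLIENT_SECRET = "demo-client", "demo-client-secret"
TOKEN, TOKEN_SECRET = "demo-token", "demo-token-secret"


def _pct(value):
    # RFC 5849 section 3.6 percent-encoding: only unreserved characters stay literal.
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    # RFC 5849 section 3.4.1: METHOD & encoded URL & encoded normalized parameters.
    pairs = sorted((_pct(k), _pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _pct(url), _pct(normalized)])


def hmac_sha1_signature(base_string, client_secret, token_secret):
    # RFC 5849 section 3.4.2: key is "client secret & token secret", output is base64.
    key = f"{_pct(client_secret)}&{_pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, params, nonce=None, timestamp=None):
    """Client side: attach OAuth 1.0a protocol parameters plus a signature over the request."""
    oauth = {
        "oauth_consumer_key": CLIENT_KEY,
        "oauth_token": TOKEN,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, {**params, **oauth})
    oauth["oauth_signature"] = hmac_sha1_signature(base, CLIENT_SECRET, TOKEN_SECRET)
    return oauth


class OAuth1Verifier:
    """Server side: recompute the signature and reject stale timestamps or reused nonces."""

    def __init__(self, window_seconds=300):
        self.window = window_seconds
        self.seen_nonces = set()

    def verify(self, method, url, params, oauth, now=None):
        now = now if now is not None else int(time.time())
        if oauth.get("oauth_consumer_key") != CLIENT_KEY or oauth.get("oauth_token") != TOKEN:
            return False
        try:
            ts = int(oauth.get("oauth_timestamp", ""))
        except ValueError:
            return False
        if abs(now - ts) > self.window:
            return False
        nonce_key = (oauth.get("oauth_nonce"), ts)
        if nonce_key in self.seen_nonces:
            return False
        unsigned = {k: v for k, v in oauth.items() if k != "oauth_signature"}
        base = signature_base_string(method, url, {**params, **unsigned})
        computed = hmac_sha1_signature(base, CLIENT_SECRET, TOKEN_SECRET)
        presented = str(oauth.get("oauth_signature", "")).encode()
        if not hmac.compare_digest(computed.encode(), presented):
            return False
        self.seen_nonces.add(nonce_key)
        return True


class BearerVerifier:
    """OAuth 2.0 bearer check (RFC 6750): possession of the token string is the whole proof."""

    def __init__(self, tokens):
        self.tokens = tokens  # constructed mapping: token string -> user id

    def verify(self, authorization_header):
        scheme, _, token = authorization_header.partition(" ")
        if scheme != "Bearer" or not token.strip():
            return None
        return self.tokens.get(token.strip())


def demo():
    """Run both schemes over a constructed request and return the outcomes."""
    url = "https://example.invalid/api/v3/posts"   # constructed URL
    body = {"title": "Road blocked", "status": "draft"}
    ts = 1_365_000_000
    signed = sign_request("POST", url, body, nonce="n1", timestamp=ts)
    verifier = OAuth1Verifier()
    results = {
        "fresh": verifier.verify("POST", url, body, signed, now=ts),
        "replay": verifier.verify("POST", url, body, signed, now=ts),   # same nonce twice
        "tampered": OAuth1Verifier().verify("POST", url, {**body, "status": "published"}, signed, now=ts),
        "stale": OAuth1Verifier().verify("POST", url, body, signed, now=ts + 3600),
    }
    bearer = BearerVerifier({"abc123-constructed": "user-42"})
    results["bearer_first"] = bearer.verify("Bearer abc123-constructed")
    results["bearer_replay"] = bearer.verify("Bearer abc123-constructed")
    return results


if __name__ == "__main__":
    print(demo())
```

The signed request binds method, URL, parameters, nonce and timestamp into the HMAC, so a copied signature does not authorize a changed request or a second submission, which is why OAuth 1.0a was the fallback for deployments without SSL. The bearer token carries no such binding: the verifier accepts it every time it is presented, so transport confidentiality (HTTPS) is the only thing protecting it, which is the reason behind the "can require HTTPS" condition in the recommendation.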