Oauth2 just seems so hard to beat -- not many options out there that are as battle tested. Even reading on of the comments - "... The problem I see with OAuth 2 is not that it exists, but that there doesn’t seem to be anything better."Also, does anyone have any thoughts on three legged vs two legged Oauth?On Thu, Apr 11, 2013 at 4:14 PM, Robbie MacKay <robbie@...> wrote:Hey all,I've written up another update on Ushahidi 3.0, focusing on current progress building the API : http://gh.robbiemackay.com/2013/04/11/api-wrangling/I'm reposting my thoughts on API authentication here as I'd love more input on this:This is probably the next major decision. How do we handle API authentication? do we use OAuth? 1.0 or 2.0? Where do we handle actual user login/registration?… the entire app is going to be built on the API.
At the moment I’m leaning towards OAuth 2.0, primarily because its what Swiftriver uses, and consistency between products is important. However OAuth 2.0 has some issues:
That said the many almost-oauth APIs out there probably have more, and similar problems: rolling our own is not an option.
OAuth 2 is probably still going to get a lot of use, and there are good resources appearing on how to do it right, and a couple of good oauth2 clients.
One recommendation that stuck out was “If your API can require HTTPS, use OAuth 2.0 with bearer tokens. Otherwise, use OAuth 1.0a”. I need to dig into the details of this, but given deployers won’t always use SSL this is worth considering.
What do you think? preferences for one authentication method or another?--Robbie Mackay