HTTPS is a requirement if there are any security concerns whatsoever. But this is already the case with Ushahidi 2.x.
You will always be able to run the software without HTTPS, you're just not advised to do so.

The main reason https comes up in a conversation about OAuth is that OAuth v1 used a MAC encryption scheme on the authentication tokens so you didn't always need HTTPS. OAuth 2 doesn't always do this, so https is required to keep tokens secure.


On Fri, Apr 19, 2013 at 10:47 AM, LBell <lbell270@...> wrote:
All this Oauth is completely foreign to me - but wanted to chime in on https: Will https be an option and not a requirement?

We are looking at multiple deployments where cost is more a concern than security -- and https will require ponying up 30% more on hosting costs... (this may change in the future)

Thanks



On Thursday, April 18, 2013, Robbie MacKay wrote:
So I've started on a rough Oauth prototype.. https://github.com/ushahidi/Lamu/tree/oauth
I'm using this library to do the bulk of the work: https://github.com/bshaffer/oauth2-server-php but will need to check it actually follows the spec.

Aaron: I'm hoping to use implicit grant or user credentials ("Resource Owner Password Credentials") flows for the core app.. which should mean that while there's some Oauth2 stuff happening in the background, the user doesn't see much of it.
Any objections to the tech behind it? Or just getting the usability right?



On Fri, Apr 12, 2013 at 1:23 PM, Robbie MacKay <robbie@...> wrote:
actually correcting myself.. I meant "Resource Owner Password Credentials" flow http://tools.ietf.org/html/rfc6749#section-1.3.3



On Fri, Apr 12, 2013 at 1:16 PM, Robbie MacKay <robbie@...> wrote:
I think the guts of this is that there isn't really a good alternative to Oauth 2, and it probably does the job, so we might have to live with it.

2 vs 3 legged is basically a matter of what you're using it for: 2 legged only authenticates an app, 3 legged authenticates the user and app..
I didn't think 3 legged oauth really demanded a full redirect every time, unless the tokens are expiring far too often. Seems like Feedly might be doing it wrong. They seemed to pull all the data fresh each time, rather than just using OAuth to authenticate a user and grab new data.

Looking at different methods and trying to work out what we'd use for what. It's a little different from a lot of use cases since we're using the API for our own app, not just 3rd party ones.
Oauth 2 has an option called 'resource owner' where you basically send user/pass to the API and get back a bearer token you use from then. This could work for the official js app, since it avoids any weird redirect and the token is basically just session id in another form. The official mobile apps might also use this method.
Other methods might make more sense for other 'external' apps consuming data from an ushahidi install.

Watched through this video today https://blog.apigee.com/detail/oauth_20_don_t_throw_the_baby_out_with_the_bathwater_video_slides .. quite long but I'm starting to have a handle on how OAuth 2 works now. 



On Fri, Apr 12, 2013 at 12:20 PM, Aaron Huslage <huslage@...> wrote:
I'm not a huge fan of three-legged Oauth2. It tends to be unruly to users and makes them think that something is wrong when it is not. 

For instance, Feedly uses this and it drives me batty to have to think that I'm starting over every time I go to the site...even though I'm not. I know where to go to revoke auth within Google's infrastructure; I don't need to be beaten over the head every time I login.


On Thu, Apr 11, 2013 at 8:10 PM, David Kobia <david@...> wrote:
Oauth2 just seems so hard to beat -- not many options out there that are as battle tested. Even reading one of the comments - "... The problem I see with OAuth 2 is not that it exists, but that there doesn't seem to be anything better."

Also, does anyone have any thoughts on three legged vs two legged Oauth?


On Thu, Apr 11, 2013 at 4:14 PM, Robbie MacKay <robbie@...> wrote:
Hey all,

I've written up another update on Ushahidi 3.0,



--
Robbie Mackay

Software Developer, External Projects
Ushahidi Inc
m: +64 27 576 2243
e: robbie@...
skype: robbie.mackay
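As an added example that is not part of this thread, of Ushahidi/Lamu, or of the oauth2-server-php library, the following Python models the two mechanisms discussed above: the "resource owner" (password) grant Robbie describes, in which the app posts the user's name and password once and gets back an opaque bearer token that then acts as the credential (RFC 6749 section 4.3, RFC 6750), and, for contrast with the OAuth v1 point in the top reply, OAuth 1.0a HMAC-SHA1 request signing (RFC 5849 section 3.4), in which the consumer and token secrets never leave the client and only a signature travels. The client id `ushahidi-web`, the user `alice`, the passwords, salt and endpoint names are all constructed for the demo; the in-memory dicts stand in for a database.

```python
"""Toy model of OAuth 2 password grant vs OAuth 1.0a request signing.
Added example; constructed data, not Ushahidi or oauth2-server-php code."""
import base64
import hashlib
import hmac
import secrets
import time
import urllib.parse

# Constructed demo data: one confidential client and one user (hypothetical).
CLIENTS = {"ushahidi-web": "client-secret-1"}
_SALT = b"demo-salt"  # a real store keeps one random salt per user
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}
TOKENS = {}            # access_token -> (username, expiry as epoch seconds)
TOKEN_LIFETIME = 3600  # seconds


def _password_ok(username, password):
    """Constant-time check of a PBKDF2 hash; unknown users fail the same way."""
    stored = USERS.get(username)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(stored, candidate)


# --- OAuth 2 "Resource Owner Password Credentials" grant (RFC 6749 section 4.3) ---
def token_endpoint(form, client_id, client_secret, now=None):
    """POST /oauth/token: the official app posts username/password once and
    receives a bearer token.  Returns (http_status, json_body)."""
    now = time.time() if now is None else now
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    expected = CLIENTS.get(client_id, "")
    if not expected or not hmac.compare_digest(expected.encode(), client_secret.encode()):
        return 401, {"error": "invalid_client"}
    if not _password_ok(form.get("username", ""), form.get("password", "")):
        return 400, {"error": "invalid_grant"}
    token = secrets.token_urlsafe(32)  # random, opaque, unguessable
    TOKENS[token] = (form["username"], now + TOKEN_LIFETIME)
    return 200, {"access_token": token, "token_type": "bearer",
                 "expires_in": TOKEN_LIFETIME}


def resource_endpoint(headers, now=None):
    """GET /api/posts guarded by 'Authorization: Bearer <token>' (RFC 6750).
    The token itself is the credential: whoever reads it off the wire can
    replay it until it expires, which is why this flow needs HTTPS."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    entry = TOKENS.get(token) if scheme.lower() == "bearer" else None
    if entry is None or entry[1] <= now:
        return 401, {"error": "invalid_token"}
    return 200, {"user": entry[0]}


# --- OAuth 1.0a request signing (RFC 5849 section 3.4), for contrast ---
def _enc(value):
    # RFC 5849 section 3.6 percent-encoding: only unreserved characters kept
    return urllib.parse.quote(str(value), safe="~")


def _base_string(method, url, params):
    normalized = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), _enc(url), _enc(normalized)])


def oauth1_sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over method, URL and parameters.  The secrets stay on the
    client; only the resulting signature is sent.  params must already carry
    oauth_nonce and oauth_timestamp."""
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    mac = hmac.new(key, _base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


SEEN_NONCES = set()  # server-side replay cache (a real one also bounds by timestamp)


def oauth1_verify(method, url, params, consumer_secret, token_secret):
    """Server side: recompute the signature, compare in constant time, and
    reject a reused nonce so a captured request cannot simply be resent."""
    sig = params.get("oauth_signature", "")
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = oauth1_sign(method, url, unsigned, consumer_secret, token_secret)
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False
    nonce = params.get("oauth_nonce")
    if not nonce or nonce in SEEN_NONCES:
        return False
    SEEN_NONCES.add(nonce)
    return True
```

The contrast is the point Robbie's top reply makes: in the OAuth 2 exchange a passive observer of plaintext HTTP learns the password once and the bearer token thereafter, and `resource_endpoint` has no way to tell a replay from the legitimate app, whereas in the OAuth 1.0a exchange the observer sees only a signature bound to one nonce and request, and `oauth1_verify` rejects it the second time.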