MJ Ray wrote:
>
> What is the use case?  http://oauth.net/core/1.0a/ claimed "OAuth
> creates a freely-implementable and generic methodology for API
> authentication."  Shouldn't we expect generic authentication to
> include authenticating both peers?
>   
OAuth, as I understand it, is about confirming that (e.g.) Jonathan 
Rochkind has given authorization to Software A to access API services 
that read and write confidential information associated with Jonathan 
Rochkind's account on Server B. Server B can be sure that Jonathan 
Rochkind authorized Software A to do that. (Or someone that knew 
Jonathan Rochkind's secret password did, anyway.) And additionally it can 
let Jonathan Rochkind specify to Server B exactly _which_ services he'd 
like to authorize Software A to use, not just all or nothing. Which 
happens to be the problem case that ILS API stuff finds itself dealing 
with.

I am fairly certain there is _no_ protocol that will allow you to 
securely prove that a piece of software on the network is really a 
trusted _copy_ of software, when copies of that software are distributed 
to untrusted users.  It is not a solvable problem. I guess if OAuth 
documentation implies they solve it, you can fault them for implying it, 
but you can't fault them for not doing it. I am positive you will be 
able to find no protocol anywhere that does that.  If you need that, 
then OAuth will work as well as anything else you can find -- that is, 
it won't work, and neither will anything else.

Jonathan
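To make the distinction in the post concrete, here is an added example (not from the thread or any OAuth library) of a simplified OAuth 1.0a-style HMAC-SHA1 check as Server B would run it. The consumer key, token, user name and scope names are constructed placeholders; nonce and timestamp replay checks are omitted for brevity. Note that the signature proves the token holder and a holder of the consumer secret cooperated and that the user granted the requested scope; it identifies the registered client name only, which is exactly the limit Jonathan describes.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed registry for the scenario in the post (assumed names).
CONSUMERS = {"software-a": "consumer-secret-A"}          # registered client -> consumer secret
ACCESS_TOKENS = {                                        # token -> (token secret, user, granted scopes)
    "tok-jonathan": ("token-secret-1", "jrochkind", {"read_holds", "read_checkouts"}),
}


def base_string(method, url, params):
    """OAuth 1.0a signature base string: METHOD & URL & sorted, percent-encoded params."""
    norm = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))
    return "&".join(quote(part, safe="") for part in (method.upper(), url, norm))


def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed by consumer secret & token secret."""
    key = f"{quote(consumer_secret, safe='')}&{quote(token_secret, safe='')}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def authorize(method, url, params, signature, required_scope):
    """Server B's decision: (ok, reason). params excludes oauth_signature itself."""
    consumer_secret = CONSUMERS.get(params.get("oauth_consumer_key", ""))
    token = ACCESS_TOKENS.get(params.get("oauth_token", ""))
    if consumer_secret is None or token is None:
        return False, "unknown consumer key or token"
    token_secret, user, scopes = token
    expected = sign(method, url, params, consumer_secret, token_secret)
    if not hmac.compare_digest(expected, signature):
        return False, "signature does not verify"
    # Scope check is where the per-service authorization from the post lives.
    if required_scope not in scopes:
        return False, f"{user} did not grant {required_scope}"
    return True, f"{user} authorized {params['oauth_consumer_key']} for {required_scope}"


if __name__ == "__main__":
    url = "https://serverb.example/api/holds"
    req = {"oauth_consumer_key": "software-a", "oauth_token": "tok-jonathan",
           "oauth_signature_method": "HMAC-SHA1", "oauth_nonce": "n1",
           "oauth_timestamp": "1", "patron": "42"}
    sig = sign("GET", url, req, "consumer-secret-A", "token-secret-1")
    print(authorize("GET", url, req, sig, "read_holds"))
    print(authorize("GET", url, req, sig, "renew_items"))
```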