On Mon, Sep 20, 2010 at 9:20 PM, stuart yeates <[log in to unmask]> wrote:
> I don't know much about security. From the looks of the discussions here I'm
> not sure I want to.
>
Stuart, admittedly, I'm in much the same boat.
> What I do know is that I can put stuff behind httpd's authentication modules
> and outsource that complexity to people who appear to know what they're
> taking about.
>
This depends a lot on which end of the equation you happen to be sitting at.
If you are both the client and the server and happen to be the one
responsible for user credentials, you're set.
Where this runs aground is if any of those above statements are not
true. Consider something like using a hosted client application (such
as Summon):
should you really trust Serials Solution (and I'm not targeting them
specifically, substitute Serials Solutions with Talis -- my employer
--, EBSCO, Ex Libris or anybody) with your users' credentials?
Using mod_auth_* would require a user typing their username and
password into a form supplied by a 3rd party who you *hope* won't do
anything nefarious (or, more likely, incompetent) with them.
The way OAuth deals with this is not incredibly different than how
single sign ons currently work, the major difference is that SSOs (and
authentication in general) only broadcast identity, it has nothing to
do with permissions (except at a purely binary level).
When you start working at this more granular, permission-based level,
it starts to make more sense even for local, more trusted apps. Do
they really need access to everything? Would the ability to grant
more targeted permissions to specific applications provide more
integration opportunities that aren't available when you need absolute
trust between between both nodes?
> Is there a way I can use OAuth with httpd's authentication modules? Google
> shows some preliminary rumblings about a mod_auth_oauth, but nothing recent.
> Is there some fundamental reason OAuth is incompatible with the tried and
> true mod_auth_* approach?
>
To be clear, OAuth is technically authorization, not authentication
(it can provide authentication, but that can be handled however
locally -- it's not a requirement, basically). It is not necessarily
incompatible with mod_auth_*. You could use mod_auth_basic or
mod_auth_digest or mod_auth_ldap or something to authenticate and a
some kind of web form to let the user grant authorization of services.
-Ross.
|