Re: [Mailman-Developers] Regarding Authentication of REST API
On 04/17/2013 02:43 AM, Florian Fuchs wrote:
> Hi Manish, hi everyone,
>
> 2013/4/10 Manish Gill <mgill25@outlook.com>:
>> For the GSoC REST API project, I've been wondering about how authentication would work.
>> OAuth is a way to go if we want authenticated/signed requests. I have a few questions regarding that.
>>
>> - Will Mailman core become an OAuth provider, with Postorius/API being the consumers?
>
> Probably not the core itself, but possibly another yet-to-be-written application that Postorius, Hyperkitty and other clients could use. We had a long discussion on this list whether to build a central application to store user data that can be accessed by the different Mailman-related applications. While we haven't decided yet whether or how to proceed, this would possibly be the right context for that.

That makes sense.

>> - If the answer to the above is no, is the plan to support popular OAuth providers like Facebook/Twitter?
>
> Like we discussed on IRC earlier, it would be nice if a site running Mailman could act as an oAuth provider. Especially since the thought of a FLOSS mailing list manager requiring an account with a commercial oAuth service provider to use its API might seem a little odd. But implementing both the provider as well as the client is probably way beyond the scope of this GSoC project. Especially since authentication is only one aspect of it.

Indeed! This could be made easy if we don't have to take care of the provider implementation ourselves, like we discussed. If a third party library exists that could be used to provide this functionality, it would make things much easier. :)

(If not, can you guys please explain how the authentication protocol would really work?)

>> - Since Postorius is already using Mozilla Persona, can that also be used to provide authentication to API clients?
>
> Probably not Persona, which is meant to be used in the context of a browser.
>
> But are we sure oAuth is our only option in an API context? Are there other opinions?

Hmm. I don't know much about it. I looked at Tastypie, and it provides HTTP Basic Auth [1]. Much simpler, but probably much less secure as well.

[1] http://django-tastypie.readthedocs.org/en/latest/authentication.html

> BTW, the oauthlib documentation has a nice overview over the different oAuth workflows [1].
>
> Florian
>
> [1] https://oauthlib.readthedocs.org/en/latest/oauth_1_versus_oauth_2.html

Cool! :)

--
Manish Gill
Naeblis on Freenode
@mgill25 on Twitter/Github
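The thread contrasts HTTP Basic Auth (what Tastypie offers) with the "authenticated/signed requests" OAuth gives you. The following is an added illustration of that difference; it is not code from Mailman, Postorius, Tastypie or oauthlib, and the credential store, client names, URL and nonce store in it are constructed for the demo. The signed-request half is a two-legged HMAC-SHA1 signature in the style of OAuth 1.0a (client credentials only, no user token, so it shows none of the provider/authorization flows discussed above). The point it makes in code: with Basic Auth the password crosses the wire on every request, so it is only as safe as the TLS it runs over; with a signed request the shared secret never leaves the client, and the server can additionally detect tampered parameters and replayed requests.

```python
"""Added example (not Mailman/Postorius/Tastypie/oauthlib code): Basic Auth
versus signed requests. All credentials, names and URLs are constructed."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Constructed server-side stores (hypothetical names and secrets).
BASIC_USERS = {"restadmin": "restpass"}             # Basic Auth: the password itself is the secret
OAUTH_CLIENTS = {"postorius": "s3cret-client-key"}  # signed requests: secret is never transmitted
SEEN_NONCES = set()                                  # (nonce, timestamp) pairs already accepted
MAX_SKEW = 300                                       # seconds of clock drift tolerated


def basic_header(user, password):
    """Client side: the Authorization header a Basic Auth client sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic(authorization_header):
    """Server side: verify a Basic Authorization header.

    The password arrives in cleartext (base64 is not encryption), so this is
    only safe over TLS. The comparison is constant-time so response timing
    does not leak how much of the password matched.
    """
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Basic":
        return False
    try:
        user, _, password = base64.b64decode(token).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    expected = BASIC_USERS.get(user)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


def _pct(value):
    # RFC 5849-style percent encoding: only unreserved characters stay literal.
    return quote(str(value), safe="~")


def _base_string(method, url, params):
    # Signature base string: METHOD & encoded URL & encoded sorted parameters.
    normalized = "&".join(f"{_pct(k)}={_pct(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), _pct(url), _pct(normalized)])


def _signature(secret, method, url, params):
    key = (_pct(secret) + "&").encode()  # no token secret in this two-legged demo
    digest = hmac.new(key, _base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, params, client_key, client_secret, nonce=None, ts=None):
    """Client side: build the oauth_* parameters for one request.

    Only the signature goes on the wire; the client secret stays local.
    """
    oauth = {
        "oauth_consumer_key": client_key,
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(ts if ts is not None else int(time.time())),
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = _signature(client_secret, method, url, {**params, **oauth})
    return oauth


def verify_signed(method, url, params, oauth, now=None):
    """Server side: recompute the signature, reject stale and replayed requests."""
    now = int(time.time()) if now is None else now
    secret = OAUTH_CLIENTS.get(oauth.get("oauth_consumer_key"))
    if secret is None or oauth.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    try:
        ts = int(oauth["oauth_timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW:
        return False  # too far from server time: captured requests expire quickly
    nonce = oauth.get("oauth_nonce")
    if not nonce or (nonce, ts) in SEEN_NONCES:
        return False  # same nonce already accepted: replay
    to_sign = {**params, **{k: v for k, v in oauth.items() if k != "oauth_signature"}}
    expected = _signature(secret, method, url, to_sign)
    if not hmac.compare_digest(expected.encode(), str(oauth.get("oauth_signature", "")).encode()):
        return False  # any change to method, URL or parameters breaks the signature
    SEEN_NONCES.add((nonce, ts))  # record only after a successful check
    return True
```

Note what the signed path does not solve by itself: it authenticates the client application, not an end user, which is exactly the gap the provider/consumer question in the thread is about, and the nonce set must be shared and expired across all API workers or the replay check is only per process.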