Regarding Authentication of REST API
For the GSoC REST API project, I've been wondering about how authentication would work.
OAuth is a way to go if we want authenticated/signed requests. I have a few questions regarding that.
Will Mailman core become an OAuth provider, with Postorius/API being the consumers?
If the answer to the above is no, is the plan to support popular OAuth providers like Facebook/Twitter? (If not, can you guys please explain how the authentication protocol would really work?)
Since Postorius is already using Mozilla Persona, can that also be used to provide authentication to API clients?
Am I over-thinking this? :)
Thanks!
Hi Manish, hi everyone,
2013/4/10 Manish Gill <mgill25@outlook.com>:
> For the GSoC REST API project, I've been wondering about how authentication would work.
> OAuth is a way to go if we want authenticated/signed requests. I have a few questions regarding that.
> - Will Mailman core become an OAuth provider, with Postorius/API being the consumers?
Probably not the core itself, but possibly another yet-to-be-written application that Postorius, Hyperkitty and other clients could use. We had a long discussion on this list whether to build a central application to store user data that can be accessed by the different Mailman-related applications. While we haven't decided yet whether or how to proceed, this would possibly be the right context for that.
> - If the answer to the above is no, is the plan to support popular OAuth providers like Facebook/Twitter?
Like we discussed on IRC earlier, it would be nice if a site running Mailman could act as an oAuth provider. Especially since the thought of a FLOSS mailing list manager requiring an account with a commercial oAuth service provider to use its API might seem a little odd. But implementing both the provider as well as the client is probably way beyond the scope of this GSoC project. Especially since authentication is only one aspect of it.
> (If not, can you guys please explain how the authentication protocol would really work?)
> - Since Postorius is already using Mozilla Persona, can that also be used to provide authentication to API clients?
Probably not Persona, which is meant to be used in the context of a browser.
But are we sure oAuth is our only option in an API context? Are there other opinions?
> - Am I over-thinking this? :)
I don't think so. It's not exactly obvious.
BTW, the oauthlib documentation has a nice overview over the different oAuth workflows [1].
Florian
[1] https://oauthlib.readthedocs.org/en/latest/oauth_1_versus_oauth_2.html
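To make the "authenticated/signed requests" that the thread keeps referring to concrete, here is an added example (not code from the thread, from Mailman, Postorius or oauthlib) of the OAuth 1.0a HMAC-SHA1 signing and verification that the oauthlib overview linked above describes. It uses only the Python standard library. The client builds the signature base string and the Authorization header; the server recomputes the signature from the request it actually received and additionally enforces a timestamp window and nonce replay check, which is what makes the signature worth more than a shared password sent in the clear. The consumer key, token, secrets, nonce and timestamp are the illustrative values from RFC 5849 section 3.4.1.3, not credentials of any real deployment; `Verifier` and its `now` parameter are my own names.

```python
"""OAuth 1.0a "signed request" round trip (RFC 5849, HMAC-SHA1), standard library only.

Added example. Sample keys, secrets, nonce and timestamp are the illustrative values
from RFC 5849 section 3.4.1.3; they are not credentials of any real deployment.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def pct(s: str) -> str:
    """RFC 5849 section 3.6 encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay unescaped."""
    return quote(s, safe="")


def base_uri(url: str) -> str:
    """Scheme and host lowercased, default port dropped, query and fragment removed."""
    p = urlsplit(url)
    scheme, host, port = p.scheme.lower(), (p.hostname or "").lower(), p.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port is not None and not default:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{p.path or '/'}"


def signature_base_string(method: str, url: str, oauth_params: dict, body: str = "") -> str:
    """Collect query, form-body and oauth_* parameters; encode each, sort, encode the whole."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    params += [(k, v) for k, v in oauth_params.items() if k not in ("realm", "oauth_signature")]
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params))
    return "&".join([method.upper(), pct(base_uri(url)), pct(normalized)])


def hmac_sha1_signature(base_string: str, client_secret: str, token_secret: str = "") -> str:
    """Key is '<client secret>&<token secret>', both percent-encoded (section 3.4.2)."""
    key = f"{pct(client_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, body, client_key, client_secret, token, token_secret, nonce, timestamp) -> str:
    """Client side: return the value to send in the Authorization header."""
    oauth = {
        "oauth_consumer_key": client_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
    }
    base = signature_base_string(method, url, oauth, body)
    oauth["oauth_signature"] = hmac_sha1_signature(base, client_secret, token_secret)
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in oauth.items())


def parse_authorization(header: str) -> dict:
    """Parse 'OAuth k="v", k2="v2"' back into a dict of decoded values."""
    scheme, _, rest = header.partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth authorization header")
    out = {}
    for item in rest.split(","):
        k, _, v = item.strip().partition("=")
        out[k] = unquote(v.strip('"'))
    return out


class Verifier:
    """Server side (hypothetical name): recompute the signature and enforce freshness/replay checks."""

    def __init__(self, client_secrets: dict, token_secrets: dict, window: int = 300):
        self.client_secrets = client_secrets    # consumer key -> consumer secret
        self.token_secrets = token_secrets      # access token -> token secret
        self.window = window                    # accepted clock skew in seconds
        self.seen = set()                       # (consumer key, timestamp, nonce) already accepted

    def verify(self, method: str, url: str, body: str, header: str, now: int) -> bool:
        try:
            p = parse_authorization(header)
            client_secret = self.client_secrets[p["oauth_consumer_key"]]
            token_secret = self.token_secrets[p["oauth_token"]]
            timestamp = int(p["oauth_timestamp"])
            replay_key = (p["oauth_consumer_key"], timestamp, p["oauth_nonce"])
            presented = p["oauth_signature"]
        except (KeyError, ValueError):
            return False
        if p.get("oauth_signature_method") != "HMAC-SHA1":
            return False
        if abs(now - timestamp) > self.window or replay_key in self.seen:
            return False
        expected = hmac_sha1_signature(signature_base_string(method, url, p, body), client_secret, token_secret)
        if not hmac.compare_digest(expected.encode(), presented.encode()):
            return False
        self.seen.add(replay_key)
        return True


# Illustrative values from RFC 5849 section 3.4.1.3 (constructed example, not real credentials).
RFC_METHOD, RFC_URL = "POST", "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"
RFC_CLIENT = ("9djdj82h48djs9d2", "j49sk3j29djd")
RFC_TOKEN = ("kkk9d7dh3k39sjv7", "dh893hdasih9")
RFC_NONCE, RFC_TIMESTAMP = "7d8f3e4a", 137131201

if __name__ == "__main__":
    header = sign_request(RFC_METHOD, RFC_URL, RFC_BODY, *RFC_CLIENT, *RFC_TOKEN, RFC_NONCE, RFC_TIMESTAMP)
    server = Verifier({RFC_CLIENT[0]: RFC_CLIENT[1]}, {RFC_TOKEN[0]: RFC_TOKEN[1]})
    print(header)
    print("first use accepted:", server.verify(RFC_METHOD, RFC_URL, RFC_BODY, header, now=RFC_TIMESTAMP))
    print("replay accepted:   ", server.verify(RFC_METHOD, RFC_URL, RFC_BODY, header, now=RFC_TIMESTAMP))
```

Two details matter for a provider implementation. The server must rebuild the base string from the method, URL and body it actually received, never from anything the client claims, so that a changed body or URL invalidates the signature; and the nonce set plus timestamp window is what stops a captured header from being replayed, so it has to be shared across all API workers rather than kept per process as in this in-memory example.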
Participants (2): Florian Fuchs, Manish Gill