[Mailman-Developers] Architecture for extra profile info

Richard Wackerbarth rkw at DATAPLEX.NET
Fri Apr 19 05:09:19 CEST 2013


On Apr 18, 2013, at 8:25 PM, Stephen J. Turnbull <stephen at xemacs.org> wrote:

> Richard Wackerbarth writes:
> 
>> Since we consider the user manager to be a part of the MM complex,
>> what have we gained by hiding the underlying credential from the
>> web interface?
> 
> Security.  See the OAuth 2.0 spec (RFC 6749) which recommends (at
> SHOULD level) this practice.

RFC 6749 addresses the implementation of an OAuth authorization system.

In this context, SHOULD refers to the implementation of this RFC.

It does not imply that other authorization schemes also need to meet those same criteria.

As for security, exposing the authorization server to direct Internet access is, in itself, a security weak point.
