[Python-Dev] Offtopic: OpenID Providers

Toshio Kuratomi a.badger at gmail.com
Thu Sep 5 21:15:30 CEST 2013


On Thu, Sep 05, 2013 at 02:53:43PM -0400, Barry Warsaw wrote:
> 
> This probably isn't the only application of these technologies, but I've
> always thought about OAuth as delegating authority to scripts and programs to
> act on your behalf.  For example, you can write a script to interact with
> Launchpad's REST API, but before you can use the script, you have to interact
> with the web ui once (since your browser is trusted, presumably) to receive a
> token which the script can then use to prove that it's acting on your behalf.
> If at some point you stop trusting that script, you can revoke the token to
> disable its access, without having to reset your password.
> 
> To me, OpenID is about logging into web sites using single-sign on.  For
> example, once I've logged into Launchpad, I can essentially go anywhere that
> accepts OpenID, type my OpenID and generally not have to log in again (things
> like two-factor auth and such may change that interaction pattern).
> 
> Or to summarize to a rough approximation: OpenID is for logins, OAuth is for
> scripts.
> 
> Persona seems to fit the OpenID use case.  You'd still want OAuth for
> scripting.
> 
<nod>  However, in some cases, Persona/OpenID can make more sense for
scripts.  For instance, if you have a script that is primarily interactive
in nature, it may be better to have the user login via that script than to
have an OAuth token lying around on the filesystem all the time
(Contrariwise, if the script is primarily run from cron or similar, it's
better to have a token with limited permissions lying around on the
filesystem than your OpenID password ;-)

It's probably also useful to point out that OAuth (because it was developed
to let third party websites have limited permission to act on your behalf)
is more paranoid than strictly required for many scripts where that
"third-party" is a script that you've written running on a box that you
control.  If that's the main use case for your service, OAuth may not be
a good fit for your authz needs.

-Toshio
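As an added illustration of the trade-off described in this message (example code, not code from the thread, from Launchpad or from any OAuth library), here is one way a script can decide between a scoped token left on disk for unattended runs and a one-time interactive login for attended runs. The token file layout, the scope names and the function names are assumptions.

```python
"""Pick a credential strategy for a script that calls a delegating REST API.

Constructed example: a cron-style run may use a token file, but only if the
file is readable by its owner alone and the token is scoped to exactly what
the script needs; an interactive run falls back to asking the user to log in
rather than leaving a broader credential on disk.
"""
import json
import os
import stat
from pathlib import Path

# Scopes this script needs (assumed names; real services define their own).
REQUIRED_SCOPE = {"bugs:read"}


def token_file_is_private(path: Path) -> bool:
    """True only for a regular file with no group/other permission bits."""
    try:
        st = path.stat()
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    return (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def load_delegated_token(path, required_scope=frozenset(REQUIRED_SCOPE)):
    """Return the stored token, or None if it must not be used.

    Refuses files other users can read, tokens that cannot do the job, and
    tokens that can do more than the job (the 'limited permissions' property
    that makes an on-disk token acceptable in the first place).
    """
    path = Path(path)
    if not token_file_is_private(path):
        return None
    data = json.loads(path.read_text())
    granted = set(data.get("scope", []))
    if not set(required_scope) <= granted:   # under-scoped: useless
        return None
    if not granted <= set(required_scope):   # over-scoped: too risky on disk
        return None
    return data["token"]


def choose_credential(token_path, interactive: bool):
    """('token', t) for an acceptable stored token; ('login', None) to prompt
    an attended user; ('refuse', None) when unattended with no safe token."""
    token = load_delegated_token(token_path)
    if token is not None:
        return ("token", token)
    return ("login", None) if interactive else ("refuse", None)


def write_token(path, token: str, scope) -> None:
    """Store a delegated token with owner-only permissions from creation."""
    fd = os.open(Path(path), os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump({"token": token, "scope": sorted(scope)}, f)
```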