On 9/12/05, joshua schachter <[EMAIL PROTECTED]> wrote:
i'd like to put together a spec for letting users authorize remote
application access without giving away their actual password.

here's a very preliminary idea:

1) remote webapp links to, say, del.icio.us/auth?return=http://place.to.send.auth.key/
2) user ends up on a page that tells him 'grant access to http://place.to.send.auth.key for write/read/decline'
3) chooses read or write or whatever and is redirected to http://place.to.send.auth.key/?user=xyz&key=abc and this is logged to some del.icio.us database. (or maybe this should be POST)
4) api will accept either password or the auth key

thoughts?


Isn't it just too much of a hassle? Expiration time for keys, people changing their mind after authorizing a third party site, key poisoning, third party sites holding the keys infinitely, etc. etc.

A very easy way to do this is to let people "white list" the third party sites they trust in their del.icio.us setting page. (same as we do with cookies in the browser)

Then we can just remove that site every time we don't feel it's ok.

Another way is to force third party sites to issue a key to the user; users then add the key to their "white list", and API requests from designated third party sites must match the key in user settings.

In both ways, you can cut hours of coding and nursing the process on your side.

--
pwlin
_______________________________________________
discuss mailing list
discuss@del.icio.us
http://lists.del.icio.us/cgi-bin/mailman/listinfo/discuss
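The four-step flow from the first message, together with the key expiration and "changing their mind" concerns raised in the reply, can be modelled in a few dozen lines. The following is an added example written for this page, not code from del.icio.us or from either poster. It assumes an https scheme for the auth page, an in-memory grants log standing in for the "del.icio.us database", a 30-day key lifetime (the thread names no number), and that a write grant also covers reads; the account and password are constructed sample values.

```python
"""Toy model of the delegated-key flow sketched in the thread (added example).

Assumptions not in the thread: https scheme, 30-day key TTL, in-memory
grants log, and that "write" scope implies "read".
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample account: username -> salted password hash. Not real data.
_SALT = b"example-salt"
USERS = {"xyz": hashlib.sha256(_SALT + b"correct horse").hexdigest()}

# Grants log, standing in for the "del.icio.us database" of step 3:
# (user, third-party site) -> {key, scope, issued, expires}
GRANTS = {}
KEY_TTL = 30 * 24 * 3600  # assumed 30-day lifetime; the thread leaves this open


def build_auth_link(return_url):
    """Step 1: the remote webapp links the user to the auth page."""
    return "https://del.icio.us/auth?" + urlencode({"return": return_url})


def grant(user, return_url, scope, now=None):
    """Step 3: the user chose read or write; mint a key, log it, and build
    the redirect back to the third party carrying user= and key=."""
    if scope not in ("read", "write"):
        raise ValueError("scope must be read or write")
    site = urlparse(return_url).netloc
    key = secrets.token_urlsafe(24)  # random, never derived from the password
    now = time.time() if now is None else now
    GRANTS[(user, site)] = {
        "key": key, "scope": scope, "issued": now, "expires": now + KEY_TTL,
    }
    return return_url + "?" + urlencode({"user": user, "key": key})


def parse_return(redirect_url):
    """Third-party side: pull user and key out of the redirect URL."""
    q = parse_qs(urlparse(redirect_url).query)
    return q["user"][0], q["key"][0]


def revoke(user, site):
    """The user changed their mind: drop the grant so the key stops working."""
    return GRANTS.pop((user, site), None) is not None


def authorize(user, credential, needed_scope, now=None):
    """Step 4: the API accepts either the password or a live auth key.
    Returns True if the request may proceed with needed_scope."""
    now = time.time() if now is None else now
    cred = credential.encode()
    pw_hash = USERS.get(user)
    if pw_hash and hmac.compare_digest(
        hashlib.sha256(_SALT + cred).hexdigest().encode(), pw_hash.encode()
    ):
        return True  # the real password grants full access
    for (u, _site), g in GRANTS.items():
        if u == user and hmac.compare_digest(g["key"].encode(), cred):
            if now > g["expires"]:
                return False  # expired key: the third party must re-authorize
            # write implies read; a read-only key may not write
            return needed_scope == "read" or g["scope"] == "write"
    return False


if __name__ == "__main__":
    redirect = grant("xyz", "http://place.to.send.auth.key/", "read")
    user, key = parse_return(redirect)
    print(build_auth_link("http://place.to.send.auth.key/"))
    print("read ok:", authorize(user, key, "read"))
    print("write ok:", authorize(user, key, "write"))
    revoke(user, "place.to.send.auth.key")
    print("after revoke:", authorize(user, key, "read"))
```

Because the key is a random per-site value rather than the password, revoking one site's grant (or letting it expire) leaves the password and every other grant untouched, which is the property the first message is after; the whitelist alternative in the reply amounts to keeping the same `(user, site)` table but skipping the key.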
