The whole problem arises because we need to authenticate the client. In mutual authentication, you need to set up the server as well to support each and every client (by adding certificates manually). But scalability can be an issue here?
In terms of having a public API, Google, Evernote and Amazon Web Services use OAuth 2.0 to authenticate the client. And Evernote is using Thrift as well. I thought in terms of the SciGap perspective (it can also support the current use case scenarios). But as you mentioned, it can make things more complicated (since whoever is using the Thrift client would have to program to use OAuth).

For learning purposes: in terms of the operation, don't these two do the same thing? (OAuth coupled with server public key authentication vs mutual authentication using certificates) (apart from the fact that OAuth supports delegation?) The user is delegating the Thrift client to use the server, right?

On Mon, Feb 17, 2014 at 11:01 AM, Amila Jayasekara <[email protected]> wrote:

> On Mon, Feb 17, 2014 at 10:36 AM, Sachith Withana <[email protected]> wrote:
>
> > Hi all,
> >
> > We are exploring the options on securing the Thrift API.
> >
> > Our objective is to authenticate the server and authorize the client.
>
> What do you mean by authorizing the client?
>
> > The options we are exploring are
> >
> > 1. mutual authentication using client and server certificates
>
> This seems to be a good fit according to my understanding.
>
> > 2. Use the server certificate to set up an SSL communication and use OAuth
> > 1 or 2 for the client authorization
>
> I don't see a requirement for doing this. Usually we use OAuth when we need
> delegation. I am not clear how a delegation model fits here. Also it makes
> things complicated.
>
> Thanks
> Amila
>
> > Any suggestions on this matter are highly appreciated!
> >
> > --
> > Thanks,
> > Sachith Withana

--
Thanks,
Sachith Withana
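The two options discussed in this thread differ in what the server can actually learn about the caller, which is the point behind the delegation question. The following Python is an added example, not code from the thread, from Thrift, or from any project mentioned here. It sketches the server side of both options: under mutual TLS the client's identity is the certificate subject that the TLS layer already chained to a trusted CA, and authorization is a lookup in a registry the operator maintains per client; under server-only TLS with OAuth 2.0 the identity comes from a bearer token carried in the request, and that token also names the user who delegated and the scope they granted. Everything in it is constructed for illustration: the `getpeercert()`-shaped certificate dict, the client registry, the operation names, and the HMAC-signed token format, which stands in for real OAuth 2.0 token validation (token introspection or JWT signature checking) so the example runs offline. Thrift's own TLS socket transport is not used; the `ssl` module shows only the one server-side setting that differs between the two options.

```python
"""Added example: what a Thrift-style server's authorization layer sees under
mutual TLS versus server-only TLS plus an OAuth 2.0 bearer token.
All identities, operation names and the token format are constructed."""
import base64
import hashlib
import hmac
import json
import ssl
import time


def server_context(require_client_cert, cafile=None):
    """Server-side SSLContext for either option.  Option 1 sets CERT_REQUIRED,
    so the handshake fails unless the client presents a certificate chaining
    to the CA(s) in the trust store: that trust store is the per-client setup
    the thread worries about.  Option 2 leaves CERT_NONE: TLS authenticates
    only the server, so the client must be identified inside the request.
    The server's own cert/key would be loaded with ctx.load_cert_chain()
    (omitted: no certificate files ship with this example)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_NONE
    if require_client_cert and cafile:
        ctx.load_verify_locations(cafile)
    return ctx


def subject_cn(peercert):
    """commonName from the tuple-of-tuples 'subject' that
    ssl.SSLSocket.getpeercert() returns for a verified peer."""
    for rdn in peercert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def authorize_mtls(peercert, client_registry, operation):
    """Option 1: the certificate identifies the client and nothing else; what
    it may call lives in a server-side registry keyed by the subject."""
    if not peercert:
        raise PermissionError("no client certificate presented")
    cn = subject_cn(peercert)
    allowed = client_registry.get(cn)
    if allowed is None:
        raise PermissionError("unknown client certificate subject %r" % cn)
    if operation not in allowed:
        raise PermissionError("%s may not call %s" % (cn, operation))
    return {"client": cn, "user": None, "scope": sorted(allowed)}


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(secret, client_id, user, scope, ttl, now=None):
    """Stand-in for the authorization server issuing an access token after the
    user consented: it binds client, delegating user, scope and expiry.
    Constructed HMAC-SHA256 format, not a real OAuth 2.0 token encoding."""
    now = time.time() if now is None else now
    payload = {"client": client_id, "user": user, "scope": sorted(scope), "exp": now + ttl}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def verify_token(secret, token, now=None):
    """Check signature before trusting any field, then expiry."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    expected = _b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("bad token signature")
    payload = json.loads(_unb64(body))
    if payload["exp"] <= now:
        raise PermissionError("token expired")
    return payload


def authorize_oauth(secret, token, operation, now=None):
    """Option 2: client and delegating user both come from the token; the
    scope bounds what that user allowed the client to do on their behalf."""
    payload = verify_token(secret, token, now)
    if operation not in payload["scope"]:
        raise PermissionError("scope %s does not cover %s" % (payload["scope"], operation))
    return {"client": payload["client"], "user": payload["user"], "scope": payload["scope"]}


def denied(fn, *args, **kwargs):
    """True if the call is refused; used to exercise the failure paths."""
    try:
        fn(*args, **kwargs)
    except PermissionError:
        return True
    return False


# Constructed sample data: a peer cert in getpeercert() shape, a registry of
# pre-provisioned clients (the manual per-client setup), and a demo secret.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "gateway-client-1"),),),
    "issuer": ((("commonName", "Demo CA"),),),
    "serialNumber": "01",
}
CLIENT_REGISTRY = {"gateway-client-1": {"submitJob", "getJobStatus"}}
SECRET = b"constructed-demo-secret"

if __name__ == "__main__":
    print(authorize_mtls(SAMPLE_PEERCERT, CLIENT_REGISTRY, "submitJob"))
    tok = mint_token(SECRET, "gateway-client-1", "alice", {"getJobStatus"}, ttl=3600, now=1000)
    print(authorize_oauth(SECRET, tok, "getJobStatus", now=1500))
    print("submitJob with that token denied:", denied(authorize_oauth, SECRET, tok, "submitJob", now=1500))
```

The contrast shows up in the returned principal: the mutual TLS path can only ever say which client called, and every new client means another entry in the server's trust store and registry, whereas the token path yields the client, the user who delegated, and a scope narrower than the client's full rights, at the cost of the client having to obtain and present tokens. Which is "the same thing" depends on whether the server ever needs to act differently per user rather than per client.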
