Marlon,

In your last paragraph, you mean "Evernote..." and not "Thrift also has..." - correct?

I believe you're correct in your Thrift-over-HTTP-for-Evernote assumption, based on this: http://mail-archives.apache.org/mod_mbox/incubator-thrift-dev/201005.mbox/%[email protected]%3E

I actually have a doc to share with your team shortly regarding Evernote/Thrift that we did as part of our (CTSC) engagement with you. And I have some follow-on questions that I'll contact you about offline.

-Randy

On Jun 3, 2014, at 2:33 AM, Marlon Pierce <[email protected]> wrote:

> This email is intended to introduce some security discussion.
>
> One of the advantages of Thrift is the ability it will give us to
> integrate native-language SDKs with desktop clients. This requires,
> though, that we will need to think through our security model. In the
> usual browser-based use case, the user does not make direct calls to the
> API. These come instead from the gateway server, and we can establish a
> trust relationship (such as SSL mutual authentication).
>
> For the desktop client case, users make direct calls to the Airavata API
> server, so we have three actors: the desktop application, the API
> Server, and an auth service. The Auth service performs initial
> authentication of the user; it is a service that is gateway-dependent.
> Without going into too many details, OAuth is the usual protocol for
> doing this. Evernote, in their Thrift API, provides this as an option.
>
> Evernote (from what I can tell) uses Thrift over HTTP, or at least uses
> an HTTP proxy. If we stay with TCP/IP Thrift services in Airavata,
> does this mean we need to implement OAuth ourselves?
>
> Thrift also has a different use case in that they are not a
> multi-tenanted service: they own all the accounts that they
> authenticate. In contrast, a single Airavata server may support several
> unrelated gateways. Each gateway would manage its own user accounts.
>
> What are the best options for Airavata?
>
>
> Marlon
