And of course, by "whole" I meant "hole" :-)

On Sat, Apr 9, 2011 at 8:37 PM, Ethan Jewett <[email protected]> wrote:
> Well, OAuth 2 vs. OAuth 1.0a are just different specs. OAuth 2 is based on
> 1.0a and is simplified. When we get started on this feature I guess it's a
> discussion we should have as to which version to use. The comment on the
> Lift list about the implementation of OAuth 1.0 and not 1.0a doesn't fill me
> with confidence for that implementation. OAuth 1.0 has a major security
> whole that version 1.0a fixes.
>
> How do you like the Streamwork API? That is the simpler bearer-token or
> PLAINTEXT version of OAuth. Has anyone tried a version with MAC signatures?
> Any thoughts on usability versus other APIs?
>
> Ethan
>
> On Sat, Apr 9, 2011 at 10:39 AM, Richard Hirsch <[email protected]> wrote:
>
>> On Sat, Apr 9, 2011 at 10:36 AM, Ethan Jewett <[email protected]> wrote:
>> > Using it as an authentication mechanism for our API?
>>
>> Yep
>>
>> > I'd like to do
>> > this but it probably means a fair amount of work. I'd also think we
>> > should consider doing OAuth 2 at this point.
>>
>> Why OAuth ? What are the differences?
>>
>> > I don't think it should
>> > be part of 1.3. It will probably take too long.
>>
>> Agree about it not being in 1.3. Thinking 1.4
>>
>> D.
>>
>> > Ethan
>> >
>> > On Saturday, April 9, 2011, Richard Hirsch <[email protected]> wrote:
>> >> I've been following the OAuth discussion in Lift:
>> >>
>> >> http://groups.google.com/group/liftweb/browse_thread/thread/b511bbc1a37d4166/98b1f654763b355a?show_docid=98b1f654763b355a
>> >>
>> >> When things get straightened out and the code is included in their
>> >> code base, we should probably think about using OAuth in ESME.
>> >>
>> >> Don't know whether we want to wait for 2.4 though, since it might be a
>> >> while before it is released.
>> >>
>> >> Thoughts?
>> >>
>> >> D.
