On 04/17/2013 02:43 AM, Florian Fuchs wrote:
> Hi Manish, hi everyone,
>
> 2013/4/10 Manish Gill <[email protected]>:
>> For the GSoC REST API project, I've been wondering about how
>> authentication would work.
>>
>> OAuth is a way to go if we want authenticated/signed requests. I have a
>> few questions regarding that.
>>
>> - Will Mailman core become an OAuth provider, with Postorius/API being
>> the consumers?
> Probably not the core itself, but possibly another yet-to-be-written
> application that Postorius, Hyperkitty and other clients could use. We
> had a long discussion on this list whether to build a central
> application to store user data that can be accessed by the different
> Mailman-related applications. While we haven't decided yet whether or
> how to proceed, this would possibly be the right context for that.

That makes sense.

>
>> - If the answer to the above is no, is the plan to support popular OAuth
>> providers like Facebook/Twitter?
> Like we discussed on IRC earlier, it would be nice if a site running
> Mailman could act as an OAuth provider. Especially since the thought
> of a FLOSS mailing list manager requiring an account with a commercial
> OAuth service provider to use its API might seem a little odd. But
> implementing both the provider as well as the client is probably way
> beyond the scope of this GSoC project. Especially since authentication
> is only one aspect of it.

Indeed! This could be made easy if we don't have to take care of the
provider implementation ourselves, like we discussed. If a third-party
library exists that could be used to provide this functionality, it
would make things much easier. :)

>> (If not, can you guys please explain how the authentication
>> protocol would really work?)
>>
>> - Since Postorius is already using Mozilla Persona, can that also be
>> used to provide authentication to API clients?
> Probably not Persona, which is meant to be used in the context of a browser.
>
> But are we sure OAuth is our only option in an API context? Are there
> other opinions?

Hmm. I don't know much about it. I looked at Tastypie, and it provides
HTTP Basic Auth [1]. Much simpler, but probably much less secure as well.

[1] http://django-tastypie.readthedocs.org/en/latest/authentication.html

> BTW, the oauthlib documentation has a nice overview of the different
> OAuth workflows [1].
>
>
> Florian
>
> [1] https://oauthlib.readthedocs.org/en/latest/oauth_1_versus_oauth_2.html
>

Cool! :)

--
- Manish Gill
Naeblis on Freenode
@mgill25 on Twitter/Github

_______________________________________________
Mailman-Developers mailing list
[email protected]
http://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org
Security Policy: http://wiki.list.org/x/QIA9
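The thread contrasts Tastypie's HTTP Basic Auth with OAuth-signed requests without showing what actually differs on the wire. The Python below is an added example, not code from this thread, from Tastypie, oauthlib or Mailman: it builds a Basic header and shows the password is recoverable from it, then implements the RFC 5849 (OAuth 1.0a) HMAC-SHA1 signature base string on the client side and a server-side verifier that recomputes the signature and rejects replayed nonces and stale timestamps. The credentials, the endpoint URL, the nonces and the fixed clock are constructed for the example; the Authorization header serialization of the oauth_* parameters is left out.

```python
"""Added example: HTTP Basic Auth versus an RFC 5849 HMAC-SHA1 signed request.
Not from the thread or the Mailman/Postorius/Tastypie/oauthlib code bases."""
import base64
import hashlib
import hmac
import time
from urllib.parse import quote

# Constructed credentials for the example (client = Postorius, resource server = Mailman API).
CLIENT_KEY = "postorius"
CLIENT_SECRET = "s3cr3t-client"
TOKEN = "api-token"
TOKEN_SECRET = "s3cr3t-token"


def basic_auth_header(user, password):
    """HTTP Basic: the password itself rides on every request; base64 is an
    encoding, not encryption, so its secrecy is exactly that of the TLS channel."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def password_from_basic_header(header):
    """Anyone who can read the header (proxy, log file, TLS-stripping MitM) gets the password."""
    return base64.b64decode(header.split(" ", 1)[1]).decode().split(":", 1)[1]


def _enc(s):
    # RFC 5849 section 3.6: percent-encode everything except the unreserved set.
    return quote(str(s), safe="-._~")


def signature_base_string(method, base_url, params):
    """RFC 5849 section 3.4.1: METHOD & enc(base URL) & enc(normalized parameters).
    `params` is a list of (name, value) covering query, body and oauth_* parameters,
    excluding oauth_signature. Pairs are encoded first, then sorted by name, then value."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(base_url), _enc(normalized)])


def hmac_sha1_signature(method, base_url, params, client_secret, token_secret):
    """RFC 5849 section 3.4.2: key is enc(client secret) & enc(token secret)."""
    key = f"{_enc(client_secret)}&{_enc(token_secret)}".encode()
    base = signature_base_string(method, base_url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def sign_request(method, base_url, params, nonce, timestamp):
    """Client side: only the HMAC travels; the secrets never leave the client."""
    oauth = {
        "oauth_consumer_key": CLIENT_KEY,
        "oauth_token": TOKEN,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = hmac_sha1_signature(
        method, base_url, list(params) + list(oauth.items()), CLIENT_SECRET, TOKEN_SECRET)
    return oauth


class OAuthVerifier:
    """Server side: recompute the signature over what was actually received and
    refuse replays (same client/timestamp/nonce) and timestamps outside the window."""

    def __init__(self, secrets, window=300):
        self.secrets = secrets   # {client_key: (client_secret, {token: token_secret})}
        self.window = window     # seconds of allowed clock skew
        self.seen = set()        # (client_key, timestamp, nonce) already accepted

    def verify(self, method, base_url, params, oauth, now=None):
        now = time.time() if now is None else now
        try:
            client_secret, tokens = self.secrets[oauth["oauth_consumer_key"]]
            token_secret = tokens[oauth["oauth_token"]]
            ts = int(oauth["oauth_timestamp"])
        except (KeyError, ValueError):
            return False
        if oauth.get("oauth_signature_method") != "HMAC-SHA1" or abs(now - ts) > self.window:
            return False
        replay_key = (oauth["oauth_consumer_key"], ts, oauth["oauth_nonce"])
        if replay_key in self.seen:
            return False
        signed = [(k, v) for k, v in oauth.items() if k != "oauth_signature"]
        expected = hmac_sha1_signature(method, base_url, list(params) + signed, client_secret, token_secret)
        if not hmac.compare_digest(expected.encode(), oauth["oauth_signature"].encode()):
            return False
        self.seen.add(replay_key)   # burn the nonce only after a valid signature
        return True


def demo():
    verifier = OAuthVerifier({CLIENT_KEY: (CLIENT_SECRET, {TOKEN: TOKEN_SECRET})})
    method, url = "POST", "https://lists.example.org/3.0/lists"   # constructed endpoint
    params = [("fqdn_listname", "test@lists.example.org")]          # constructed body
    now = 1366166580                                                # constructed fixed clock
    good = sign_request(method, url, params, nonce="n1", timestamp=now)
    other = sign_request(method, url, params, nonce="n2", timestamp=now)
    return {
        "basic_password_recovered": password_from_basic_header(basic_auth_header("admin", "hunter2")),
        "first": verifier.verify(method, url, params, good, now=now),
        "replay": verifier.verify(method, url, params, good, now=now),
        "tampered": verifier.verify(method, url, [("fqdn_listname", "evil@lists.example.org")], other, now=now),
        "stale": verifier.verify(method, url, params, other, now=now + 3600),
    }


if __name__ == "__main__":
    print(demo())
```

The point the example makes concrete: with Basic, the bearer of the header is the password, so the scheme is only as safe as TLS on every hop and every log that sees the header; with a signed request the server never receives the secret, and the nonce/timestamp check means a captured request cannot be replayed, which is what "authenticated/signed requests" buys over "simpler".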
