On Mon, Feb 2, 2009 at 6:57 PM, Perryn Fowler <[email protected]> wrote:
> I am currently working on a project to expose a developer api to our
> systems. The vision is for this to be a RESTful interface
> where we exchange payloads of XML. For some operations, the payload
> would be passed in a post body.

Neat.

> a) It would appear then that oAuth is unsuitable for this type of
> undertaking? I am a bit surprised as I would have thought it would be
> a common use case - Is there a reason why this was explicitly not
> supported?

Several. First, it's a mistake assuming that if something isn't explicitly mentioned in the OAuth specification then it is either impossible or forbidden; the truth is, if it isn't mentioned as forbidden you should feel free to invent a way to do it. But I hear the desire to use a standardized method; after all, that's why one uses a standard.

Body hashes for binary payloads are actually pretty straightforward. But I'm interested to hear how you're going to normalize the XML to make sure the representation is unambiguous for generating a signature.

Additionally, I raised some concerns about the ability of mobile devices to generate hashes for large blobs of data, based on our experience working with signed AtomPub on Symbian devices for uploading photos.

Lastly, it fell into the "inventing something new" which we were trying to avoid doing in the Core.

> b) Is anyone out there doing this type of thing? Have you extended
> oAuth to do it? If not, what are you using?

Eran linked to the current proposed extension, which has the advantage of being straightforward. You'll have to figure out if it works for your XML documents use case. I'm still futzing with how I want to do body signatures for uploads to Flickr, though it's less of a concern to us than it is to an API like you describe.

The two most popular options are currently: define your own specific normalizing/signing method for your endpoint (not too arduous), or use the one Eran linked to.

-kellan
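The XML normalization question raised in the message above, as an added example that is not part of the original thread or of any OAuth extension: two serializations of the same document hash differently as raw bytes and agree only after canonicalization. SHA-256, C14N 2.0 with whitespace stripping, the simplified MAC input, the key, the URL and the sample documents are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from xml.etree.ElementTree import canonicalize  # C14N 2.0, Python 3.8+


def raw_body_hash(body: bytes) -> str:
    """Hash the exact bytes on the wire; this is all a binary payload needs."""
    return base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")


def xml_body_hash(body: bytes) -> str:
    """Hash the canonical form so equivalent XML serializations agree.

    Assumption: whitespace around text is not significant for this endpoint,
    so strip_text=True is safe. Both sides must apply the same rule.
    """
    canonical = canonicalize(body.decode("utf-8"), strip_text=True)
    return raw_body_hash(canonical.encode("utf-8"))


def sign(key: bytes, method: str, url: str, body_hash: str) -> str:
    """Illustrative MAC over method, URL and body hash.

    This is a simplified stand-in, not OAuth's signature base string.
    """
    message = "\n".join([method.upper(), url, body_hash]).encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(key: bytes, method: str, url: str, body: bytes, signature: str) -> bool:
    """Recompute the canonical body hash and compare in constant time."""
    expected = sign(key, method, url, xml_body_hash(body))
    return hmac.compare_digest(expected, signature)


# Constructed sample payloads: A and B are the same document serialized
# differently (attribute order, quoting, whitespace, empty-element form).
DOC_A = b'<?xml version="1.0"?><order id="7" currency="AUD"><item sku="x1"/></order>'
DOC_B = b"<order currency='AUD' id='7'>\n  <item sku='x1'></item>\n</order>"
DOC_C = b'<order id="8" currency="AUD"><item sku="x1"/></order>'  # id changed
KEY = b"constructed-shared-secret"
URL = "https://api.example.com/orders"

if __name__ == "__main__":
    sig = sign(KEY, "POST", URL, xml_body_hash(DOC_A))
    print("raw hashes equal:      ", raw_body_hash(DOC_A) == raw_body_hash(DOC_B))
    print("re-serialized verifies:", verify(KEY, "POST", URL, DOC_B, sig))
    print("modified body verifies:", verify(KEY, "POST", URL, DOC_C, sig))
```

Hashing the raw bytes avoids the normalization step entirely, at the cost that any intermediary or client library that re-serializes the XML invalidates the signature.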
