Dear list,

I'm tasked with designing a new developer API for our application. Part of this is coming up with an authentication scheme. I've looked into OAuth, and I would like to know if OAuth is right for me, because it doesn't exactly address the standard OAuth scenario.

To explain our application in a nutshell, we host community sites. The developers accessing our site are not end-users, but businesses licensing our application. These clients currently get a secret token (API key) which gives them unrestricted access to all data and users within their application. This API access needs to be secure, but does not require explicit permission by the end-users (or even implicit ;) they can just do whatever they want..).

For this scenario, would it make sense to use OAuth? How would OAuth work if there is no end-user to allow permission?

The second scenario is a bit more involved. Sometimes we'd like the end-user to make requests to the API through their browser. In this scenario we use the following setup:

* Consumer makes authenticated API request to a 'user.getSessionToken' service along with an 'end-user-id'.
* The API returns a unique token (which expires after 24h).
* The Consumer returns the unique token to the browser.
* The browser makes requests to the API, and the API knows based on the session token if the user was allowed to perform the request.

I hope my question makes sense. If OAuth is not the best tool for this job, are there other technologies or best practices I should consider, or would this explained scenario suffice?

Thanks very much for reading this far :)

Evert
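The session-token flow from the second scenario, as an added example that is not part of the original post or of any real API. The class and method names, the opaque random token, and the server-side store keyed by a hash of the token are all assumptions made for illustration; only the 24h expiry and the binding to an end-user id come from the post.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 60 * 60  # 24h expiry, as described in the post


def _digest(value):
    return hashlib.sha256(value.encode()).hexdigest()


class Api:
    """Hypothetical API server; names and storage layout are assumptions."""

    def __init__(self, api_keys):
        # consumer_id -> hash of the API key, so raw keys are not kept in memory
        self._keys = {cid: _digest(key) for cid, key in api_keys.items()}
        # hash(token) -> (consumer_id, end_user_id, expires_at)
        self._sessions = {}

    def get_session_token(self, consumer_id, api_key, end_user_id, now=None):
        """Consumer-to-API call: exchange the API key for a per-user token."""
        expected = self._keys.get(consumer_id, "")
        if not hmac.compare_digest(expected, _digest(api_key)):
            raise PermissionError("bad consumer credentials")
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable, carries no data
        self._sessions[_digest(token)] = (consumer_id, end_user_id, now + TOKEN_TTL)
        return token

    def authorize(self, token, acting_on_user_id, now=None):
        """Browser-to-API call: allow only the bound end user, before expiry."""
        now = time.time() if now is None else now
        key = _digest(token)
        session = self._sessions.get(key)
        if session is None:
            return False
        _consumer_id, end_user_id, expires_at = session
        if now >= expires_at:
            del self._sessions[key]  # expired tokens are dropped on first use
            return False
        return end_user_id == acting_on_user_id
```

The browser only ever holds the short-lived token, so the consumer's API key, which has unrestricted access, never leaves the consumer's server.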
