On 20-May-09, at 2:31 AM, John Panzer wrote:

> On Tue, May 19, 2009 at 6:01 PM, Evert Pot <[email protected]> wrote:
>
> Dear list,
>
> I'm tasked with designing a new developer api for our application.
> Part of this is coming up with an authentication scheme. I've looked
> into OAuth, and I would like to know if OAuth is right for me, because
> it doesn't exactly address the standard OAuth scenario.
>
> To explain our application in a nutshell, we host community sites. The
> developers accessing our site are not end-users, but businesses
> licensing our application. These clients currently get a secret token
> (api key) which gives them unrestricted access to all data and users
> within their application.
>
> This API access needs to be secure, but does not require explicit
> permission by the end-users (or even implicit ;) they can just do
> whatever they want..).
>
> For this scenario, would it make sense to use OAuth? How would OAuth
> work if there is no end-user to allow permission?
>
> Yep, this is the so-called "two legged" scenario, with an empty
> access token and secret (just a Consumer Key and secret). It works
> fine.

Thanks for the concise answer :).

I have a followup question though. If my consumers would like to make API requests straight from a browser, would I still be able to employ OAuth for such a scenario? In this case consumer trust is still implied, but the scope of the end-user making the request is limited.

Basically I would like consumers to be able to write applications that make cross-domain JavaScript requests to the api on behalf of the user. End-users should not be able to use the authentication information to make trusted requests on behalf of the consumer.

I hope my question is clear, there's a lot of moving parts which makes it a bit difficult to describe this scenario. And besides if OAuth would work for me, I'm also just curious if it's really the best tool for the job.

Thanks,
Evert

--
You received this message because you are subscribed to the Google Groups "OAuth" group.
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
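
The "two legged" scheme described in the quoted reply, as an added example (not code from the thread or from any OAuth library): OAuth 1.0 HMAC-SHA1 signing with an empty token and token secret, plus the provider-side check. The consumer key, secret, URL and function names are constructed for illustration.

```python
import base64, hashlib, hmac
from urllib.parse import quote

# Constructed sample values, not taken from the thread.
CONSUMER_KEY, CONSUMER_SECRET = "community-site-42", "constructed-secret"
URL = "https://api.example.com/v1/users"

def enc(s):
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal
    return quote(str(s), safe="-._~")

def sign_two_legged(method, url, params, consumer_key, consumer_secret,
                    timestamp, nonce):
    """Consumer side: return the oauth_* parameters with oauth_signature."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": "",                  # empty access token, as in the reply
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    pairs = sorted((enc(k), enc(v)) for k, v in {**params, **oauth}.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), enc(url), enc(normalized)])
    key = f"{enc(consumer_secret)}&"        # token secret is empty after '&'
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    oauth["oauth_signature"] = base64.b64encode(digest).decode()
    return oauth

def verify_two_legged(method, url, params, oauth, secrets, seen, now,
                      max_skew=300):
    """Provider side: recompute the signature from the stored consumer secret."""
    ckey, nonce = oauth.get("oauth_consumer_key"), oauth.get("oauth_nonce", "")
    ts = oauth.get("oauth_timestamp", "")
    if ckey not in secrets or not ts.isdigit() or abs(now - int(ts)) > max_skew:
        return False                        # unknown consumer or stale timestamp
    if (ckey, ts, nonce) in seen:
        return False                        # replayed request
    expected = sign_two_legged(method, url, params, ckey, secrets[ckey], ts, nonce)
    ok = hmac.compare_digest(expected["oauth_signature"].encode(),
                             oauth.get("oauth_signature", "").encode())
    if ok:
        seen.add((ckey, ts, nonce))         # remember the nonce only once valid
    return ok
```

Signing requires the consumer secret itself, so any code that calls `sign_two_legged` in a browser would have to ship that secret to every end-user, which is the exposure the follow-up question is concerned with.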
