Shak wrote:

Hi all,

I'm about to start working on incorporating OAuth in a project I'm
working on. I'll be a resource server, and will therefore have to
issue and manage tokens etc.

My question is regarding OAuth 2. Should I look to support the new
spec? I realise that it's a draft and in flux etc, but I'm wondering
with regards to this new project whether it's better to jump straight
into 2 now, or use 1a with the intention of moving to 2 later on - I
understand that the two are not compatible, but is it possible to run
both in parallel? Perhaps even by using the same tokens?

I know that this is a very subjective question to ask, but any
thoughts or advice would be appreciated.

While you would also need to consider the company's view on stability,
when you expect to go live with the project, the API in question, the
targeted developers of the API, and how much control you have over both
of them, I personally would just release with OAuth 1.0a, but ready to
also release 2.0 when it's stable. This will let your targeted developers
work against a stable spec with mature code libraries available and
alleviate the risk of requiring change on your side to support any
changes as OAuth 2 evolves. The fact of the matter is that 2.0 is still
just a draft where nothing is set in stone, so your mileage will vary.

Once you are ready to release a 2.0 version, you could then run them in
parallel, which would give time for people to migrate their client
applications from 1.0a to 2.0. Personally I wouldn't tie them both to
the same access token or at least require authentication within each of
the OAuth version flows before the token is active within the context of
said version.

Rob