Re: [twitter-dev] What's up with OAuth?

2010-02-14 Thread Raffi Krikorian
>
> Could you explain how "OAuth Echo" works with OAuth WRAP/2.0?
>

working on it -- expect to see another update on oauth echo on mehack
tomorrow.


> Would it be possible for you to skip the OAuth 1.0a version of Echo and
> just deploy the WRAP/2.0 version? Otherwise, clients are going to get stuck
> with having to implement BOTH versions, as some delegators will surely
> implement only the OAuth 1.0a version, while others only implement the WRAP
> version. Similarly, delegators will probably feel pressure to support both
> versions, as some clients will only implement one or the other.
>

it's definitely something that we've considered.  i think, in reality, we're
going to have to support both types as we don't yet have any notion on
when/if we would deprecate oauth 1.0a -- in addition, not having oauth echo
implemented for 1.0a, when we're pushing towards basic auth deprecation in
june...  all in all, this seems too complicated to not have in our 1.0a
implementation.


> xAuth vs. the WRAP username/password profile is not such a big problem
> because client implements can just keep using Basic Auth until you support
> the WRAP username/password profile, and skip xAuth completely (unless they
> need to take advantage of the higher rate limits for xAuth).
>

the same goes with xAuth.

-- 
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi


Re: [twitter-dev] What's up with OAuth?

2010-02-14 Thread Brian Smith

Raffi Krikorian wrote:
> i think this experiment in engaging the community around designing
> this security/identity workflow has been definitely a success, and i
> feel we're rapidly converging on a solution for identity verification
> delegation.  in parallel, we're going to start the process to engage
> our media providers in the conversation as well, and we're hopeful we
> can move this forward quickly.

Could you explain how "OAuth Echo" works with OAuth WRAP/2.0?

Would it be possible for you to skip the OAuth 1.0a version of Echo and 
just deploy the WRAP/2.0 version? Otherwise, clients are going to get 
stuck with having to implement BOTH versions, as some delegators will 
surely implement only the OAuth 1.0a version, while others only 
implement the WRAP version. Similarly, delegators will probably feel 
pressure to support both versions, as some clients will only implement 
one or the other.


xAuth vs. the WRAP username/password profile is not such a big problem 
because client implements can just keep using Basic Auth until you 
support the WRAP username/password profile, and skip xAuth completely 
(unless they need to take advantage of the higher rate limits for xAuth).

> in general, we really like WRAP/2.0 because it's just /so/ easy to
> implement from the client side.  there are no longer questions around
> creating the proper signature base string, etc.  we're sure that
> developers will like it as well.  we've started work on an internal
> implementation of OAuth WRAP and we envision that we'll simultaneously
> support both OAuth 1.0a and WRAP/2.0 for a while.  our hope is to get
> WRAP out the door soon (and before we finally deprecate basic
> authentication).

Thanks,
Brian