> > 3. What other models of distributed auth do you think we could learn
> > from and what specifically about them?
> 
> I am happy to see username/password Basic Auth go away, but I would be
> sad to see all methods of Basic Auth unavailable. Lots of other APIs
> have "api keys" that users can use to allow access to an api on their
> behalf (FriendFeed, Prowl, TweetHook, and some others come to mind
> immediately). Each user gets an API Key which allows manipulation of
> some aspects of their accounts, but not as much as knowing the actual
> account password combo.  This has a couple of advantages over Basic Auth
> and OAuth:
> 
> a) If an app starts acting up, the user can revoke/change their
> account API key and just update the services that are still relevant
> to them to continue working. This isn't quite as nice as the "per app"
> revocation that OAuth provides, but it is less "painful" from a user
> point-of-view than changing their account login password.
> 
> b) Basic Auth is still possible. This means that simple use-cases like
> command-line curls, cron jobs, embedded systems, web-browser-less
> systems, etc can still interact with the API without having to jump
> through the OAuth hoops.
> 
> I would suggest that "API Key Auth" should be required to use HTTPS
> and disable HTTP access.

+1.

-- 
------------------------------------ personal: http://www.cameronkaiser.com/ --
  Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com
-- Po-Ching Lives! ------------------------------------------------------------
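As an added illustration of the "API Key Auth" scheme sketched in the quoted message (this is example code written for this page, not code from the list or from any of the APIs named above): the server accepts an HTTP Basic credential whose password field is a per-account API key, refuses to evaluate credentials at all unless the request arrived over HTTPS, stores only a hash of the key, compares in constant time, and lets the user rotate the key so that every client holding the old one stops working at once. The key store, key format (`ak_live_` prefix), header dictionary and `scheme` parameter are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets


def _sha256_hex(value: str) -> str:
    """Hash an API key so the store never holds it in plaintext."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


# Constructed in-memory key store: username -> hash of the account's current API key.
# Hypothetical; a real deployment would keep this in a database.
KEYS = {
    "alice": _sha256_hex("ak_live_0123456789abcdef"),  # constructed sample key
}


def issue_key(store: dict, user: str) -> str:
    """Generate a fresh API key for `user`, replacing the previous one.

    Because the account has a single key, issuing a new one is the
    revocation step from point (a): every client still presenting the old
    key is cut off, and the user re-enters the new key only where needed.
    The plaintext key is returned exactly once; only its hash is stored.
    """
    key = "ak_live_" + secrets.token_hex(16)
    store[user] = _sha256_hex(key)
    return key


def basic_header(user: str, key: str) -> str:
    """Build the Authorization header a client (curl, cron job, device) would send."""
    return "Basic " + base64.b64encode(f"{user}:{key}".encode("utf-8")).decode("ascii")


def authenticate(headers: dict, scheme: str, store: dict = KEYS):
    """Return the authenticated username, or None if the request is rejected.

    `headers` is the request header map and `scheme` is the URL scheme the
    request actually arrived with ('http' or 'https').
    """
    # Point from the message: API Key Auth is HTTPS-only. Refuse to even
    # parse credentials that were sent in the clear.
    if scheme != "https":
        return None

    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(auth[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None

    # Basic credentials are "user:password"; here the password slot carries the API key.
    user, sep, key = raw.partition(":")
    if not sep or not user:
        return None

    expected = store.get(user)
    if expected is None:
        return None

    # Constant-time comparison of hashes so a wrong key is not distinguishable by timing.
    if hmac.compare_digest(expected, _sha256_hex(key)):
        return user
    return None
```

A client needs nothing beyond what Basic Auth already gives it, which is the point of (b): `curl -u alice:ak_live_... https://api.example/...` is the whole integration, and the same header works from a cron job or an embedded device with no browser. Rotating the key with `issue_key` immediately invalidates the old credential everywhere it was copied.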
