> > 3. What other models of distributed auth do you think we could learn
> > from and what specifically about them?
>
> I am happy to see username/password Basic Auth go away, but I would be
> sad to see all methods of Basic Auth unavailable. Lots of other APIs
> have "api keys" that users can use to allow access to an api on their
> behalf (FriendFeed, Prowl, TweetHook, and some others come to mind
> immediately). Each user gets an API Key which allows manipulation of
> some aspects of their accounts, but as much as knowing the actual
> account password combo. This has a couple of advantages of Basic Auth
> and OAuth:
>
> a) If an app starts acting up, the user can revoke/change their
> account API key and just update the services that are still relevant
> to them to continue working. This isn't quite as nice as "per app"
> revocation that OAuth provides, but less "painful" from a user
> point-of-view as changing their account login password.
>
> b) Basic Auth is still possible. This means that simple use-cases like
> command-line curls, cron jobs, embedded systems, web-browser-less
> systems, etc. can still interact with the API without having to jump
> through the OAuth hoops.
>
> I would suggest that "API Key Auth" should be required to use HTTPS
> and disable HTTP access.
+1.

-- 
------------------------------------ personal: http://www.cameronkaiser.com/ --
  Cameron Kaiser * Floodgap Systems * www.floodgap.com
-- Po-Ching Lives! ------------------------------------------------------------
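The "API Key Auth" scheme proposed in the quoted message, sketched as an added example (not code from the thread or from any of the APIs it names): each user gets a random per-account key, the server stores only its hash, the key is presented as the Basic Auth password, the user can rotate or revoke it without touching their login password, and requests over plain HTTP are refused so the key never travels in the clear. Names such as `ApiKeyStore` and `authenticate` are assumptions; limiting a key to "some aspects" of the account is not modelled here.

```python
import base64
import hashlib
import hmac
import secrets


class ApiKeyStore:
    """Per-user API keys, stored hashed so a database leak does not leak usable keys."""

    def __init__(self):
        self._hashes = {}  # username -> sha256 hex digest of the current key

    def issue(self, username):
        """Generate a fresh key for the user; the plaintext is returned once and not kept."""
        key = secrets.token_urlsafe(32)
        self._hashes[username] = hashlib.sha256(key.encode()).hexdigest()
        return key

    def rotate(self, username):
        """Invalidate the old key and hand out a new one (the "change" case in the thread)."""
        return self.issue(username)

    def revoke(self, username):
        """Invalidate the key entirely (the "revoke" case in the thread)."""
        self._hashes.pop(username, None)

    def verify(self, username, key):
        stored = self._hashes.get(username)
        if stored is None:
            return False
        candidate = hashlib.sha256(key.encode()).hexdigest()
        return hmac.compare_digest(stored, candidate)  # constant-time comparison


def basic_header(username, key):
    """Build the Authorization header a curl/cron client would send (key as the password)."""
    return "Basic " + base64.b64encode(f"{username}:{key}".encode()).decode()


def authenticate(store, scheme, auth_header):
    """Return the username on success, else None. Plain HTTP is refused outright."""
    if scheme != "https":
        return None
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth_header[len("Basic "):], validate=True).decode()
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    username, sep, key = decoded.partition(":")
    if not sep or not store.verify(username, key):
        return None
    return username
```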
