Re: OAuth 2.0 implementation

From Demian Brecht <demianbrecht@gmail.com>
Newsgroups comp.lang.python
Subject Re: OAuth 2.0 implementation
Date 2012-03-26 22:30 -0700
Organization http://groups.google.com
Message-ID <7909491.0.1332826232743.JavaMail.geo-discussion-forums@pbim5> (permalink)
References (1 earlier) <87haxahh51.fsf@benfinney.id.au> <roy-E4EA5A.23301726032012@news.panix.com> <878vimhfdp.fsf@benfinney.id.au> <roy-2E9CB1.23571326032012@news.panix.com> <87zkb2fz7g.fsf@benfinney.id.au>


On Monday, 26 March 2012 21:24:35 UTC-7, Ben Finney  wrote:
> Roy Smith <roy@panix.com> writes:
> 
> > In article <878vimhfdp.fsf@benfinney.id.au>,
> >  Ben Finney <ben+python@benfinney.id.au> wrote:
> > > So, if I want to be free to choose an identity provider I trust, and
> > > it's not Facebook or Google or Twitter or other privacy-hostile
> > > services, how does OAuth help me do that?
> >
> > It doesn't.  Well, in theory, it could, but in practice everybody's 
> > OAuth implementation is different enough that they don't interoperate.
> 
> Thanks. So OAuth is a pseudo-standard that is implemented incompatibly
> to the extent that it doesn't actually give users the freedom to migrate
> their existing data and identity at will to any other OAuth implementor?
> 
> -- 
>  \         “Money is always to be found when men are to be sent to the |
>   `\   frontiers to be destroyed: when the object is to preserve them, |
> _o__)     it is no longer so.” —Voltaire, _Dictionnaire Philosophique_ |
> Ben Finney

OAuth 2.0 is the emerging standard (now passed on to IETF) to deal with providing access to protected resources. OpenID is a standard used to deal with authentication. While there is some overlap (OAuth can be used for authentication as well), the goals of the two protocols are different.

OAuth 2.0 is still in draft status (draft 25 is the current one, I believe) and yes, unfortunately every single server available at this point has varying degrees of separation from the actual spec. It's not a pseudo-standard, it's just not observed to the letter. Google is the closest and Facebook seems to be the farthest away (Stack Exchange is in close second due to building theirs to work like Facebook's). That was pretty much how this work was born. I wanted to be able to implement authentication and resource access over multiple providers with a single code base.

So, in answer to your questions:

1) If you're only looking for a solution to authentication, OAuth is no better than OpenID. Having said that, with the apparent popularity of OAuth 2.0, more providers may support OAuth than will OpenID (however, that's just my assumption).

2) OAuth is all about centralized services in that it is how providers allow access to protected resources. Whether it's a social network or SaaS (such as Harvest: http://www.getharvest.com/), if there isn't exposure to protected resources, then OAuth becomes pointless.

3) If you're looking to implement OAuth authentication with a provider that you trust, grab the sanction source, implement said provider and send a pull request ;)

4) Data migration doesn't happen with OAuth. As the intent is to allow access to protected resources, migrating Google to, say, Facebook just wouldn't happen :)

Hope that makes sense and answers your questions.
- Demian
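
An added illustration of the provider differences described in the message above (not part of the original post and not code from sanction): one way a single code base can normalize token endpoint responses and fail closed on ambiguous ones. The form-encoded body, the `expires` field name and the default token type are assumed deviations chosen for the example, and the sample bodies are constructed.

```python
import json
from urllib.parse import parse_qs

# Constructed sample bodies (not captured from any real provider).
SPEC_BODY = '{"access_token": "tok-A", "token_type": "Bearer", "expires_in": 3600}'
FORM_BODY = "access_token=tok-B&expires=5183999"

class TokenResponseError(ValueError):
    """Raised when a token endpoint body cannot be safely normalized."""

def parse_token_response(body, content_type=""):
    """Return a normalized dict from a JSON or form-encoded token response."""
    ctype = content_type.split(";")[0].strip().lower()
    if ctype == "application/json" or body.lstrip().startswith("{"):
        try:
            data = json.loads(body)
        except ValueError as exc:
            raise TokenResponseError("malformed JSON token response") from exc
        if not isinstance(data, dict):
            raise TokenResponseError("token response is not a JSON object")
    else:
        # Assumed deviation: the provider answers with a form-encoded body.
        fields = parse_qs(body)
        # Repeated parameters are ambiguous; refuse rather than pick one.
        dupes = sorted(k for k, v in fields.items() if len(v) != 1)
        if dupes:
            raise TokenResponseError("repeated parameters: %s" % dupes)
        data = {k: v[0] for k, v in fields.items()}
    if "error" in data:
        raise TokenResponseError("provider error: %s" % data["error"])
    token = data.get("access_token")
    if not isinstance(token, str) or not token:
        raise TokenResponseError("no access_token in response")
    # Map the assumed non-standard `expires` onto the spec's `expires_in`.
    raw_expiry = data.get("expires_in", data.get("expires"))
    try:
        expires_in = int(raw_expiry) if raw_expiry is not None else None
    except (TypeError, ValueError) as exc:
        raise TokenResponseError("non-numeric expiry") from exc
    if expires_in is not None and expires_in < 0:
        raise TokenResponseError("negative expiry")
    return {
        "access_token": token,
        # Assumption: treat a missing token_type as bearer.
        "token_type": str(data.get("token_type", "bearer")).lower(),
        "expires_in": expires_in,
        "refresh_token": data.get("refresh_token"),
    }
```
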
