From: Stuart Bishop
To: Ben Finney
Cc: python-list@python.org
Newsgroups: comp.lang.python
Date: Tue, 27 Mar 2012 16:59:25 +0700
Subject: Re: OAuth 2.0 implementation

On Tue, Mar 27, 2012 at 10:11 AM, Ben Finney wrote:
> Demian Brecht writes:
>
>> I'm getting close to an alpha release of an OAuth 2.0 implementation
>> (https://github.com/demianbrecht/py-sanction).
>
> Thank you for doing this work.
>
> As someone who uses OpenID, what can I read about why OAuth is better?

They are different, and often you need to use both.

OpenID allows web sites to authenticate someone. It is not really useful for anything not an interactive web site. The consuming site never gets your keys, it just gets confirmation from the provider that the user is who they claim they are and maybe some details that the provider chooses to provide such as an email address.

OAuth is for generating authentication keys that allow a program to authenticate as someone and perform operations on their behalf. You use OAuth to generate a key so that Foursquare can send messages via Twitter on your behalf, or so the Facebook client on your phone can access your account without storing your password. You also get authentication here, as you can't generate a key without being authenticated, but the real reason it is used instead of OpenID is so you can keep the key and keep using it to act as the user; you can keep using that key until it expires or it is revoked.

Authentication providers that don't provide a webapi just implement OpenID. Big sites like Google and Facebook implement both OpenID (for 'log in with your GMail account') and OAuth ('post this message to your Facebook wall').

--
Stuart Bishop
http://www.stuartbishop.net/
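
The distinction drawn in the message above, as an added example (not part of the original post and not py-sanction code). `ToyProvider` and all its method names are hypothetical, and per-key scopes are an assumption that goes beyond what the post describes. It models a provider that either confirms an identity (OpenID-style) or issues a key that works until it expires or is revoked (OAuth-style).

```python
import hashlib
import hmac
import secrets
import time


def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ToyProvider:
    """Constructed in-memory model of a provider; not a real OAuth/OpenID API."""

    def __init__(self):
        self._users = {}   # user -> (salt, password hash); stays at the provider
        self._keys = {}    # sha256(key) -> (user, scopes, expiry time)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, _kdf(password, salt))

    def _login(self, user, password):
        salt, stored = self._users.get(user, (b"\0" * 16, b""))
        return hmac.compare_digest(stored, _kdf(password, salt))

    def assert_identity(self, user, password):
        """OpenID-style: the site gets a confirmation and details, no key."""
        return {"identity": user} if self._login(user, password) else None

    def issue_key(self, user, password, scopes, ttl, now=None):
        """OAuth-style: the user logs in at the provider; the client gets a key."""
        if not self._login(user, password):
            return None
        now = time.time() if now is None else now
        key = secrets.token_urlsafe(32)
        digest = hashlib.sha256(key.encode()).hexdigest()
        self._keys[digest] = (user, frozenset(scopes), now + ttl)
        return key

    def acting_user(self, key, scope, now=None):
        """Return the user this key may act as for `scope`, else None."""
        now = time.time() if now is None else now
        entry = self._keys.get(hashlib.sha256(key.encode()).hexdigest())
        if entry is None or now >= entry[2] or scope not in entry[1]:
            return None
        return entry[0]

    def revoke(self, key):
        self._keys.pop(hashlib.sha256(key.encode()).hexdigest(), None)
```

The provider stores only a digest of each key, so a leaked key table cannot be replayed, and the client holds the key but never the password.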