Dear OAuth Team and Fans,

I'm currently evaluating how the OAuth2 standards can become our own standards.
I'm currently trying to understand all the details of the draft, so I'm sorry if these points are already in the specification, or if you have already talked about these points.

OAuth1
------

We have implemented OAuth1. For our external partners, it was really hard to implement. Just explaining the flow to the internal team was quite complicated. So most of these users ended up using basic authentication.

1. "OAuth2 Delegation" / chain authentication
---------------------------------------------

Here is our need: people need to log in or register on our system using a username/password or a Facebook account. We "delegate" our authentication to an external partner. (First it will be Facebook.) This authentication can be done on a phone or in a web application.

What we will basically do:

- We get an access_token or code from Facebook, using either a mobile application or a web application.
- We exchange the Facebook access_token for an access token on our platform.
- We verify the user on Facebook from our API.

If we make it OAuth2 generic, we basically have a "chain authentication": we grant access if we have access on another site.

2. Removal: HTTP Basic Authentication for Client Credentials (Eran Hammer-Lahav)
--------------------------------------------------------------------------------

If I have understood the flow correctly, I basically agree that the flow is not really good, but I don't think all servers are forced to implement all the flows of OAuth2. (It could be marked as optional.)

HTTP Basic is really an easy way to "test how it works", so it is a good first step for people to understand "how an API works" without caring about how OAuth works.

We have this flow with our OAuth1 authentication, because we needed this flow to make things easier. What we do now is add to all requests

&applicationId=[custId]&applicationSecret=[custPassword]

That allows authenticating the application and the user at the same time. It's not for the end user, but really for the people who integrate our API, to make their life easier.
---------------
With my regards,
Best regards,
Gabriel Klein (Poken.com)

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
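The Facebook-to-platform token exchange described in section 1 of the message above, as an added example that is not part of the original e-mail or of Poken's code. The provider client is injected so the module runs offline: `FakeFacebook` is a constructed stand-in whose responses mirror the shape of the `data` object Facebook returns from `/debug_token` (`is_valid`, `app_id`, `user_id`), and `OUR_FB_APP_ID`, `PLATFORM_SIGNING_KEY`, the token strings and the user ids are all assumptions. Beyond the three steps in the message, it includes the check a practitioner would want in a "chain authentication": the provider token must have been issued to our own application. A bare access token is proof that the bearer can call the provider's API on some user's behalf, not proof of who is calling us, so a valid token a user obtained for any other Facebook app must not log them into our platform.

```python
"""Chain authentication: exchange a Facebook access_token for a platform token.

Constructed example. FakeFacebook stands in for GET /debug_token so the
module runs offline; its tokens, app ids and user ids are made up.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

OUR_FB_APP_ID = "111111111111"  # assumed: the app id Facebook issued to our platform
PLATFORM_SIGNING_KEY = b"constructed-demo-key-not-for-production"  # assumed
TOKEN_LIFETIME = 3600  # seconds a platform token stays valid


@dataclass
class PlatformToken:
    user_id: str
    expires_at: int
    value: str


class TokenExchangeError(Exception):
    """Raised when the provider token cannot be turned into a platform token."""


class FakeFacebook:
    """Stand-in for Facebook's /debug_token endpoint (constructed data)."""

    def __init__(self) -> None:
        self._tokens: Dict[str, Dict] = {
            # valid token issued to OUR app
            "fb-good": {"is_valid": True, "app_id": OUR_FB_APP_ID, "user_id": "fb-user-42"},
            # valid token, same user, but issued to a DIFFERENT app
            "fb-other-app": {"is_valid": True, "app_id": "222222222222", "user_id": "fb-user-42"},
            # token the provider no longer accepts
            "fb-expired": {"is_valid": False, "app_id": OUR_FB_APP_ID, "user_id": "fb-user-42"},
        }

    def debug_token(self, token: str) -> Dict:
        return {"data": self._tokens.get(token, {"is_valid": False})}


def exchange_facebook_token(fb_token: str, provider, now: Optional[int] = None) -> PlatformToken:
    """Verify a provider token with the provider, then mint our own token."""
    now = int(time.time()) if now is None else now
    info = provider.debug_token(fb_token).get("data", {})
    if not info.get("is_valid"):
        raise TokenExchangeError("provider reports the token invalid or expired")
    # Token substitution defense: a token valid for some other app proves
    # nothing about who is calling us, so the audience must be our app.
    if info.get("app_id") != OUR_FB_APP_ID:
        raise TokenExchangeError("token was not issued to our application")
    user_id = info.get("user_id")
    if not user_id:
        raise TokenExchangeError("provider did not identify a user")
    # Namespace the provider's user id so it cannot collide with local accounts.
    return _mint(f"fb:{user_id}", now + TOKEN_LIFETIME)


def exchange_error(fb_token: str, provider, now: Optional[int] = None) -> Optional[str]:
    """Return the rejection reason for a token, or None if it is accepted."""
    try:
        exchange_facebook_token(fb_token, provider, now)
    except TokenExchangeError as exc:
        return str(exc)
    return None


def _mint(user_id: str, expires_at: int) -> PlatformToken:
    """HMAC-signed bearer token: user_id|expires_at|nonce|signature."""
    body = f"{user_id}|{expires_at}|{secrets.token_hex(8)}"
    sig = hmac.new(PLATFORM_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return PlatformToken(user_id=user_id, expires_at=expires_at, value=f"{body}|{sig}")


def verify_platform_token(value: str, now: Optional[int] = None) -> Optional[str]:
    """Return the user_id carried by a platform token, or None if it is not valid."""
    now = int(time.time()) if now is None else now
    try:
        user_id, exp, nonce, sig = value.split("|")
        expires_at = int(exp)
    except ValueError:
        return None
    body = f"{user_id}|{exp}|{nonce}"
    expected = hmac.new(PLATFORM_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    if expires_at <= now:
        return None
    return user_id


if __name__ == "__main__":
    fb = FakeFacebook()
    for token in ("fb-good", "fb-other-app", "fb-expired", "fb-unknown"):
        print(token, "->", exchange_error(token, fb) or "platform token issued")
    issued = exchange_facebook_token("fb-good", fb)
    print("verified as", verify_platform_token(issued.value))
```

The `app_id` comparison is the line that separates "this user has a Facebook token" from "this user has a Facebook token for us"; without it, a malicious third-party Facebook app could take the tokens its own users granted it and replay them against our exchange endpoint to log in as those users.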