[openspending-dev] api key

Tryggvi Björgvinsson tryggvi.bjorgvinsson at okfn.org
Thu Aug 22 08:06:25 UTC 2013

On Tue 20 Aug 2013 07:49, fukami wrote:
> I basically share the concerns of Eran Hammer, especially about OAuth2.0,
> see http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/

Oh yeah, this one was horrible and I think this makes implementing OAuth
2.0 a much more difficult task, especially from the ground up. That's
why I would try to find the most commonly used module (if there is any)
and use that one.

If that wouldn't work I'd go for the old version 1.0 which is still
fine, just not as "easy" -- maybe we should just go for 1.0 to protest,
although I seem to recall reading about various different authentication
approaches popping up after Eran wrote this article, maybe it's worth
digging around to find other solutions.

> From my point of view OpenID seems to be more robust. It's also better
> understood by devs and users (although it has also problems, i.e. it's
> more susceptible to stuff like phishing).

I think since OpenID still relies on passwords it wouldn't be suitable,
at least not for an API interface. It might actually be worth looking
into supporting OpenID as a login mechanism for OpenSpending.

I've also been looking at Mozilla Persona (formerly known as BrowserID).
I think that would be pretty cool and easy to support, and a quick way
for new users to start using and uploading datasets.

> As always it's much easier to criticize than to implement and I'm way 
> better in breaking than making things ^^

:D - but that's still good. You're raising some good points and we need
to hear criticism.

> But I can help with a review if you like.

Since OpenSpending is an open source project we still go by the rule of
thumb that the implementor gets to choose how a problem is solved. Those
solutions can't be rejected unless they are insecure, introduce bugs,
break tests etc., and the implementor then has a chance to fix that
thanks to constructive criticism.

Alberto's proposed solution is still better than what we have today so I
think we would all be grateful if we can at least get that one working.
Then Alberto just shouldn't be surprised if at some point it gets
replaced by another solution (be it OAuth or anything else which we all
deem to be a better approach).

The good thing about discussing this on the list is that it gives those
who might be interested in developing it now a chance to do it to save
Alberto the work. So if there's anyone who's interested in implementing
authentication in OpenSpending which they feel is more secure than the
proposed solution of Alberto then please let us know, we now even have a
reviewer -- fukami I'm accepting your offer on behalf of all of us ;-)

If not then we go with Alberto's solution. Fukami, would you still be
interested in reviewing Alberto's solution?


Tryggvi Björgvinsson

Technical Lead, OpenSpending

The Open Knowledge Foundation <http://okfn.org>

/Empowering through Open Knowledge/

http://okfn.org/ | @okfn <http://twitter.com/OKFN> | OKF on Facebook
<https://facebook.com/OKFNetwork> | Blog <http://blog.okfn.org/> |
Newsletter <http://okfn.org/about/newsletter>
