Req info on OAuth for Tasque (live.gnome.org/Tasque)


Johnny

Oct 11, 2008, 12:34:19 PM
to Hiveminder API Hackers
Hey guyz,

Currently working on a Hiveminder backend for Tasque
(http://live.gnome.org/Tasque). So far I have a read-only view.

I would like to use OAuth for authentication for the obvious reasons.
I would like to get a 'Consumer Key' and 'Consumer Secret' for the
service.

Some concerns are: since Tasque is an open-source project, the 'Consumer
Key' and 'Consumer Secret' will be in the public repo. Will that be an
issue?

TIA !

Johnny

Sartak

Oct 11, 2008, 9:30:59 PM
to hivemin...@googlegroups.com
On Sat, Oct 11, 2008 at 12:34 PM, Johnny <johnn...@gmail.com> wrote:
>
> Hey guyz,

Hi Johnny,

> Currently working on a Hiveminder backend for Tasque
> (http://live.gnome.org/Tasque). So far I have a read-only view.

Cool!

> I would like to use OAuth for authentication for the obvious reasons.
> I would like to get a 'Consumer Key' and 'Consumer Secret' for the
> service.
>
> Some concerns are: since Tasque is an open-source project, the 'Consumer
> Key' and 'Consumer Secret' will be in the public repo. Will that be an
> issue?

I'm not sure OAuth is the best fit here. Its focus is on centralized
services interoperating, rather than providing authorization for
secondary clients that the user controls anyway.

Anyone with the Tasque key and secret would be able to act on behalf
of any other user who has authorized Tasque. To fix this we'd have to
have a key and secret for every Tasque user... which is pretty much the
same as username and password. So it doesn't win us anything to use
OAuth like this; it's just more tedious (since OAuth consumer
credentials must be added manually by us). So I think it would work
better if you instead just ask the user for email and password.

Feel free to crib code from Net::Jifty and Net::Hiveminder for acting
through our API ( http://hiveminder.com/api ), and of course please
ask questions if you have trouble.

> TIA !
>
> Johnny

Shawn
for Hiveminder

Pedro Melo

Oct 12, 2008, 3:53:04 AM
to hivemin...@googlegroups.com

On Oct 12, 2008, at 2:30 AM, Sartak wrote:

>
> On Sat, Oct 11, 2008 at 12:34 PM, Johnny <johnn...@gmail.com>
> wrote:
>> I would like to use OAuth for authentication for the obvious reasons.
>> I would like to get a 'Consumer Key' and 'Consumer Secret' for the
>> service.
>>
>> Some concerns are: since Tasque is an open-source project, the 'Consumer
>> Key' and 'Consumer Secret' will be in the public repo. Will that be an
>> issue?
>
> I'm not sure OAuth is the best fit here. Its focus is on centralized
> services interoperating, rather than providing authorization for
> secondary clients that the user controls anyway.

No, OAuth is the perfect fit here. It was designed exactly for this
purpose.

> Anyone with the Tasque key and secret would be able to act on behalf
> of any other user who has authorized Tasque.

No. The Tasque key identifies the application. Each user must go
through the OAuth authorization process. From that, Tasque gets a
user authorization token.


> To fix this we'd have to
> have a key and secret for every Tasque user..

That's what OAuth gives you in the end.

> which is pretty much the
> same as username and password.

Almost true. I can revoke OAuth tokens without changing my password.

> So it doesn't win us anything to use
> OAuth like this, it's just more tedious (since OAuth consumer
> credentials must be added manually by us).

You would need to provide a mechanism to create API keys for
applications, and the OAuth web-based authorization process.


> So I think it would work
> better if you instead just ask the user for email and password.

Please don't. Really.

Giving away my username and password is the wrong way to go about it.

If you don't want to use OAuth, at least create inside Hiveminder an
API key that I can give away to applications. For example, in Movable
Type you have your own login and password for the web interface, but
you have a different token/password for the XML-RPC interface, the
one used by external applications.

Even if the token is the SHA1 of a timestamp and the original
password, it would be enough. You just need to store the timestamp in
the Hiveminder database.

Best regards,
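
Pedro's point above (the consumer key identifies the application; each user's authorization yields a separate, revocable token), as an added example that is not part of this thread or of Hiveminder's or Tasque's code: an OAuth 1.0 HMAC-SHA1 signer (RFC 5849) beside a minimal server-side token store. All credentials, the user name and the request parameters are constructed for the demo; only the API URL comes from the thread.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote

# Constructed sample consumer pair: this is what would sit in Tasque's public repo.
CONSUMER_KEY, CONSUMER_SECRET = "tasque", "consumer-secret-in-public-repo"

def _enc(s):
    return quote(s, safe="-._~")  # RFC 5849 section 3.6 percent-encoding

def signature(method, url, params, consumer_secret, token_secret):
    # HMAC-SHA1 per RFC 5849 section 3.4; the signing key joins BOTH secrets
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items())
    base = "&".join([method.upper(), _enc(url),
                     _enc("&".join(f"{k}={v}" for k, v in pairs))])
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

class TokenStore:  # server side: one access token per (user, application) grant
    def __init__(self):
        self.tokens = {}  # oauth_token -> [user, token_secret, revoked]
    def authorize(self, user):
        token, token_secret = secrets.token_hex(8), secrets.token_hex(16)
        self.tokens[token] = [user, token_secret, False]
        return token, token_secret
    def revoke(self, token):
        self.tokens[token][2] = True  # the user's password is untouched
    def verify(self, method, url, params, sig):
        entry = self.tokens.get(params.get("oauth_token"))
        if entry is None or entry[2]:
            return None  # unknown or revoked token
        user, token_secret, _ = entry
        expected = signature(method, url, params, CONSUMER_SECRET, token_secret)
        return user if hmac.compare_digest(expected, sig) else None

def demo():
    store = TokenStore()
    token, token_secret = store.authorize("pedro")
    url = "https://hiveminder.com/api"
    params = {"oauth_consumer_key": CONSUMER_KEY, "oauth_token": token,
              "oauth_signature_method": "HMAC-SHA1", "oauth_nonce": "n1",
              "oauth_timestamp": "1223761200", "action": "ListTasks"}
    good = signature("POST", url, params, CONSUMER_SECRET, token_secret)
    leaked_only = signature("POST", url, params, CONSUMER_SECRET, "")  # no token secret
    out = {"user": store.verify("POST", url, params, good),
           "consumer_secret_only": store.verify("POST", url, params, leaked_only)}
    store.revoke(token)  # user revokes Tasque's grant; password unchanged
    out["after_revoke"] = store.verify("POST", url, params, good)
    return out
```

The published consumer secret alone never verifies, because the per-user token secret is also part of the signing key, and revoking the token closes Tasque's access without a password change.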

Sartak

Oct 12, 2008, 4:12:44 AM
to hivemin...@googlegroups.com
On Sun, Oct 12, 2008 at 3:53 AM, Pedro Melo <mel...@gmail.com> wrote:
>> Anyone with the Tasque key and secret would be able to act on behalf
>> of any other user who has authorized Tasque.
>
> No. The Tasque key identifies the application. Each user must go
> through the OAuth authorization process. From that, Tasque gets a
> user authorization token.

Ah yes. It's been too long since I implemented our OAuth. I forgot
that the consumer does not have a way to see all of its access tokens.

> If you don't want to use OAuth [...]

No, we really do! :)

> Best regards,

Johnny, I'll be contacting you off-list so we can set up OAuth for Tasque!

Shawn

Johnny Jacob

Oct 12, 2008, 6:25:58 AM
to hivemin...@googlegroups.com

Awesome. By the way, I have a read-only view in Tasque already working. Screenshot: http://picasaweb.google.com/johnnyjacob/RandomBucket#5252079176366293970

Thanks a lot !

--

johnnyjacob.org