Please support a way for the API to be more strict about authentication failure


Daniel Jalkut

Aug 21, 2012, 4:40:24 PM8/21/12
to tumbl...@googlegroups.com
A number of the problems I've run into over the past few weeks have been based in an illusion of authentication because the 2.0 API is so forthcoming with results even when authentication has in fact failed.

I would like, for example, to be assured that if I offer a stale/revoked access token, I will get some kind of error instead of the API just quietly returning a subset of post types (public posts).

I would love it if one of the following changes were made to the API:

1. If any OAuth credentials are offered to the API, strictly reject the request as not authorized if the credentials are not good. This would leave the API functioning in its "offer as much as we can" behavior for clients who are not providing OAuth credentials, but for those of us who are offering credentials, the bad request would yield a response that would be interpreted to prompt the user for new credentials.

2. Support a request parameter along the lines of "requireFullAuthentication=1" and strictly fail if a client hasn't provided full authentication details.

What do you think? Something to both eliminate the "false success" and provide a reliable means of prompting users for full authentication when a token has expired will be welcome.

(NOTE: I realize I could make some OAuth-only request like /user/info to "test" the validity of my OAuth tokens, but I don't want to have to constantly pre-flight the tokens just to make sure there isn't a need to refresh the authentication.)

Daniel
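The two fail-closed behaviours proposed above, sketched as server-side access logic. This is an added example, not Tumblr's code or Daniel's; the token store, post types and the 401/200 responses are constructed assumptions, and `lenient_access` models the "false success" the post describes for contrast.

```python
from typing import Optional

# Constructed sample data (not Tumblr's real post types or tokens).
PUBLIC_POST_TYPES = frozenset({"text", "photo", "quote", "link"})
ALL_POST_TYPES = PUBLIC_POST_TYPES | {"private", "draft"}
VALID_TOKENS = {"tok-alice-1": "alice"}   # token -> account
REVOKED_TOKENS = {"tok-alice-0"}          # a stale token a client may still hold


class AuthError(Exception):
    """The request must be rejected as not authorized (no public fallback)."""


def resolve_access(oauth_token: Optional[str], require_full_auth: bool) -> frozenset:
    """Return the post types the caller may see, or raise AuthError.

    Implements both proposals from the post:
      1. credentials offered but bad -> reject, never degrade to public posts
      2. requireFullAuthentication=1 without valid credentials -> reject
    With no credentials and no flag, the API keeps its "offer as much as
    we can" behaviour and returns public post types only.
    """
    if oauth_token is None:
        if require_full_auth:
            raise AuthError("requireFullAuthentication=1 but no credentials offered")
        return PUBLIC_POST_TYPES
    if oauth_token not in VALID_TOKENS:
        reason = "revoked" if oauth_token in REVOKED_TOKENS else "unknown"
        raise AuthError(f"OAuth token {reason}; client should re-authenticate")
    return ALL_POST_TYPES


def lenient_access(oauth_token: Optional[str]) -> frozenset:
    """The 'false success' behaviour the post complains about, for contrast:
    a stale token silently yields the same result as no token at all."""
    return ALL_POST_TYPES if oauth_token in VALID_TOKENS else PUBLIC_POST_TYPES


def handle_request(params: dict, oauth_token: Optional[str]) -> tuple:
    """Turn the access decision into an HTTP-style (status, body) pair."""
    require_full_auth = params.get("requireFullAuthentication") == "1"
    try:
        types = resolve_access(oauth_token, require_full_auth)
    except AuthError as exc:
        return 401, {"error": str(exc)}
    return 200, {"post_types": sorted(types)}
```

A client can then treat any 401 as the signal to re-run the OAuth flow, instead of pre-flighting the token against /user/info on every call.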
