Removing the OAuth 1.0 Support in /direct


Charles Severance

May 5, 2026, 11:31:35 AM (6 days ago) May 5
to dev sakai
Hi all,

*********
I am proposing to remove the ability to use OAuth 1.0 in /direct support in Sakai for 26. 
**********

This was added mostly when folks were actively building mobile apps or portal-to-portal integration in the 2015 era. The other possible use is for external tools or back-end scripts. I am pretty sure that the more commonly used way to access /direct is to get a session token (as user) and use that for admin and back-end scripts. That traditional way to access direct is not going away.

But I could be wrong - hence this big and loud message.

Please take a look at this JIRA:


I will build a new way to access /direct server to server using LTI OAuth2 tokens as a replacement for OAuth 1/direct 26.

Ultimately if no one is using this it is kind of a large unnecessary security exposure.

If someone *is* using it - we can come up with a more controlled removal over a longer time period.

**** If you are using direct + OAuth 1.0 - make sure to note it in the above JIRA *****

/Chuck
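For readers who have not scripted against /direct, here is what the session-token path the message above describes (log in as a user, then reuse the session for back-end calls) looks like in practice. This is an added example, not Sakai code and not from the proposal's author. It assumes the behaviour of Sakai's EntityBroker session provider: a form POST to /direct/session with `_username` and `_password` answers 201, sets a JSESSIONID cookie and returns the session id in an `EntityId` response header, and later /direct requests carry that cookie. The mock server in the block is constructed so the script runs offline; point `direct_login`/`direct_get_json` at a real instance to use them for real.

```python
"""Session-token access to Sakai's /direct API, shown against a constructed
mock server. Added example, not Sakai project code. The endpoint behaviour
modelled here (POST /direct/session, EntityId header, JSESSIONID cookie) is
an assumption about Sakai's EntityBroker session provider."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import parse, request
from urllib.error import HTTPError

# Constructed credentials and session id for the mock only. A real script
# should read credentials from the environment or a secrets store.
MOCK_USERS = {"admin": "admin"}
MOCK_SESSION = "b4a1c9e2-mock-session-id"


class MockDirectHandler(BaseHTTPRequestHandler):
    """Stand-in for the two /direct endpoints the client below touches."""

    def log_message(self, *args):  # keep the mock quiet
        pass

    def _cookie_session(self):
        for part in self.headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "JSESSIONID":
                return value
        return None

    def do_POST(self):
        if self.path != "/direct/session":
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", 0))
        form = parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("_username", [""])[0]
        if MOCK_USERS.get(user) != form.get("_password", [""])[0]:
            self.send_error(403, "Invalid login")
            return
        self.send_response(201)
        self.send_header("EntityId", MOCK_SESSION)
        self.send_header("Set-Cookie", f"JSESSIONID={MOCK_SESSION}; Path=/; HttpOnly")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        # Every other /direct call is gated on the session cookie.
        if self._cookie_session() != MOCK_SESSION:
            self.send_error(403, "Not logged in")
            return
        if self.path != "/direct/user/current.json":
            self.send_error(404)
            return
        body = json.dumps({"eid": "admin", "id": "admin"}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def direct_login(base_url, username, password):
    """Log in via POST /direct/session and return the session id."""
    data = parse.urlencode({"_username": username, "_password": password}).encode()
    req = request.Request(f"{base_url}/direct/session", data=data, method="POST")
    with request.urlopen(req) as resp:
        session_id = resp.headers.get("EntityId")
    if not session_id:
        raise RuntimeError("login answered without an EntityId header")
    return session_id


def direct_get_json(base_url, session_id, path):
    """GET a /direct JSON resource, presenting the session as JSESSIONID."""
    req = request.Request(f"{base_url}{path}",
                          headers={"Cookie": f"JSESSIONID={session_id}"})
    with request.urlopen(req) as resp:
        return json.load(resp)


def start_mock_server():
    server = HTTPServer(("127.0.0.1", 0), MockDirectHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def demo():
    """Log in, fetch the current user, and confirm a bad password is refused."""
    server, base = start_mock_server()
    try:
        sid = direct_login(base, "admin", "admin")
        me = direct_get_json(base, sid, "/direct/user/current.json")
        try:
            direct_login(base, "admin", "wrong")
            rejected = False
        except HTTPError as err:
            rejected = err.code == 403
        return {"session": sid, "eid": me["eid"], "bad_login_rejected": rejected}
    finally:
        server.shutdown()


if __name__ == "__main__":
    print(demo())
```

The point for the proposal: a back-end script needs nothing more than this (a user login and a cookie), so dropping the OAuth 1.0 consumer-key path removes a second, rarely exercised authentication surface without taking away the access that scripts actually rely on.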

Adrian Fish

May 6, 2026, 2:57:43 PM (5 days ago) May 6
to Charles Severance, dev sakai
+1 from me. OAuth 1 without 2 makes us look like amateurs anyway, imo. Just remove it unless someone’s actively using it. We need to add proper OAuth2 support for direct and the webapi endpoints.

To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/sakai-dev/AE872C4F-80C5-43ED-9154-BC01DF1C1B39%40umich.edu.