versionone and oauth - why is it so bad?


Nic Ferrier

Mar 8, 2014, 9:18:27 AM
to version...@googlegroups.com
No response to my JS thread so I tried v1 with the python API. OMG. How bad is it?


Oauth is an authorization protocol. It provides a web intercept flow to allow users to authorize applications.

But not content with that, VersionOne insists on you pre-authorizing an oauth app by registering it for every member who might use it.

What's the point in that? You've just reduced the very scalable oauth flow to a totally unscalable "give everyone a list of instructions" flow. Useless.



Another problem, the authorization token lasts 600 seconds. 10 minutes. Not 600 seconds of inactivity but just 600 seconds.

So if you want something longer than 600 seconds you're going to have to re-auth many times. Why?

As a developer I should be able to seek authorization from the user for a period of time.



Another problem, all the APIs are very Google oauth specific. It's as if versionone believes this is a Google protocol. It isn't.

There are many more idiomatic implementations of oauth than the Google ones for Java and Python at least.

But the examples, and indeed the whole implementation, seem stuck around the Google one. Why is this? It should be changed.

If I'm already using an oauth stack in my app why would I develop to another, more exotic, oauth stack from Google?



Hopefully someone from versionone could come here and explain these things. I doubt it though based on the community activity elsewhere around this tool.



Nic Ferrier
Chief Architect
BwinParty
