OAuth, from what I've read, is useful only when you have end users who
need to give a third party applications access to data behind an API
without having to give away their user-name and password to the third
party. The Social Actions API doesn't have that scenario. That is, the
third partly applications in our scenario are not consumer delegates,
but rather the consumers themselves.
Thoughts anyone?
My suggestion would be to use an old fashion API key and tie it to a
specific referrer (site/page hosting the application). Sort of the way
Google analytics does, for example. This would allow the Social Actions
API to capture meaningful statistics regarding API consuming
applications, and provide a good enough layer of protection/tracking to
allow us to add JSONP support. While this solution doesn't close the
security flaws of JSONP, it allows us to deny access to any offending
application once we become aware of it.
Thought on this too?
--
Jason Mott
Worker-Owner
Software Engineer
Ronin Tech Collective, Inc.
167 Main St. Suite 103
Brattleboro, VT 05301
888.200.5074 x369
http://www.ronincollective.com
Thanks for writing up this issue. Either way, I look forward to being
able to provide rich analytics on the impact of specific applications. I
recall discussing that OAuth would be helpful for providing one user
access to both the Social Actions API and the Social Entrepreneur API.
Would the old fashion API key functionality that you envision permit one
key to be used on two (or more) APIs?
All the best,
Peter
Peter Deitz
Social Actions
Founder / Executive Director
http://www.socialactions.com
USA: 415-425-7482 | Canada: 514-824-3270 | Skype: peterdeitz
http://twitter.com/peterdeitz
http://www.linkedin.com/in/peterdeitz
http://my.socialactions.com/profile/PeterDeitz
I can't think of other use cases for the single sign-on for other API
users. If the traditional API key approach has your vote, let's do that.
I'm hoping there are existing Ruby libraries / code that will assist us
in implementing this feature.
Yes, JSON and JSONP only. :-)
Another quick point --> We may want to auto insert a default and
temporary API key so that the existing apps don't get cut off the moment
this new feature goes live.