On 10/21/2013 08:45 PM, Chris Steipp wrote:
> Hi all,
> I wanted to get some input from you all about any ideas or plans you have for identifying OAuth users in your applications. tl;dr: since lots of people want to do authentication with OAuth, I'm thinking we'll implement a custom way to get identity information from the wiki in the near term, and then probably try to implement the OpenID Connect extension to OAuth 2 sometime next year.
+1. I especially like the part about being able to verify signed assertions and identity without hitting the DB, which is very useful for high-volume APIs.
> Does this seem like a reasonable tradeoff? Assuming we go in this direction, what attributes about the wiki user account should be provided? I was planning on username, whether the account is autoconfirmed, maybe number of edits, and the list of groups to which the user belongs. Anything else?
It would be great if the JWT could carry the same authorization info as is retrieved from the DB in OAuth 1. I'm especially interested in knowing whether a user can read, edit, etc. a given wiki page, whether it is a bot account, etc. We could perhaps derive this information from a list of groups by exposing the per-group rights through an internal JSON API and then expanding groups to rights in an API endpoint using that information.
Gabriel