On 10/21/2013 08:45 PM, Chris Steipp wrote:
> Hi all,
> I wanted to get some input from you all about any ideas or plans you have
> for identifying OAuth users in your applications.
> tl;dr, Since lots of people want to do authentication with OAuth, I'm
> thinking we'll implement a custom way to get identity information from the
> wiki in the near term, and then probably try to implement the OpenID
> Connect extension to OAuth 2 sometime next year.
+1. I especially like the part about being able to verify signed
assertions and identity without hitting the DB, which is very useful for
high-volume APIs.
> Does this seem like a reasonable tradeoff? Assuming we do this direction,
> what attributes about the wiki user account should be provided? I was
> planning on username, if the account is autoconfirmed, maybe number of
> edits, and the list of groups to which the user belongs. Anything else?
It would be great if the JWT could carry the same authorization info as
is retrieved from the DB in OAuth 1. I'm especially interested in
knowing whether a user can read, edit, etc. a given wiki page, whether it
is a bot account, etc. We could perhaps derive this information from a
list of groups by exposing the per-group rights through an internal JSON
API and then expanding groups to rights in an API endpoint using that
information.
Gabriel
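As an added illustration (not code from this thread or from MediaWiki), the following self-contained Python sketch shows the signed-assertion flow the two messages above discuss: the wiki mints an HS256 JWT carrying username, autoconfirmed status, edit count and groups, a consumer verifies it using only the shared key and no database access, and the groups claim is expanded into rights. The group-to-rights table is constructed with hypothetical values and stands in for the per-group rights data Gabriel proposes exposing; the shared secret is a placeholder.

```python
import base64, hashlib, hmac, json

# Constructed group -> rights table standing in for the wiki's per-group
# rights configuration (hypothetical values, not MediaWiki's real defaults).
GROUP_RIGHTS = {
    "*": {"read"},
    "user": {"read", "edit"},
    "autoconfirmed": {"move"},
    "bot": {"bot"},
    "sysop": {"delete", "protect"},
}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_assertion(key, username, groups, autoconfirmed, editcount, now, ttl=300):
    """Mint an HS256 JWT carrying the wiki account attributes from the thread."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": username, "groups": sorted(groups), "autoconfirmed": autoconfirmed,
              "editcount": editcount, "iat": now, "exp": now + ttl}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_assertion(key, token, now):
    """Check alg, signature and expiry with no database lookup; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":  # no 'none', no alg swap
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims

def rights_for(claims):
    """Expand the groups claim into rights; a logged-in account is implicitly in '*' and 'user'."""
    groups = {"*", "user", *claims.get("groups", [])}
    if claims.get("autoconfirmed"):
        groups.add("autoconfirmed")
    return set().union(*(GROUP_RIGHTS.get(g, set()) for g in groups))
```

Because the consumer only needs the shared key and the group table, the per-request check never touches the wiki's database, which is the property the thread wants for high-volume APIs.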