On Thu, May 27, 2010 at 6:13 PM, Robb Shecter <robb(a)weblaws.org> wrote:
Here's the last post I could find on the subject:
For my part, I'm firmly against joining the "provider but not
consumer" camp. It's of no benefit to anyone . . .
Not totally sure who wrote that. It may have been a while ago though.
Some context would be good.
I just thought of a great benefit, however. Consider
scenario: I want to write a MediaWiki API client for editors;
something like the Wordpress Dashboard. Really give editors a modern
web experience. I'd want to do this as a Rails app: I could build it
quickly and find lots of collaborators via GitHub.
But there's one problem: people would need to log in to Wikipedia
*through my app*. They'd have to enter their username and password to
my app, which would turn around and authenticate via the MediaWiki API.
Policy-wise, this isn't a good thing; that is, giving people the
message that it's ok to type in your credentials to something other
than Wikipedia sites.
And I believe that this is why no such app exists. And further, why
the only similar apps that have been made were fat clients, and e.g.
Windows only. Because then, the credentials stay on the user's
This really calls for OAuth support.
As a warning, it is very likely your application will be blocked if
you store user credentials in your third party app. OAuth support was
originally brought up about a year ago because of a third party app
that did this.
But imagine: If Wikipedia was an OpenID Provider, or
then my Rails app would be the OpenID Consumer. It'd send people to
Wikipedia to log in, and they'd bounce back and begin using the Rails
app. My app would never see any private information.
I believe this would encourage a new wave of 3rd party app
development; everything from big ambitious projects (like my editor
dashboard) to small focussed apps (say, a simple web app just for
editing one's talk page).
OAuth and OpenID as both a provider and a consumer were discussed at
the Berlin developer's workshop, and everyone seemed to agree that all
three were a good idea. OAuth and OpenID can and should be worked
separately. I was planning on working on all three. I don't have time
to tackle this right now. If you want to submit patches for OAuth, I'm
sure you'll get some good feedback, and will get inclusion if done
properly. You may want to do an RFC beforehand.
Consumer support for OpenID is likely going to be more difficult, and
will happen much later than OAuth or OpenID as a provider. Neither
OAuth nor OpenID are likely to get dedicated developer time in the