[Mailman-Developers] Regarding Authentication of REST API

Florian Fuchs flo.fuchs at gmail.com
Tue Apr 16 23:13:32 CEST 2013


Hi Manish, hi everyone,

2013/4/10 Manish Gill <mgill25 at outlook.com>:
> For the GSoC REST API project, I've been wondering about how
> authentication would work.
>
> OAuth is a way to go if we want authenticated/signed requests. I have a
> few questions regarding that.
>
> - Will Mailman core become an OAuth provider, with Postorius/API being
> the consumers?

Probably not the core itself, but possibly another yet-to-be-written
application that Postorius, Hyperkitty and other clients could use. We
had a long discussion on this list whether to build a central
application to store user data that can be accessed by the different
Mailman-related applications. While we haven't decided yet whether or
how to proceed, this would possibly be the right context for that.

> - If the answer to the above is no, is the plan to support popular OAuth
> providers like Facebook/Twitter?

Like we discussed on IRC earlier, it would be nice if a site running
Mailman could act as an OAuth provider. Especially since the thought
of a FLOSS mailing list manager requiring an account with a commercial
OAuth service provider to use its API might seem a little odd. But
implementing both the provider as well as the client is probably way
beyond the scope of this GSoC project. Especially since authentication
is only one aspect of it.

> (If not, can you guys please explain how would the authentication
> protocol really work?)
>
> - Since Postorius is already using Mozilla Persona, can that also be
> used to provide authentication to API clients?

Probably not Persona, which is meant to be used in the context of a browser.

But are we sure OAuth is our only option in an API context? Are there
other opinions?

> - Am I over-thinking this? :)

I don't think so. It's not exactly obvious.

BTW, the oauthlib documentation has a nice overview of the different
OAuth workflows [1].


Florian

[1] https://oauthlib.readthedocs.org/en/latest/oauth_1_versus_oauth_2.html
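As an added illustration of what the "authenticated/signed requests" discussed in this thread look like on the wire (this is example code written for this page, not Mailman, Postorius or oauthlib code): the client builds an OAuth 1.0 signature base string from the request and signs it with HMAC-SHA1, and the API server recomputes the same signature from its copy of the secrets, as specified in RFC 5849 section 3.4. The request, keys and secrets are the worked example from RFC 5849 section 3.4.1.1 (documentation values, not real credentials); the nonce cache and `verify()` function are my own additions showing the checks a server would need beyond the signature itself.

```python
"""Added example, not Mailman or Postorius code: an OAuth 1.0 (RFC 5849)
HMAC-SHA1 signed request, built by the client and checked by the server,
using only the Python standard library."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Worked example from RFC 5849 section 3.4.1.1 (documentation values).
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"                       # application/x-www-form-urlencoded
RFC_OAUTH = {
    "oauth_consumer_key": "9djdj82h48djs9d2",
    "oauth_token": "kkk9d7dh3k39sjv7",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131201",
    "oauth_nonce": "7d8f3e4a",
}
CONSUMER_SECRET = "j49sk3j29djd"
TOKEN_SECRET = "dh893hdasih9"


def _enc(s):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters are kept."""
    return quote(s, safe="-._~")


def signature_base_string(method, url, body, oauth_params):
    """Build the string both client and server sign (RFC 5849 section 3.4.1)."""
    parts = urlsplit(url)
    host = parts.hostname                      # already lower-cased by urlsplit
    default_port = {"http": 80, "https": 443}.get(parts.scheme.lower())
    if parts.port and parts.port != default_port:
        host = f"{host}:{parts.port}"          # non-default ports stay in the base URL
    base_url = f"{parts.scheme.lower()}://{host}{parts.path}"
    # Parameters come from the query string, the form-encoded body and the
    # oauth_* header fields; oauth_signature and realm are excluded (3.4.1.3.1).
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth_params.items()
              if k not in ("oauth_signature", "realm")]
    # Encode first, then sort by encoded name and value (3.4.1.3.2).
    encoded = sorted((_enc(k), _enc(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), _enc(base_url), _enc(normalized)])


def sign(method, url, body, oauth_params, consumer_secret, token_secret=""):
    """Client side: HMAC-SHA1 over the base string, keyed with both secrets (3.4.2)."""
    base = signature_base_string(method, url, body, oauth_params)
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    mac = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def verify(method, url, body, oauth_params, consumer_secret, token_secret,
           seen_nonces, now, window=300):
    """Server side: accept only a fresh, never-seen, correctly signed request.

    seen_nonces is a set shared across requests (hypothetical in-memory cache);
    now is the server's current Unix time. Timestamp and nonce checks run
    first so a replayed capture is rejected even though its signature is valid.
    """
    if oauth_params.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    try:
        ts = int(oauth_params["oauth_timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > window:                 # stale or future-dated request
        return False
    nonce_key = (oauth_params.get("oauth_consumer_key"), ts,
                 oauth_params.get("oauth_nonce"))
    if nonce_key in seen_nonces:               # replay of an earlier request
        return False
    expected = sign(method, url, body, oauth_params, consumer_secret, token_secret)
    presented = oauth_params.get("oauth_signature", "")
    if not hmac.compare_digest(expected, presented):   # constant-time compare
        return False
    seen_nonces.add(nonce_key)                 # remember only accepted nonces
    return True


def demo():
    """Sign the RFC example, then check it once, replay it, and try a wrong secret."""
    signed = dict(RFC_OAUTH, oauth_signature=sign(
        "POST", RFC_URL, RFC_BODY, RFC_OAUTH, CONSUMER_SECRET, TOKEN_SECRET))
    cache = set()
    now = int(RFC_OAUTH["oauth_timestamp"]) + 10
    return {
        "first": verify("POST", RFC_URL, RFC_BODY, signed, CONSUMER_SECRET, TOKEN_SECRET, cache, now),
        "replay": verify("POST", RFC_URL, RFC_BODY, signed, CONSUMER_SECRET, TOKEN_SECRET, cache, now),
        "wrong_secret": verify("POST", RFC_URL, RFC_BODY, signed, "not-the-secret", TOKEN_SECRET, set(), now),
        "stale": verify("POST", RFC_URL, RFC_BODY, signed, CONSUMER_SECRET, TOKEN_SECRET, set(), now + 3600),
    }


if __name__ == "__main__":
    print(signature_base_string("POST", RFC_URL, RFC_BODY, RFC_OAUTH))
    print(demo())
```

The base string printed by the first line matches the one listed in RFC 5849 section 3.4.1.1, which is the easiest way to check an implementation against the spec before worrying about the HMAC itself. The nonce is recorded only after the signature verifies, so an attacker who cannot sign requests also cannot fill the cache with nonces that a legitimate client might use later; a real server would also scope the cache per consumer key and expire entries older than the timestamp window.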

