[Mailman-Developers] Regarding Authentication of REST API

Manish Gill mgill25 at outlook.com
Wed Apr 17 11:15:23 CEST 2013


On 04/17/2013 02:43 AM, Florian Fuchs wrote:
> Hi Manish, hi everyone,
>
> 2013/4/10 Manish Gill <mgill25 at outlook.com>:
>> For the GSoC REST API project, I've been wondering about how
>> authentication would work.
>>
>> OAuth is a way to go if we want authenticated/signed requests. I have a
>> few questions regarding that.
>>
>> - Will Mailman core become an OAuth provider, with Postorius/API being
>> the consumers?
> Probably not the core itself, but possibly another yet-to-be-written
> application that Postorius, Hyperkitty and other clients could use. We
> had a long discussion on this list whether to build a central
> application to store user data that can be accessed by the different
> Mailman-related applications. While we haven't decided yet whether or
> how to proceed, this would possibly be the right context for that.
That makes sense.
>
>> - If the answer to the above is no, is the plan to support popular OAuth
>> providers like Facebook/Twitter?
> Like we discussed on IRC earlier, it would be nice if a site running
> Mailman could act as an oAuth provider. Especially since the thought
> of a FLOSS mailing list manager requiring an account with a commercial
> oAuth service provider to use its API might seem a little odd. But
> implementing both the provider as well as the client is probably way
> beyond the scope of this GSoC project. Especially since authentication
> is only one aspect of it.
Indeed! This could be made easy if we don't have to take care of the
provider implementation ourselves, like we discussed.
If a third party library exists that could be used to provide this
functionality, it would make things much easier. :)
>> (If not, can you guys please explain how the authentication
>> protocol would really work?)
>>
>> - Since Postorius is already using Mozilla Persona, can that also be
>> used to provide authentication to API clients?
> Probably not Persona, which is meant to be used in the context of a browser.
>
> But are we sure oAuth is our only option in an API context? Are there
> other opinions?
Hmm. I don't know much about it. I looked at Tastypie, and it provides
HTTP Basic Auth [1].
Much simpler, but probably much less secure as well.

[1] http://django-tastypie.readthedocs.org/en/latest/authentication.html
> BTW, the oauthlib documentation has a nice overview over the different
> oAuth workflows [1].
>
>
> Florian
>
> [1] https://oauthlib.readthedocs.org/en/latest/oauth_1_versus_oauth_2.html
>
>
Cool! :)

-- 
- 
Manish Gill
Naeblis on Freenode
@mgill25 on Twitter/Github 
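The HTTP Basic Auth option raised above (Tastypie's built-in scheme) is simpler than OAuth mainly because the client just sends `user:password` base64-encoded on every request, which is also why it is weaker: there is no token scoping or revocation, and anyone who can read the traffic gets the password itself. The following is an added example, not code from this thread, from Tastypie or from Mailman, showing the minimum a REST API should do if it accepts Basic Auth: parse the header strictly, store only salted PBKDF2 hashes, compare in constant time, hash even for unknown users so response timing does not leak which accounts exist, and refuse the scheme over plain HTTP. The `CREDENTIALS` store, the user `apiuser` and its password are constructed sample data; `authenticate` takes a WSGI-style `environ` dict as an assumed interface.

```python
import base64
import binascii
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor; tune for the deployment


def make_record(password, salt=None):
    """Return (salt, derived_key) for a password; only this is ever stored."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, key


# Constructed sample credential store: username -> (salt, pbkdf2 hash).
CREDENTIALS = {
    "apiuser": make_record("correct horse battery staple"),
}

# Record used for unknown users so a lookup miss costs the same as a hit.
DUMMY_RECORD = make_record("")


def basic_header(user, password):
    """Build the 'Authorization' header value a Basic Auth client would send."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth(header_value):
    """Parse 'Basic <base64>' into (user, password); None for anything malformed."""
    if not header_value:
        return None
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id cannot contain ':'; the rest is the password.
    if ":" not in decoded:
        return None
    user, password = decoded.split(":", 1)
    return user, password


def verify_credentials(user, password):
    """True only if the user exists and the password matches its stored hash.

    The hash is computed even for unknown users, and compared in constant
    time, so timing does not reveal which account names exist.
    """
    salt, expected = CREDENTIALS.get(user, DUMMY_RECORD)
    _, candidate = make_record(password, salt)
    matches = hmac.compare_digest(candidate, expected)
    return matches and user in CREDENTIALS


def authenticate(environ):
    """Return the authenticated user name for a WSGI-style request, else None.

    Basic Auth ships the password on every request, so it is only accepted
    over TLS; a plain-HTTP request is rejected before the header is parsed.
    """
    if environ.get("wsgi.url_scheme") != "https":
        return None
    parsed = parse_basic_auth(environ.get("HTTP_AUTHORIZATION"))
    if parsed is None:
        return None
    user, password = parsed
    return user if verify_credentials(user, password) else None


if __name__ == "__main__":
    request = {
        "wsgi.url_scheme": "https",
        "HTTP_AUTHORIZATION": basic_header("apiuser", "correct horse battery staple"),
    }
    print("authenticated as:", authenticate(request))
```

Even with these checks, Basic Auth gives a client full account access with no way to limit or revoke a single integration short of changing the password, which is the gap OAuth-style tokens are meant to close.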