OAuth is complicated for end-users, and simple API keys would be easier. A few features to think about:
- security - built in to OAuth, not needed if traffic is on HTTPS
- separate keys per app - a "simple" key approach should still allow multiple keys per account. Let users give them names, create more keys, and revoke keys.
Are there any other features that OAuth does provide?
Note that the user story driving this ticket is: "As a project admin, I need an easy, scriptable way to create new project releases." We already have a RESTful API wrapped around updating a file's metadata, but you need to be authenticated to use it.
To be clear, I don't want to replace OAuth support in Allura. I'd just like a token in addition to OAuth.
OAuth seems to work great when you have two websites talking back and forth and they can obscure the complexities of the exchange from the end user. On the other hand, when the end user (i.e., project admin) has to interact with Allura's API, a simple key or token would be much easier.
I don't think we need separate keys per app if we implement a token alongside OAuth. More complicated use cases (i.e., apps) can use OAuth.
Originally by: scoop
I'm implementing bearer tokens in [#6692]
Related Tickets: #6692