Hi,
darix and I decided to also post the results of our weekly meetings to
this list. Here's a summary of this week's meeting.
The task for this week was to add support to the frontend so that desktop
clients like osc can add the oauth specific parameters to the http
"Authorization" header. The ruby library was already able to handle this
and therefore I only needed to do a very small change in our urllib2
OAuthHandler which is used by osc.
Using the Authorization header has one drawback:
- the current flow looks like the following: a client makes an unauthorized
API request, the API sends back a 401 to tell the client that it needs to
authenticate. Therefore the response also contains the following http
header: 'WWW-Authenticate: basic realm="Frontend login" '. This indicates
that the client should use basic auth to authenticate with the API. The
question is how we can tell the client that it could also use oauth? Sending
back something like 'WWW-Authenticate: basic, oauth realm="Frontend login" '
will probably break some clients. Fortunately darix had a great idea:
the client simply tells the server which auth methods it supports. This can
be done by adding a new http header like
'Accept-Authentication: OpenID; OAuth;q=0.8, digest;q=0.7, Basic;q=0.5'
to each request (q indicates which method is preferred, see other http headers
like 'Accept-Language' for the details). If the API needs authorization it
looks at this header and picks the "preferred" method from this list and sends
back 'WWW-Authenticate:
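Added example (my own sketch, not code from the OBS frontend or osc): the server-side selection darix proposed, written out in Python. It parses an Accept-Authentication header with Accept-Language style q-values and picks the client's most preferred method that the server supports. The header name, q-value semantics and the sample value come from the mail above; the canonical-name handling, the q=0 "not acceptable" rule and the fallback to basic auth when the header is missing are my assumptions.

```python
import re

# Sample header value as given in the mail above.
SAMPLE_HEADER = 'OpenID; OAuth;q=0.8, digest;q=0.7, Basic;q=0.5'


def parse_accept_authentication(value):
    """Return [(method, q), ...] in client order, dropping q=0 entries.

    Like Accept-Language: a missing q defaults to 1.0. Tokens containing
    '=' are parameters for the method that preceded them; anything else
    is a method name, so a bare ';' between two names (as in the sample)
    is tolerated like a comma.
    """
    methods = []
    for token in re.split(r'[,;]', value):
        token = token.strip()
        if not token:
            continue
        if '=' in token:
            key, _, raw = token.partition('=')
            if key.strip().lower() == 'q' and methods:
                try:
                    methods[-1][1] = float(raw)
                except ValueError:
                    methods[-1][1] = 0.0  # malformed weight: treat as unacceptable
            continue
        methods.append([token.lower(), 1.0])
    return [(m, q) for m, q in methods if q > 0]


def choose_auth_method(header_value, supported):
    """Pick the client's most preferred method the server offers, or None.

    `supported` lists the server's methods in canonical spelling; the
    sort is stable, so equal weights keep the client's own order.
    """
    canonical = {s.lower(): s for s in supported}
    ranked = sorted(parse_accept_authentication(header_value),
                    key=lambda mq: -mq[1])
    for method, _ in ranked:
        if method in canonical:
            return canonical[method]
    return None


def www_authenticate_header(header_value, supported, realm='Frontend login',
                            default='basic'):
    """Build the 401 challenge; clients without the header still get basic."""
    method = choose_auth_method(header_value or '', supported) or default
    return 'WWW-Authenticate: %s realm="%s"' % (method, realm)
```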