Is OAuth an appropriate authorization tool when there is no end-user authorization, just consumer level?
I have an application for which I'm adding an API. OAuth seems like a good idea as there are libraries around the place already. However, I don't need the token exchange and end-user verification. If the consumer gives me the right key for the provided signature, then that's as far as I need to go.
It seems that the 'request token' part of the process is as far as I need to go so long as I can add other request variables into it.
We're writing a RESTful API that does just that. We use tokens (that we hand back to the consumer) but only as a session simulator / additional validation tool. We are distributing and consuming our own resources. The OAUTH token pattern (Authorization) did not fit our needs - we did not need to consume resources from other parties that the user was connected to, but the Authentication fit perfectly.
My personal opinion is that the implementation is appropriate; however, by rolling our own tokenization pattern, I do not know what impact that would have on standards. We followed the OAUTH Authentication standard, the only difference is that our consumers request tokens from us and consume our resources.
--Nick