Difference between revisions of "CLARIN/OAuth2 real world usage"

From PDP/Grid Wiki
Jump to navigationJump to search
 
(23 intermediate revisions by one other user not shown)
Line 1: Line 1:
[http://tools.ietf.org/html/draft-ietf-oauth-v2 OAuth2] is gaining traction. To learn about how it is used in practice, I have compiled a table of known implementations. This will help in assessing how to put this technology into use for [[User:Wvengen@nikhef.nl/OAuth2|CLARIN]].
+
{{CLARIN}}
 +
'''NOTE''': THIS PAGE NEEDS UPDATING
 +
 
 +
[http://tools.ietf.org/html/draft-ietf-oauth-v2 OAuth2] is gaining traction. To learn about how it is used in practice, I have compiled a table of known implementations. This will help in assessing how to put this technology in use for CLARIN.
 +
 
 +
Please note that this is far from complete. There must be dozens of other providers, and full documentation of existing implementations was not always publically available; information may be outdated as well.
  
 
{| class=wikitable
 
{| class=wikitable
Line 56: Line 61:
 
|
 
|
 
|
 
|
|
+
|[https://login.salesforce.com/help/doc/en/remoteaccess_oauth_SAML_bearer_flow.htm X]
 
|
 
|
 
|
 
|
Line 268: Line 273:
 
|
 
|
 
| (1)
 
| (1)
 
+
|-
 +
|[https://live.numote.com/developers/docs Numote Live]
 +
|
 +
|
 +
|
 +
|
 +
|
 +
|
 +
|
 +
|
 +
|
 +
|-
 +
|[https://developer.svpply.com/ Svpply]
 +
|
 +
|X
 +
|
 +
|
 +
|
 +
|
 +
|
 +
|
 +
|
 +
|-
 +
|[https://www.breezy.com/developers Breezy]
 +
|
 +
|
 +
|
 +
|
 +
|
 +
|
 +
|
 +
|
 +
|
 +
|-
 +
|[http://dev.orcid.org/docs/query-api Orcid]
 +
|[https://docs.google.com/document/pub?id=1hEHwKEpQ3wH-qmgmQAgdxdcEIG1jmv6e2-FgdEfW89I 22]
 +
|X
 +
|
 +
|
 +
|X
 +
|
 +
|
 +
|
 +
|
 +
|-
 +
|[http://via.me/developers/authentication via.me]
 +
|
 +
|X
 +
|X
 +
|
 +
|
 +
|
 +
|
 +
|
 +
|
 +
|-
 +
|[https://github.com/fkooman/php-voot php-voot]
 +
|26
 +
|X
 +
|X
 +
|
 +
|
 +
|
 +
|
 +
|
 +
|<small>[http://openvoot.org/voot-2.0.html VOOT] in [https://foodl.org/ Foodle], [http://www.surfnet.nl/en/Thema/coin/whatis/Pages/default.aspx SURFcontext], [https://www.sympa.org/ Sympa], among others</small>
 +
|-
 +
|Deutsche Telekom
 +
|10
 +
|colspan=7|?
 +
|<small>[http://www.ietf.org/mail-archive/web/oauth/current/msg06844.html see] [http://www.ietf.org/mail-archive/web/oauth/current/msg06844.html here]</small>
 +
|-
 +
|[http://dev.trulioo.com/api-documentation.php Trulioo]
 +
|
 +
|X
 +
|
 +
|
 +
|
 +
|
 +
|
 +
|
 +
|''refresh''
 +
|-
 +
|[https://developer.concur.com/api-documentation/oauth-20 Concur]
 +
|
 +
|
 +
|
 +
|X
 +
|
 +
|
 +
|
 +
|
 +
|
 +
|-
 +
|[http://developers.gigya.com/010_Developer_Guide/85_REST/OAuth2 gigya]
 +
|
 +
|X
 +
|X
 +
|
 +
|X
 +
|
 +
|
 +
|
 +
|
 +
|-
 +
|[http://www.deviantart.com/developers/oauth2 deviantart]
 +
|10, 15
 +
|X
 +
|
 +
|
 +
|
 +
|
 +
|
 +
|
 +
|
 
<!-- row template
 
<!-- row template
 
|-
 
|-
Line 283: Line 402:
 
-->
 
-->
 
|}
 
|}
 +
 +
 +
(0) [http://www.programmableweb.com/apis/directory/1?auth=OAuth2 programmableweb] has a nice list as well; some draft numbers [http://cs.uno.edu/~dbilar/oauth2011.pdf here] and [https://jira.springsource.org/browse/SOCIAL-272?focusedCommentId=73682#comment-73682 here]
  
 
(1) perhaps not fully compliant, SDK omits <tt>response_type</tt> parameter
 
(1) perhaps not fully compliant, SDK omits <tt>response_type</tt> parameter
 +
 +
 +
== Implementation notes ==
 +
OAuth2 requires implementors to make decisions regarding a number of questions (profiling). This includes supported flows and client authentication. Besides that, real-world implementations sometimes differ from the (latest) draft/specification. Some very incomplete notes on that.
 +
 +
* '''[http://dev.bitly.com/authentication.html bit.ly]'''
 +
** does not handle the <tt>state</tt> parameter in the authorization endpoint
 +
** ''client authentication'' using <tt>client_secret</tt> in request parameters
 +
* '''[http://developer.github.com/v3/oauth/ Github]'''
 +
** ''client authentication'' using <tt>client_secret</tt> in request parameters
 +
** needs <tt>Accept: application/json</tt> in request header for JSON responses
 +
* '''[http://developers.gigya.com/010_Developer_Guide/85_REST/OAuth2 gigya]'''
 +
** uses <tt>Authorization: '''OAuth''' ''access_token''</tt> to pass the token

Latest revision as of 15:37, 28 August 2013

<sidebar>

</sidebar> NOTE: THIS PAGE NEEDS UPDATING

OAuth2 is gaining traction. To learn about how it is used in practice, I have compiled a table of known implementations. This will help in assessing how to put this technology in use for CLARIN.

Please note that this is far from complete. There must be dozens of other providers, and full documentation of existing implementations was not always publically available; information may be outdated as well.

Provider draft supported flows note
authz code implicit owner cred client cred device assertion custom
Facebook 12 X X X
Github 07 X
Google, YouTube 22+25 X X jwt
Salesforce 10 X X X
Foursquare X X X
SoundCloud 10 X X X refresh
Geoloqi 10 X X X
Glitch 13 X X
MS Live Connect 15 X X sign-in
bit.ly X xauth
Meetup 15 X X
dailymile 11 X X
LevelUp 11 X
Pinterest X
Yapp
Viadeo X X
Dailymotion 10 X X X
PayPal X
MailChimp 10 X
CheckFront 20 X refresh, expire
Yammer 20 X X
Eventbrite X X
Add to Trip X X (1)
Numote Live
Svpply X
Breezy
Orcid 22 X X
via.me X X
php-voot 26 X X VOOT in Foodle, SURFcontext, Sympa, among others
Deutsche Telekom 10 ? see here
Trulioo X refresh
Concur X
gigya X X X
deviantart 10, 15 X


(0) programmableweb has a nice list as well; some draft numbers here and here

(1) perhaps not fully compliant, SDK omits response_type parameter


Implementation notes

OAuth2 requires implementors to make decisions regarding a number of questions (profiling). This includes supported flows and client authentication. Besides that, real-world implementations sometimes differ from the (latest) draft/specification. Some very incomplete notes on that.

  • bit.ly
    • does not handle the state parameter in the authorization endpoint
    • client authentication using client_secret in request parameters
  • Github
    • client authentication using client_secret in request parameters
    • needs Accept: application/json in request header for JSON responses
  • gigya
    • uses Authorization: OAuth access_token to pass the token