[ Apologies to anyone receiving this again, but I have had problems with mail delivery and wanted to make sure that everyone got this ]
On Wed, 13 Oct 2010 12:35:54 -0300, Guilherme Salgado salgado@canonical.com wrote:
I think we can use existing libraries (python-oauth and lazr.authentication) and follow the examples of Canonical django projects that support OAuth, to support OAuth on launch-control. However, given that the deadline is very close, the alternative you propose above might be acceptable if the API is served over HTTPS.
lazr.authentication is fairly nice, but also fairly minimal. What is missing from the combination of python-oauth and lazr.authentication is the models for storing tokens etc. via the Django ORM.
We could extract those parts from canonical-identity-provider into a new app, which would be of use to everyone that wants to do this.
What I like about the lazr.authentication solution is that it integrates with the Django auth system in that you just get a request.user that you can check as you like. Plain django-oauth and django-piston don't seem to have that, and I'd like to keep that separation of concerns if possible.
I think that, given that most of the code for the lazr.authentication-based solution already exists, we could deliver something by Tuesday, but we still don't have an answer to the question of external dependencies.
Zygmunt, have you discussed that question with Spike? Does anyone else know what IS would prefer there?
Thanks,
James