<meta http-equiv="content-type" content="text/html; charset=utf-8">Hey,<div><br></div><div><br></div><div>I'm writing txOAuth. Basically the idea is to abstract all the OAuth stuff away so that people can just do boring old web auth.</div>
<div><br></div><div>I've seen JP's 60 seconds post but it appears to be HTTP Authentication centric. I'd like to be able to offer users pretty login pages. Also, OAuth logins typically have to inform the user about more stuff, such as who *we* think authenticated the request (as a measure against forgery), and which privileges exactly they've requested. That makes a pretty login page something to want.</div>
<div><br></div><div>I've also found sources on how to do it with Woven, but I'm pretty sure I'm not supposed to do that anymore. Some of them refer to Nevow as the shiny new thing to use, but since I'm not trying to actually BUILD such a login page (I'm merely trying to cater to other people that do), I don't think I need it.</div>
<div><br></div><div>I'm not sure how much of the default stuff can be reused, because OAuth is a bit different: authenticating the end-user (that's you!) relies on redirection. Unfortunately the login page itself might redirect the user many times already, so there must be some way of getting back to my library with a redirectable request</div>
<div><br></div><div>Also I'm not sure if I should be using Cred here or if it's just complicating stuff. I think you can model the three-legged auth as two two-legged auths: the client is authenticating to me, and the end-user is authenticating to me. That way, you could use HTTPAuthSessionWrapper to authenticate clients, and its realm would return the login page. This sounds pretty complex to me.</div>
<div><br></div><div>One really simple API I can think of is just passing a custom object around that has a deferred. Once you've successfully authenticated the end-user, you fire it with a Request (which I can then properly redirect), as explained above. (Same with errback chain; again, I need a request to return the error to the client that initiated the request.)</div>
<div><br></div><div>Any thoughts?</div><div><br></div><div>Thanks,</div><div>lvh</div>