John (wibbble) wrote in suggestions,

Support OAuth access for LJ API

Short, concise description of the idea
External tools and LJ clients require your password to be able to log in as you and post to your journal, but if LJ supported OAuth, this wouldn't be required any more.

Full description of the idea
OAuth is similar in concept to OpenID, but while OpenID is about saying 'I am LJ user X', OAuth is about saying 'I give service X access to my LJ'. It gives a revokable way to give external tools (such as meme posting, or cross-service posting) access to your LJ, and could work for LJ clients too.

This would mean that there would be less risk of account hijacking, as you could use external services like LoudTwitter without having to give them your LJ password. Similarly, downloaded LJ clients could use OAuth so that you don't have to trust the client author with your password. Eventually, your password is used only to log into the LiveJournal web site itself.

Instead of entering your password, the external site or LJ client would direct you to a page on LJ which would ask you if you wanted to authorise that site or application. If you say 'yes', it records the details and allows the site or application to access your account. LJ could also provide a list of sites that you've authorised and allow you to revoke any of them at any time. Presently, the only way to 'revoke' access is to change your LJ password, and if you use multiple external sites or LJ clients you'd then need to go and change your LJ password in all the ones you still want to use.
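To make the per-application grant and revocation behaviour concrete, here is a small Python model written for this page (not part of the original suggestion, and a simplified sketch rather than the OAuth 1.0 protocol itself); the `Journal` class, the application names and the token format are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Journal:
    """Constructed model of a journal that can delegate access per application."""
    password: str
    grants: dict = field(default_factory=dict)  # access token -> application name

    def login_with_password(self, pw: str) -> bool:
        """Website login: the only place the password is ever presented."""
        return hmac.compare_digest(self.password, pw)

    def authorize(self, app: str, user_approved: bool):
        """The 'do you want to authorise this application?' page.
        Only an explicit 'yes' yields a token; the app never sees the password."""
        if not user_approved:
            return None
        token = secrets.token_urlsafe(32)  # unguessable, unique per grant
        self.grants[token] = app
        return token

    def post(self, token: str, entry: str) -> bool:
        """An API call made with a delegated token instead of the password."""
        return token in self.grants

    def authorised_apps(self) -> list:
        """The list of authorised sites the user can review."""
        return sorted(set(self.grants.values()))

    def revoke(self, app: str) -> int:
        """Revoke one application's access without touching any other grant."""
        stale = [t for t, a in self.grants.items() if a == app]
        for t in stale:
            del self.grants[t]
        return len(stale)


def demo():
    """Two apps are authorised; revoking one leaves the other and the password intact."""
    j = Journal(password="hunter2")            # constructed sample password
    t_cross = j.authorize("CrossPoster", True)  # hypothetical cross-posting service
    t_client = j.authorize("DesktopClient", True)
    j.revoke("CrossPoster")
    return (j.post(t_cross, "x"), j.post(t_client, "y"),
            j.login_with_password("hunter2"), j.authorised_apps())
```

Contrast this with the password-only model in the text, where the only revocation available is a password change that invalidates every client at once.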

As an example, Twitter have recently implemented OAuth and plan to replace their password-based API authentication with OAuth over time. This will allow Twitter users of services like 'TwitPic' (which posts/hosts images) to post their pictures to Twitter without giving the third-party service their Twitter password.

There's a very good explanation of OAuth on their website:

An ordered list of benefits
  • Improves the security of LJ accounts by limiting the distribution of users' passwords.
  • Provides a means to revoke access if you decide you don't want to use a 3rd-party service.
  • Increases confidence in third-party services as they no longer require users' passwords.
An ordered list of problems/issues involved
  • Would require possibly significant implementation work.
  • May be of no benefit to LJ users that don't use third-party services or downloaded clients.
  • OAuth is still quite new, and isn't in use by lots of people. There may be problems that haven't been discovered yet.
Tags: authentication, § no status