[GMG-Devel] An idea for handling OAuth client registration

[Nathan Yergler]

As I was working on the Android client for MediaGoblin over the
weekend, an issue that came us is how to handle OAuth 2 client
registration. I have an idea of how to handle it that I'd like to get
some feedback on. First, some background.

OAuth 2 (OA2) requires that clients are registered with a service
before making authorization requests. When a client registers, a
Client ID and "Secret" are generated. [I put Secret in quotes because
I'm not yet clear on the security implications of allowing others to
know your Secret. If people think this idea is Not Insane, I'll do
some careful reading and figure that out so we can make an informed
decision.] The ID and Secret will be different for each registration.
Normally someone developing a client would register for an ID and
Secret, and then include them with their client. For a distributed
service, however, it's more complex: the ID and Secret generated for
each installation would be different, and you don't necessarily know
what installation a user will want to authenticate against.

Thinking about how to balance burden on MediaGoblin administrators and
myself as a client developer, my current idea is to create a plugin
for MediaGoblin that just provides a known ID and Secret for
MediaGoblin for Android. If you wanted support MGA on your MediaGoblin
installation, you'd simply "pip install mg-android-keys" and add it to
the list of installed plugins. The plugin would either insert the
values into the database, or via a hook that the OAuth plugin knows to
trigger.

Thoughts?

NRY