668
edits
Changes
→BrowserID + REST
== BrowserID + REST ==
[[Image:BrowserIDREST.png|500px]]
We standardize a point of authentication, <tt>/auth</tt>, which exchanges an assertion for an OAuth token and secret, valid for some session duration (30 minutes?). Then, subsequent API calls are made with an OAuth signature header using that token and secret. This is in so-called 2-legged OAuth mode. Thus, apart from the new API call to <tt>/auth</tt>, a REST API does not need to change. Only its authorization header is affected.