Identity/BrowserIDSync

188 bytes added, 14:31, 22 December 2011
BrowserID + REST
We standardize a single point of authentication, <tt>/auth</tt>, which exchanges a BrowserID assertion for an OAuth token and secret, valid for some session duration (30 minutes?). Every subsequent API call is then made with an OAuth signature header computed from that token and secret, in so-called 2-legged OAuth mode. Thus, apart from the new <tt>/auth</tt> call, an existing REST API does not need to change; only the authorization header on each request is affected.
 
In order to make it easier for clients to discover our authentication mechanism, unauthenticated API calls should return
 
401 Unauthorized
WWW-Authenticate: OAuth+VEP url="/auth"
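As an added example (not from this wiki page or the Identity project's code), here is a Python model of the flow above: <tt>/auth</tt> hands out a 30-minute token/secret pair once the assertion has been verified (verification itself is assumed to happen elsewhere), the client signs each call with 2-legged OAuth HMAC-SHA1 per RFC 5849, and the server answers unsigned, expired, tampered or replayed requests with the 401 challenge shown. The function names, the in-memory session store and the nonce cache are assumptions, not part of the original design.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, quote, unquote, urlsplit
SESSION_SECONDS = 30 * 60  # the session duration the page floats (30 minutes)
CHALLENGE = {"WWW-Authenticate": 'OAuth+VEP url="/auth"'}  # the page's 401 challenge
_sessions = {}        # token -> (secret, email, expiry); in-memory stand-in for a real store
_seen_nonces = set()  # (token, nonce, timestamp) already accepted, so a captured request can't be replayed

def _pct(s): return quote(str(s), safe="~")  # RFC 5849 percent-encoding: only unreserved chars kept

def issue_token(email, now=None):
    """/auth: assertion already verified (outside this example); bind a fresh token/secret to the email."""
    token, secret = secrets.token_hex(16), secrets.token_hex(32)
    _sessions[token] = (secret, email, (now or time.time()) + SESSION_SECONDS)
    return token, secret

def base_string(method, url, params):
    """RFC 5849 signature base string: method, normalized URL, sorted percent-encoded params."""
    u = urlsplit(url)
    items = list(parse_qsl(u.query, keep_blank_values=True)) + [(k, v) for k, v in params.items() if k != "oauth_signature"]
    norm = "&".join(f"{k}={v}" for k, v in sorted((_pct(k), _pct(v)) for k, v in items))
    return "&".join([method.upper(), _pct(f"{u.scheme}://{u.netloc}{u.path}"), _pct(norm)])

def _hmac_sha1(secret, method, url, params):
    key = f"{_pct(secret)}&".encode()  # 2-legged: the /auth secret is the consumer secret, token secret empty
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def sign(method, url, token, secret, nonce, ts):
    """Client side: the Authorization header for one API call; the API itself is untouched."""
    params = {"oauth_consumer_key": token, "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": str(ts), "oauth_nonce": nonce, "oauth_version": "1.0"}
    params["oauth_signature"] = _hmac_sha1(secret, method, url, params)
    return "OAuth " + ", ".join(f'{k}="{_pct(v)}"' for k, v in params.items())

def check_request(method, url, headers, now=None):
    """Server side -> (status, headers). Unsigned, expired, replayed or tampered requests get 401 + challenge."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("OAuth "):
        return 401, dict(CHALLENGE)  # tells the client where to authenticate: /auth
    params = {k: unquote(v.strip('"')) for k, v in (p.split("=", 1) for p in auth[6:].split(", "))}
    token = params.get("oauth_consumer_key")
    sess = _sessions.get(token)
    if not sess or sess[2] < (now or time.time()):
        return 401, dict(CHALLENGE)
    replay_key = (token, params.get("oauth_nonce"), params.get("oauth_timestamp"))
    if replay_key in _seen_nonces or not hmac.compare_digest(
            _hmac_sha1(sess[0], method, url, params), params.get("oauth_signature", "")):
        return 401, dict(CHALLENGE)
    _seen_nonces.add(replay_key)
    return 200, {"X-Authenticated-User": sess[1]}
```

The signature covers method, URL and query, so a captured header cannot be reused against a different resource, and the nonce cache refuses a verbatim replay within the session.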
 
Other potential approaches: