Posted to dev@couchdb.apache.org by Jan Lehnardt <ja...@apache.org> on 2015/09/10 18:18:06 UTC

[PROPOSAL] Remove oAuth for 2.0

Heya all,

I just had occasion to look into 2.0's oAuth support and it looks like chttpd doesn’t ever talk to couch_httpd_oauth.

In addition, oAuth in 1.x has only ever been half-baked (no automatic handling of tokens among many other things), it is not maintained, and it is barely documented.

I propose to remove it from 2.0 and mark this as a breaking change.

If not, we have to make 2.0 work with what we have, and we’ll have to have somebody willing to do the work.

What do you think?

Best
Jan
-- 


Re: [PROPOSAL] Remove oAuth for 2.0

Posted by Jan Lehnardt <ja...@apache.org>.
> On 10 Sep 2015, at 20:20, Alexander Shorin <kx...@gmail.com> wrote:
> 
> On Thu, Sep 10, 2015 at 8:53 PM, Jan Lehnardt <ja...@apache.org> wrote:
>>> On 10 Sep 2015, at 19:06, Alexander Shorin <kx...@gmail.com> wrote:
>>> 
>>> -1. We need to fix this, not drop.
>> 
>> The feature is already very poor, hard to understand and configure, and again, I don’t know anyone who is using this. “Fixing” this would, imho, mean, starting from scratch and making this properly, just restoring the half-baked 1.x state is not very pretty.
>> 
>> That said, are you volunteering? :)
> 
> Seems like there are no much options.
> 
> I disagree that it's very poor. The only flaws it has is the lack of
> RSA support (our implementation) and open security issues (as auth
> protocol). But is there any good alternative?

I think dropping the feature is a good alternative, given that we have
no maintainers (unless somebody steps up in this thread).

Best
Jan
--

> 
> --
> ,,,^..^,,,

-- 
Professional Support for Apache CouchDB:
http://www.neighbourhood.ie/couchdb-support/


Re: [PROPOSAL] Remove oAuth for 2.0

Posted by Klaus Trainer <kl...@posteo.de>.
On 09/11/2015 06:06 PM, Alexander Shorin wrote:
> JWT is all good except one moment: it's not an alternative for OAuth (:

Yeah, that's true. However there are use cases where the same problem
can be solved by using JWT instead of OAuth, maybe even in a better way.

> And it's hard to say that it's simpler, especially in case of support
> of all the algorithms on browser side. WebCrypto is not a common thing
> yet.

I don't see a point in supporting all available algorithms. Assuming
that we restrict ourselves to only implementing the HS256 and RS256
algorithms (at least as a start), which I think would be a reasonable
choice, it's likely going to be simpler both from an implementation and
user perspective. Both HS256 and RS256 can be easily used in browsers.
There's even a browser-based debugger available at http://jwt.io/.

> But I'm +1 for JWT support in anyway. It has own good use cases.

Great :)

> P.S. Basically, CouchDB cookies are JWTs, except that payload isn't
> JSON, but binary Erlang term.

Yeah, they're quite similar to HS256 JWTs :)

One limitation with cookies that I've recently been facing is that you
can't rely on them as soon as requests to CouchDB are cross-origin, as
browsers often don't accept third-party cookies. This could be addressed
by including a JWT in the response to requests against the /_session
endpoint, which then could be used for authentication instead of a cookie.
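
An added example, not part of the original message or of CouchDB's code: issuing and verifying an HS256 JWT with the algorithm allow-list argued for above, then deriving a CouchDB-style user context (name and roles) from the claims. The claim names `sub` and `roles`, the secret, and the rule that drops roles starting with `_` are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Allow-list of accepted algorithms. RS256 would need an RSA library,
# so this example accepts HS256 only; "none" is never accepted.
ALLOWED_ALGS = {"HS256"}


class TokenError(Exception):
    """Raised for any token that must not be trusted."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_hs256(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over the first two parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Return the claims only if algorithm, signature and expiry all check out."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    except (ValueError, TypeError) as exc:
        raise TokenError("malformed token") from exc
    # Decide the algorithm from our own allow-list, never from the token alone.
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        raise TokenError("algorithm not allowed")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time compare
        raise TokenError("bad signature")
    # The payload is parsed only after the signature has been verified.
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError as exc:
        raise TokenError("malformed payload") from exc
    if not isinstance(claims, dict):
        raise TokenError("malformed payload")
    current = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= current:
        raise TokenError("expired or missing exp")
    return claims


def user_ctx_from_claims(claims: dict) -> dict:
    """Map verified claims to a CouchDB-style user context.

    Assumed claim names: "sub" for the user name, "roles" for the role list.
    Example policy (an assumption): roles starting with "_", such as the
    server admin role "_admin", are never taken from a token.
    """
    name = claims.get("sub")
    if not isinstance(name, str) or not name:
        raise TokenError("missing sub claim")
    roles = claims.get("roles", [])
    if not isinstance(roles, list):
        raise TokenError("roles must be a list")
    safe = [r for r in roles if isinstance(r, str) and not r.startswith("_")]
    return {"name": name, "roles": safe}
```
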


Re: [PROPOSAL] Remove oAuth for 2.0

Posted by Alexander Shorin <kx...@gmail.com>.
On Fri, Sep 11, 2015 at 5:50 PM, Klaus Trainer <kl...@posteo.de> wrote:
>
> On 09/10/2015 08:20 PM, Alexander Shorin wrote:
>> Seems like there are no much options.
>>
>> I disagree that it's very poor. The only flaws it has is the lack of
>> RSA support (our implementation) and open security issues (as auth
>> protocol). But is there any good alternative?
>
> A good alternative would be to support JSON Web Token (JWT) [1].
> Somebody has already done some work for CouchDB 1.6. in this regard [2].
> They managed to outsource authentication to Auth0, while validating JWTs
> issued by Auth0, and creating respective CouchDB sessions with username
> and roles assigned from the JWT [3, 4].
>
> In addition to what's been done in [2], I'd like CouchDB to be able to
> issue JWTs as well, which then could also be used by other applications
> for authentication and authorization.
>
> In contrast to OAuth 1.0a (which is implemented in CouchDB), JWT is
> conceptionally much simpler. It is easy to set up on servers, and easy
> to use for clients (e.g. in the browsers).
>
> Regarding implementing JWT in CouchDB: I'd like to volunteer and can
> allocate time for that.
>
> What do you think about supporting JWT?

JWT is all good except one moment: it's not an alternative for OAuth (:
And it's hard to say that it's simpler, especially in case of support
of all the algorithms on browser side. WebCrypto is not a common thing
yet.

But I'm +1 for JWT support anyway. It has its own good use cases.

P.S. Basically, CouchDB cookies are JWTs, except that payload isn't
JSON, but binary Erlang term.

--
,,,^..^,,,

Re: [PROPOSAL] Remove oAuth for 2.0

Posted by Joan Touzet <wo...@apache.org>.
I was one of the last people to leverage the CouchDB OAuth provider
in a commercial setting. That project ended nearly 4 years ago now.

What we have today is "2-legged" OAuth 1.0 compatibility that grew
out of functionality Ubuntu was looking for with the now-dead
UbuntuOne desktop functionality. It was a hack, a quick hack, and
ill-informed at that.

What most people wanted, back then, was "3-legged OAuth 1.0."
And we never coded that.

What people want today is full OAuth 2.0 or OpenID style functionality,
both as a consumer (log into Couch with your Twitter credentials) and
as a provider (log into a website using your Couch credentials). This
code serves neither purpose, and it's a long way from being there.

Drop the code from the repo.

-joan

----- Original Message -----
> From: "Alexander Shorin" <kx...@gmail.com>
> To: dev@couchdb.apache.org
> Sent: Thursday, September 17, 2015 5:03:14 PM
> Subject: Re: [PROPOSAL] Remove oAuth for 2.0
> 
> I played around with porting oauth to chttpd and what could I say...
> 
> After reading couch_httpd_oauth sources I understand why everyone
> wanted to get it out (:
> 
> OAuth 1.0 as like as OAuth 2.0 can act as auth provider: with special
> series of requests provider ensures that user credentials are valid
> and then moves it to the callback url.
> At the same time it can auth users without third party services.
> 
> We have last part implemented good: oauth_authentication_handler
> works
> right and I as a user happy with it.
> The part that turns CouchDB into auth provider is implemented by a
> half: we have the API, but it uses stubs.
> 
> So technically we have incomplete implementation of OAuth 1.0
> 
> And that's a good reason to drop it completely. Especially since
> OAuth
> 1.0 is deprecated and contains security issues.
> 
> However, our users still may use what we have in production. Our
> OAuth
> support is not just yet another. It's also special fields in user
> documents where personal token/secrets are defied. It's also special
> group of config options. It's also special auth.oauth object for
> replication task. In other words, there are quite much things we can
> break even with current state of things.
> 
> So I propose to limit our OAuth support to reasonable minimum that
> 100% works (auth provider, user docs, replication tasks). Deprecate
> all of this with 2.0 and eventually remove this in-between 2.0-3.0
> period when we'll have a time to provide better alternative solution
> and spread the work enough about to cause smooth migration.
> 
> Sounds good?
> 
> --
> ,,,^..^,,,
> 
> 
> On Fri, Sep 11, 2015 at 11:55 PM, Robert Newson <rn...@apache.org>
> wrote:
> > +1 to remove oauth.
> >
> > Keen to see new authn and authz options for couchdb but that's a
> > separate topic.
> >
> >
> >
> >> On 11 Sep 2015, at 17:38, Jan Lehnardt <ja...@apache.org> wrote:
> >>
> >> Let’s keep things separate.
> >>
> >> I propose moving broken oAuth support from 2.0. I’m prepared to do
> >> the legwork, it shouldn’t take long.
> >>
> >> If someone steps in and fixes oAuth for 2.0 VERY SOON, I’d be okay
> >> with keeping it.
> >>
> >> At this point, we are not discussing additional features for 2.0.
> >>
> >> If we get JWT, it goes into 2.1.
> >>
> >> Best
> >> Jan
> >> --
> >>
> >>
> >>
> >>> On 11 Sep 2015, at 16:50, Klaus Trainer <kl...@posteo.de>
> >>> wrote:
> >>>
> >>> Hi everybody!
> >>>
> >>>> On 09/10/2015 08:20 PM, Alexander Shorin wrote:
> >>>> Seems like there are no much options.
> >>>>
> >>>> I disagree that it's very poor. The only flaws it has is the
> >>>> lack of
> >>>> RSA support (our implementation) and open security issues (as
> >>>> auth
> >>>> protocol). But is there any good alternative?
> >>>
> >>> A good alternative would be to support JSON Web Token (JWT) [1].
> >>> Somebody has already done some work for CouchDB 1.6. in this
> >>> regard [2].
> >>> They managed to outsource authentication to Auth0, while
> >>> validating JWTs
> >>> issued by Auth0, and creating respective CouchDB sessions with
> >>> username
> >>> and roles assigned from the JWT [3, 4].
> >>>
> >>> In addition to what's been done in [2], I'd like CouchDB to be
> >>> able to
> >>> issue JWTs as well, which then could also be used by other
> >>> applications
> >>> for authentication and authorization.
> >>>
> >>> In contrast to OAuth 1.0a (which is implemented in CouchDB), JWT
> >>> is
> >>> conceptionally much simpler. It is easy to set up on servers, and
> >>> easy
> >>> to use for clients (e.g. in the browsers).
> >>>
> >>> Regarding implementing JWT in CouchDB: I'd like to volunteer and
> >>> can
> >>> allocate time for that.
> >>>
> >>> What do you think about supporting JWT?
> >>>
> >>>
> >>> [1] https://tools.ietf.org/html/rfc7519
> >>> [2] https://github.com/softapalvelin/couch_jwt_auth
> >>> [3] https://github.com/softapalvelin/getting-started-todo
> >>> [4] https://auth0.com/
> >>
> >> --
> >> Professional Support for Apache CouchDB:
> >> http://www.neighbourhood.ie/couchdb-support/
> >>
> 

Re: [PROPOSAL] Remove oAuth for 2.0

Posted by Alexander Shorin <kx...@gmail.com>.
I played around with porting oauth to chttpd and what could I say...

After reading couch_httpd_oauth sources I understand why everyone
wanted to get it out (:

OAuth 1.0, like OAuth 2.0, can act as an auth provider: with a special
series of requests the provider ensures that user credentials are valid
and then moves it to the callback url.
At the same time it can auth users without third party services.

We have the last part implemented well: oauth_authentication_handler
works right and I as a user am happy with it.
The part that turns CouchDB into an auth provider is only half
implemented: we have the API, but it uses stubs.

So technically we have an incomplete implementation of OAuth 1.0.

And that's a good reason to drop it completely. Especially since OAuth
1.0 is deprecated and contains security issues.

However, our users still may use what we have in production. Our OAuth
support is not just yet another. It's also special fields in user
documents where personal token/secrets are defined. It's also a special
group of config options. It's also a special auth.oauth object for
replication tasks. In other words, there are quite a lot of things we
can break even with the current state of things.

So I propose to limit our OAuth support to a reasonable minimum that
100% works (auth provider, user docs, replication tasks). Deprecate
all of this with 2.0 and eventually remove this in the 2.0-3.0
period, when we'll have time to provide a better alternative solution
and spread the word about it enough to allow a smooth migration.

Sounds good?

--
,,,^..^,,,


On Fri, Sep 11, 2015 at 11:55 PM, Robert Newson <rn...@apache.org> wrote:
> +1 to remove oauth.
>
> Keen to see new authn and authz options for couchdb but that's a separate topic.
>
>
>
>> On 11 Sep 2015, at 17:38, Jan Lehnardt <ja...@apache.org> wrote:
>>
>> Let’s keep things separate.
>>
>> I propose moving broken oAuth support from 2.0. I’m prepared to do the legwork, it shouldn’t take long.
>>
>> If someone steps in and fixes oAuth for 2.0 VERY SOON, I’d be okay with keeping it.
>>
>> At this point, we are not discussing additional features for 2.0.
>>
>> If we get JWT, it goes into 2.1.
>>
>> Best
>> Jan
>> --
>>
>>
>>
>>> On 11 Sep 2015, at 16:50, Klaus Trainer <kl...@posteo.de> wrote:
>>>
>>> Hi everybody!
>>>
>>>> On 09/10/2015 08:20 PM, Alexander Shorin wrote:
>>>> Seems like there are no much options.
>>>>
>>>> I disagree that it's very poor. The only flaws it has is the lack of
>>>> RSA support (our implementation) and open security issues (as auth
>>>> protocol). But is there any good alternative?
>>>
>>> A good alternative would be to support JSON Web Token (JWT) [1].
>>> Somebody has already done some work for CouchDB 1.6. in this regard [2].
>>> They managed to outsource authentication to Auth0, while validating JWTs
>>> issued by Auth0, and creating respective CouchDB sessions with username
>>> and roles assigned from the JWT [3, 4].
>>>
>>> In addition to what's been done in [2], I'd like CouchDB to be able to
>>> issue JWTs as well, which then could also be used by other applications
>>> for authentication and authorization.
>>>
>>> In contrast to OAuth 1.0a (which is implemented in CouchDB), JWT is
>>> conceptionally much simpler. It is easy to set up on servers, and easy
>>> to use for clients (e.g. in the browsers).
>>>
>>> Regarding implementing JWT in CouchDB: I'd like to volunteer and can
>>> allocate time for that.
>>>
>>> What do you think about supporting JWT?
>>>
>>>
>>> [1] https://tools.ietf.org/html/rfc7519
>>> [2] https://github.com/softapalvelin/couch_jwt_auth
>>> [3] https://github.com/softapalvelin/getting-started-todo
>>> [4] https://auth0.com/
>>
>> --
>> Professional Support for Apache CouchDB:
>> http://www.neighbourhood.ie/couchdb-support/
>>

Re: [PROPOSAL] Remove oAuth for 2.0

Posted by Robert Newson <rn...@apache.org>.
+1 to remove oauth. 

Keen to see new authn and authz options for couchdb but that's a separate topic. 



> On 11 Sep 2015, at 17:38, Jan Lehnardt <ja...@apache.org> wrote:
> 
> Let’s keep things separate.
> 
> I propose moving broken oAuth support from 2.0. I’m prepared to do the legwork, it shouldn’t take long.
> 
> If someone steps in and fixes oAuth for 2.0 VERY SOON, I’d be okay with keeping it.
> 
> At this point, we are not discussing additional features for 2.0.
> 
> If we get JWT, it goes into 2.1.
> 
> Best
> Jan
> --
> 
> 
> 
>> On 11 Sep 2015, at 16:50, Klaus Trainer <kl...@posteo.de> wrote:
>> 
>> Hi everybody!
>> 
>>> On 09/10/2015 08:20 PM, Alexander Shorin wrote:
>>> Seems like there are no much options.
>>> 
>>> I disagree that it's very poor. The only flaws it has is the lack of
>>> RSA support (our implementation) and open security issues (as auth
>>> protocol). But is there any good alternative?
>> 
>> A good alternative would be to support JSON Web Token (JWT) [1].
>> Somebody has already done some work for CouchDB 1.6. in this regard [2].
>> They managed to outsource authentication to Auth0, while validating JWTs
>> issued by Auth0, and creating respective CouchDB sessions with username
>> and roles assigned from the JWT [3, 4].
>> 
>> In addition to what's been done in [2], I'd like CouchDB to be able to
>> issue JWTs as well, which then could also be used by other applications
>> for authentication and authorization.
>> 
>> In contrast to OAuth 1.0a (which is implemented in CouchDB), JWT is
>> conceptionally much simpler. It is easy to set up on servers, and easy
>> to use for clients (e.g. in the browsers).
>> 
>> Regarding implementing JWT in CouchDB: I'd like to volunteer and can
>> allocate time for that.
>> 
>> What do you think about supporting JWT?
>> 
>> 
>> [1] https://tools.ietf.org/html/rfc7519
>> [2] https://github.com/softapalvelin/couch_jwt_auth
>> [3] https://github.com/softapalvelin/getting-started-todo
>> [4] https://auth0.com/
> 
> --
> Professional Support for Apache CouchDB:
> http://www.neighbourhood.ie/couchdb-support/
> 

Re: [PROPOSAL] Remove oAuth for 2.0

Posted by Jan Lehnardt <ja...@apache.org>.
Let’s keep things separate.

I propose moving broken oAuth support from 2.0. I’m prepared to do the legwork, it shouldn’t take long.

If someone steps in and fixes oAuth for 2.0 VERY SOON, I’d be okay with keeping it.

At this point, we are not discussing additional features for 2.0.

If we get JWT, it goes into 2.1.

Best
Jan
--



> On 11 Sep 2015, at 16:50, Klaus Trainer <kl...@posteo.de> wrote:
> 
> Hi everybody!
> 
> On 09/10/2015 08:20 PM, Alexander Shorin wrote:
>> Seems like there are no much options.
>> 
>> I disagree that it's very poor. The only flaws it has is the lack of
>> RSA support (our implementation) and open security issues (as auth
>> protocol). But is there any good alternative?
> 
> A good alternative would be to support JSON Web Token (JWT) [1].
> Somebody has already done some work for CouchDB 1.6. in this regard [2].
> They managed to outsource authentication to Auth0, while validating JWTs
> issued by Auth0, and creating respective CouchDB sessions with username
> and roles assigned from the JWT [3, 4].
> 
> In addition to what's been done in [2], I'd like CouchDB to be able to
> issue JWTs as well, which then could also be used by other applications
> for authentication and authorization.
> 
> In contrast to OAuth 1.0a (which is implemented in CouchDB), JWT is
> conceptionally much simpler. It is easy to set up on servers, and easy
> to use for clients (e.g. in the browsers).
> 
> Regarding implementing JWT in CouchDB: I'd like to volunteer and can
> allocate time for that.
> 
> What do you think about supporting JWT?
> 
> 
> [1] https://tools.ietf.org/html/rfc7519
> [2] https://github.com/softapalvelin/couch_jwt_auth
> [3] https://github.com/softapalvelin/getting-started-todo
> [4] https://auth0.com/
> 

--
Professional Support for Apache CouchDB:
http://www.neighbourhood.ie/couchdb-support/


Re: [PROPOSAL] Remove oAuth for 2.0

Posted by Klaus Trainer <kl...@posteo.de>.
Hi everybody!

On 09/10/2015 08:20 PM, Alexander Shorin wrote:
> Seems like there are no much options.
> 
> I disagree that it's very poor. The only flaws it has is the lack of
> RSA support (our implementation) and open security issues (as auth
> protocol). But is there any good alternative?

A good alternative would be to support JSON Web Token (JWT) [1].
Somebody has already done some work for CouchDB 1.6 in this regard [2].
They managed to outsource authentication to Auth0, while validating JWTs
issued by Auth0, and creating respective CouchDB sessions with username
and roles assigned from the JWT [3, 4].

In addition to what's been done in [2], I'd like CouchDB to be able to
issue JWTs as well, which then could also be used by other applications
for authentication and authorization.

In contrast to OAuth 1.0a (which is implemented in CouchDB), JWT is
conceptually much simpler. It is easy to set up on servers, and easy
to use for clients (e.g. in browsers).

Regarding implementing JWT in CouchDB: I'd like to volunteer and can
allocate time for that.

What do you think about supporting JWT?


[1] https://tools.ietf.org/html/rfc7519
[2] https://github.com/softapalvelin/couch_jwt_auth
[3] https://github.com/softapalvelin/getting-started-todo
[4] https://auth0.com/


Re: [PROPOSAL] Remove oAuth for 2.0

Posted by Alexander Shorin <kx...@gmail.com>.
On Thu, Sep 10, 2015 at 8:53 PM, Jan Lehnardt <ja...@apache.org> wrote:
>> On 10 Sep 2015, at 19:06, Alexander Shorin <kx...@gmail.com> wrote:
>>
>> -1. We need to fix this, not drop.
>
> The feature is already very poor, hard to understand and configure, and again, I don’t know anyone who is using this. “Fixing” this would, imho, mean, starting from scratch and making this properly, just restoring the half-baked 1.x state is not very pretty.
>
> That said, are you volunteering? :)

Seems like there are not many options.

I disagree that it's very poor. The only flaws it has are the lack of
RSA support (our implementation) and open security issues (as auth
protocol). But is there any good alternative?

--
,,,^..^,,,

Re: [PROPOSAL] Remove oAuth for 2.0

Posted by Jan Lehnardt <ja...@apache.org>.
> On 10 Sep 2015, at 19:06, Alexander Shorin <kx...@gmail.com> wrote:
> 
> -1. We need to fix this, not drop.

The feature is already very poor, hard to understand and configure, and again, I don’t know anyone who is using this. “Fixing” this would, imho, mean, starting from scratch and making this properly, just restoring the half-baked 1.x state is not very pretty.

That said, are you volunteering? :)

Best
Jan
--

> --
> ,,,^..^,,,
> 
> 
> On Thu, Sep 10, 2015 at 7:30 PM, Jan Lehnardt <ja...@apache.org> wrote:
>> Oh, and I don’t know anyone who uses this.
>> 
>> Best
>> Jan
>> --
>> 
>>> On 10 Sep 2015, at 18:18, Jan Lehnardt <ja...@apache.org> wrote:
>>> 
>>> Heya all,
>>> 
>>> I just had occasion to look into 2.0s oAuth support and it looks like chttpd doesn’t ever talk to couch_httpd_oauth.
>>> 
>>> In addition, oAuth in 1.x has only ever been half-baked (no automatic handling of tokens among many other things), it is not maintained, and it is barely documented.
>>> 
>>> I propose to remove it from 2.0 and mark this as a breaking change.
>>> 
>>> If not, we have to make 2.0 work with what we have, and we’ll have to have somebody willing to do the work.
>>> 
>>> What do you think?
>>> 
>>> Best
>>> Jan
>>> --
>>> 
>> 
>> --
>> Professional Support for Apache CouchDB:
>> http://www.neighbourhood.ie/couchdb-support/
>> 

-- 
Professional Support for Apache CouchDB:
http://www.neighbourhood.ie/couchdb-support/


Re: [PROPOSAL] Remove oAuth for 2.0

Posted by Garren Smith <ga...@apache.org>.
+1 to delete. I would rather limit the scope of CouchDB 2.0 and rather focus on getting the core out. 


> On 10 Sep 2015, at 7:06 PM, Alexander Shorin <kx...@gmail.com> wrote:
> 
> -1. We need to fix this, not drop.
> --
> ,,,^..^,,,
> 
> 
> On Thu, Sep 10, 2015 at 7:30 PM, Jan Lehnardt <ja...@apache.org> wrote:
>> Oh, and I don’t know anyone who uses this.
>> 
>> Best
>> Jan
>> --
>> 
>>> On 10 Sep 2015, at 18:18, Jan Lehnardt <ja...@apache.org> wrote:
>>> 
>>> Heya all,
>>> 
>>> I just had occasion to look into 2.0s oAuth support and it looks like chttpd doesn’t ever talk to couch_httpd_oauth.
>>> 
>>> In addition, oAuth in 1.x has only ever been half-baked (no automatic handling of tokens among many other things), it is not maintained, and it is barely documented.
>>> 
>>> I propose to remove it from 2.0 and mark this as a breaking change.
>>> 
>>> If not, we have to make 2.0 work with what we have, and we’ll have to have somebody willing to do the work.
>>> 
>>> What do you think?
>>> 
>>> Best
>>> Jan
>>> --
>>> 
>> 
>> --
>> Professional Support for Apache CouchDB:
>> http://www.neighbourhood.ie/couchdb-support/
>> 


Re: [PROPOSAL] Remove oAuth for 2.0

Posted by Alexander Shorin <kx...@gmail.com>.
-1. We need to fix this, not drop.
--
,,,^..^,,,


On Thu, Sep 10, 2015 at 7:30 PM, Jan Lehnardt <ja...@apache.org> wrote:
> Oh, and I don’t know anyone who uses this.
>
> Best
> Jan
> --
>
>> On 10 Sep 2015, at 18:18, Jan Lehnardt <ja...@apache.org> wrote:
>>
>> Heya all,
>>
>> I just had occasion to look into 2.0s oAuth support and it looks like chttpd doesn’t ever talk to couch_httpd_oauth.
>>
>> In addition, oAuth in 1.x has only ever been half-baked (no automatic handling of tokens among many other things), it is not maintained, and it is barely documented.
>>
>> I propose to remove it from 2.0 and mark this as a breaking change.
>>
>> If not, we have to make 2.0 work with what we have, and we’ll have to have somebody willing to do the work.
>>
>> What do you think?
>>
>> Best
>> Jan
>> --
>>
>
> --
> Professional Support for Apache CouchDB:
> http://www.neighbourhood.ie/couchdb-support/
>

Re: [PROPOSAL] Remove oAuth for 2.0

Posted by Jan Lehnardt <ja...@apache.org>.
Oh, and I don’t know anyone who uses this.

Best
Jan
-- 

> On 10 Sep 2015, at 18:18, Jan Lehnardt <ja...@apache.org> wrote:
> 
> Heya all,
> 
> I just had occasion to look into 2.0s oAuth support and it looks like chttpd doesn’t ever talk to couch_httpd_oauth.
> 
> In addition, oAuth in 1.x has only ever been half-baked (no automatic handling of tokens among many other things), it is not maintained, and it is barely documented.
> 
> I propose to remove it from 2.0 and mark this as a breaking change.
> 
> If not, we have to make 2.0 work with what we have, and we’ll have to have somebody willing to do the work.
> 
> What do you think?
> 
> Best
> Jan
> -- 
> 

-- 
Professional Support for Apache CouchDB:
http://www.neighbourhood.ie/couchdb-support/


Re: [PROPOSAL] Remove oAuth for 2.0

Posted by Klaus Trainer <kl...@posteo.de>.
+1


On 09/10/2015 06:18 PM, Jan Lehnardt wrote:
> Heya all,
> 
> I just had occasion to look into 2.0s oAuth support and it looks like chttpd doesn’t ever talk to couch_httpd_oauth.
> 
> In addition, oAuth in 1.x has only ever been half-baked (no automatic handling of tokens among many other things), it is not maintained, and it is barely documented.
> 
> I propose to remove it from 2.0 and mark this as a breaking change.
> 
> If not, we have to make 2.0 work with what we have, and we’ll have to have somebody willing to do the work.
> 
> What do you think?
> 
> Best
> Jan
>