launchpadlib users made to authenticate unnecessarily
Bug #385517 reported by William Grant
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Launchpad itself | Fix Released | High | Leonard Richardson | | |
Bug Description
launchpadlib uses https:/
So it seems that launchpadlib users are gratuitously required to authenticate - with a few lines of code I was able to create a working Launchpad object without credentials. It would often be useful to embed launchpadlib in an application which needs to interrogate Launchpad, and it's a lot more practical if one needn't authenticate first.
Changed in launchpad-foundations: | |
importance: | Undecided → High |
milestone: | none → 2.2.6 |
status: | New → Triaged |
Changed in launchpad-foundations: | |
assignee: | nobody → Leonard Richardson (leonardr) |
status: | Triaged → In Progress |
Changed in launchpad-foundations: | |
milestone: | 2.2.6 → 2.2.7 |
Changed in launchpad-foundations: | |
milestone: | 2.2.8 → 3.0 |
Changed in launchpad-foundations: | |
milestone: | 3.0 → 3.1.11 |
Changed in launchpad-foundations: | |
milestone: | 3.1.11 → 3.1.12 |
Changed in launchpad-foundations: | |
status: | Fix Committed → Fix Released |
Changed in launchpad-foundations: | |
status: | Fix Committed → Fix Released |
Francis asked me to investigate the anonymous creation of OAuth credentials. Here's how the workflow could go:
Right now when you start launchpadlib without giving it a set of credentials, you get sent to the credential creation page. You must be logged in to access this page.
Under the new system, you'd be able to see the credential creation page without logging in. In addition to the different types of credentials you can create now, you'd be able to create an anonymous credential. This would take effect as soon as you clicked the button for it.
The other kinds of credentials would only be created once you'd logged in. If you happened to already be logged in through your web browser when you started launchpadlib, you'd be able to create any kind of credential with one click, the way you can now.
Basically we move the point of login to just before the credential is created.
If we do this there will not be much difference between an anonymous credential and a public-read credential associated with a user. The only difference is that there's no way to revoke an anonymous credential. This is a serious problem and I don't have a good answer for it. We'd either need a way of claiming a credential after the fact, or a one-off revocation protocol.