Ask HN: Will I be allowed to do this?
While posting a comment on a news article the other day, I chose to use twitter authentication to log in. Of course, the newspaper website wanted to have access to my tweets, my followers, and the ability to post new tweets on my behalf, none of which I was comfortable giving up just to post on a random news article on a random site. I imagine that this prevents a lot of other people from posting as well.
I am considering creating a new authentication provider that will allow users to authenticate via their twitter, facebook, or google+ accounts, while not allowing any of the invasion of privacy that comes with using the standard OAuth providers.
My concern is that this will be deemed as some form of competition by the respective services and they can simple cut me off and kill my authentication service.
Your advice is greatly appreciated.
6 comments
[ 3.9 ms ] story [ 29.5 ms ] threadI believe you'll find the former is challenging. It would be against the TOS of most authentication providers to do this as an arm's-length intermediary. I think you could do it as the contracted agent of the publisher (which implies a white-label approach). See, for example, the way JanRain works.
The best examples of the latter I can think of are Disqus, Echo, et al. You might want to check them out.
Thanks for the reply. I was thinking to have a standalone service that is clearly demarcated from the host publisher. I wouldn't store passwords, I would simply serve as an authenticator for websites that would use the service as an alternative to the standard oauth provider from twitter or facebook, etc. The issue is that I would probably have an app on their ecosystem to facilitate the process.
BTW, brnr.me sounds like a great service.
I think you're on to something though, there are a lot of sites that want access to far too much, as if the developer cut-pasted all of the scopes they could find.