REST Services Authentication

When we first developed the REST services architecture, we used an OAuth-based authentication scheme. After using the REST services to create external applications ourselves and communicating with many in our web developer community, we have decided to make a change.

We are planning to convert the Authentication and Authorization mechanism for the Tessitura REST API from OAuth to Basic Auth. 

OAuth was designed to provide a standard protocol for delegated authentication and authorization.  After careful design consideration and feedback from the developer community, we feel that OAuth is not the best fit for the new Tessitura REST API.  

OAuth is wonderful for the times when the added complexity of delegated authentication/authorization makes sense.  But the complexity is not without cost. For direct stateless services like the Tessitura REST API, OAuth is, at best, a very small win, and possibly even a net loss. 

For complete PCI and PA-DSS compliance, we are required to run the services over HTTPS. Because HTTPS encrypts the credentials in transit, the Tessitura REST API running over HTTPS with Basic Auth for authentication and authorization is very secure.

This change will ONLY affect developers who are using the REST services for non-.NET applications or who have bypassed our .NET helper DLL and created their own.

Sometime in the next several months we will be releasing a new version of the API (and toolkit) with this change. We wanted to give developers a heads-up as early as possible.

Again, this doesn't affect the running of the application at all, just non-.NET applications written using the REST services. We'll make a more formal announcement when we do the actual release.