[DAS] Personal genomics/Deploying a DAS server for Dummies/6 Easy steps

Dan Bolser dan.bolser at gmail.com
Mon Jan 16 21:12:52 UTC 2012


On 16 January 2012 18:31, Andy Jenkinson <andy.jenkinson at ebi.ac.uk> wrote:
> I rather suspect this is a purely mental exercise, but that's fine for me ;)

<snip (too mental for me ;-)>

> OAuth is entirely based upon the notion that the server with the data (e.g. Google Contacts) can trust the application (e.g. the Android Contacts app) to do the right thing with the data. There is no requirement that the person who owns the data, or any other person, has to be present, and the application doesn't have to prove that this will happen. It just has to get the user to agree that the application can be trusted. It's up to us therefore to provide a secure link between OpenID and OAuth.

Right, the person who 'owns' the data (i.e. a list of contacts hosted
on a Google account) explicitly grants the third party 'app'
permission to access the data (via the account) in a specified way (as
defined by the Google APIs). That app can then email all your contacts
in the middle of the night while you're sleeping, but you trust that
that won't happen when you click the 'grant' button.

i.e. I (the verified me) can grant Ensembl permission to access my SNP
genotype data from 23andMe (hah), and I trust Ensembl not to do
anything nasty with that data when I log off.

Although it's a bit of a pain to set this up, the point is that
literally thousands of app developers (including me) have done it
before, and there are hundreds of docs. Here is where I started when I
built a command line twitter bot:
https://dev.twitter.com/docs/auth


I'm not trying to say it's quick and easy to do and everyone should do
it like this, I just thought I'd provide the above encapsulation,
which hopefully isn't too far from how it could be done.


Cheers,
Dan.
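The delegation Dan describes above (the verified user clicks 'grant', the app keeps a token it can use later with nobody present, and scope is the only thing limiting what it can do) is modelled in the following Python, which is an added illustration by the editor and not code from the thread or from DAS, Ensembl or 23andMe. It follows the OAuth 2.0 bearer-token shape (opaque token, server-side introspection) rather than the OAuth 1.0a HMAC-signed requests the 2012 Twitter docs Dan links to used; the scope names, client ids, genotype and contact data are all invented, and the 'clock' is injected so the expiry case is reproducible offline.

```python
"""Minimal model of OAuth-style delegated access, showing what the
'grant' button actually hands to an app. Editor's added example; the
scopes, client ids and sample data below are constructed, not real."""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Grant:
    """What the authorization server remembers about one consent decision."""
    user: str            # resource owner who clicked 'grant' (verified via OpenID or similar)
    client_id: str       # the app the grant was made to
    scopes: frozenset    # exactly what the user agreed to, nothing more
    expires_at: float    # unix time; after this the token is dead
    revoked: bool = False


class AuthorizationServer:
    """Issues bearer tokens for grants and answers 'is this token still good?'."""

    def __init__(self, clock):
        self._clock = clock          # injectable so the example is deterministic
        self._grants = {}            # sha256(token) -> Grant; never store raw tokens

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def authorize(self, user, client_id, scopes, ttl=3600) -> str:
        """Called only while the resource owner is present and has consented.
        Returns the bearer token the app keeps after the user logs off."""
        token = secrets.token_urlsafe(32)
        self._grants[self._key(token)] = Grant(user, client_id, frozenset(scopes),
                                               self._clock() + ttl)
        return token

    def introspect(self, token, client_id):
        """Return the Grant if the token is live and was issued to this client, else None.
        Note what is NOT checked: whether the user is logged in anywhere right now."""
        g = self._grants.get(self._key(token))
        if g is None or g.revoked or g.client_id != client_id or self._clock() >= g.expires_at:
            return None
        return g

    def revoke_all(self, user, client_id):
        """The user's only lever after the fact: pull the grant."""
        for g in self._grants.values():
            if g.user == user and g.client_id == client_id:
                g.revoked = True


class ResourceServer:
    """Holds the data and enforces scope on every call."""

    def __init__(self, auth: AuthorizationServer, genotypes: dict, contacts: dict):
        self._auth = auth
        self._genotypes = genotypes
        self._contacts = contacts

    def _check(self, token, client_id, needed):
        g = self._auth.introspect(token, client_id)
        if g is None:
            return None, "invalid_token"
        if needed not in g.scopes:
            return None, "insufficient_scope"
        return g, None

    def read_genotype(self, token, client_id):
        g, err = self._check(token, client_id, "genotype:read")
        return (self._genotypes.get(g.user), None) if g else (None, err)

    def send_email_to_contacts(self, token, client_id):
        g, err = self._check(token, client_id, "contacts:email")
        return (list(self._contacts.get(g.user, [])), None) if g else (None, err)


def demo():
    """Walk through the grant, the unattended use, and the three ways it stops."""
    now = [1_326_000_000.0]          # fixed 'now' for reproducibility
    auth = AuthorizationServer(lambda: now[0])
    rs = ResourceServer(auth,
                        genotypes={"dan": {"rs12345": "AG"}},   # constructed sample data
                        contacts={"dan": ["andy@example"]})
    # Dan, logged in, grants the hypothetical 'ensembl' client read access to genotype only.
    token = auth.authorize("dan", "ensembl", ["genotype:read"])
    results = {}
    results["read_ok"] = rs.read_genotype(token, "ensembl")
    # The app can call this at 3am with nobody present; scope is the only limit.
    results["email_denied"] = rs.send_email_to_contacts(token, "ensembl")
    # The same token presented by a different client id is refused.
    results["wrong_client"] = rs.read_genotype(token, "evil-app")
    now[0] += 3601                   # past the ttl: token expires
    results["expired"] = rs.read_genotype(token, "ensembl")
    now[0] -= 3601
    auth.revoke_all("dan", "ensembl")
    results["revoked"] = rs.read_genotype(token, "ensembl")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The point Andy makes in the quoted text is visible in `introspect`: nothing in the check says the user is present, only that a valid grant exists, so binding "the verified me" (OpenID) to the grant has to happen at `authorize` time, and afterwards the only controls are scope, expiry and revocation.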