Why Would Anybody Use OAuth for Internal Integrations!?
I recently had a conversation with support that made me ask this question. I have to admit, they were really helpful, and I only have good words for their support. But their engineering design decision left me baffled.
It goes like this. I was trying to create an integration. They use OAuth, so I was happy. People would not have trouble connecting. I also wanted to use the scopes that only work on the enterprise plans. Most of our customers have enterprise plans for this service, so I did not foresee any problems.
Except that I could not do it. The reason? Since we do not have an enterprise plan, they figured we would not need the enterprise scopes, and we cannot request them.
The more I read the documentation, the more I have the suspicion that they made some assumptions. Namely, that enterprises need these APIs for their internal scripts. Which could be a perfectly valid assumption.
But if this assumption is true, why use the OAuth system at all? OAuth has a lot of positive sides, but being easy to set up and run is not one of them.
Almost all the common ways of doing API authentication are simpler, from basic authentication with username and password to using an API key as the bearer token and so on.
OAuth is only easy for the user, once the entire flow is already established. I don't even want to think about all the things that I would need to set up if I were making the OAuth integration outside of my company framework. I'm not sure I would want to go through the trouble for a single integration.
At least they offer a way to generate the token internally and use it, but then why offer OAuth at all? I am really interested in how many apps created for internal use only even end up going through the OAuth flow at all.
And while I am a great fan of OAuth, it is overkill for some cases. And in this scenario it is.
But at least it should be possible that they will extend it in the future. So I will be able to write the integration for other customers. I guess in this case it makes sense to start with the system that would be a better choice in this case?
Because otherwise I just don't understand this decision...