To start, I'm sorry I haven't actively replied for a while. I used to get emails whenever there was a new reply, and for some reason I haven't gotten any in a long time, so I assumed no one had said anything new
(maybe I forgot to mark my last notification as read, and therefore wouldn't get new emails?)
Anyhow, it seems like we have some different definitions and thoughts about an API, which have made me a bit confused. If I understand correctly, what @MunchWX wants is a userless API that is private to the board owner, meaning it could interact with phpBB in various ways without being connected to a user, am I right? Say, access to various board features that don't need to be in the context of a user (notifications of new posts, moderation, auto-post under a "non-user" account). I'm a bit tired right now and can't think of such an API off the top of my head, maybe something like the Android API where your app can use features of the OS.
That isn't the kind of API I had in mind at all. The API I had in mind was a "User" API, or REST API. Much like how Twitter and Facebook have APIs that allow developers to create apps which can post to Twitter/Facebook on behalf of the user, like Tweetdeck or Falcon or any other application that can post on Twitter or Facebook under a certain user.
My vision was to let developers create apps that can make use of any forum (and not only a single one at a time, but with the ability to add multiple forums to the app) where the API is enabled.
Maybe I have been unclear, or maybe I'm the one that's confused, but I thought it would be good to try to define what we want to do.
Regarding the authorization/authentication, it's a hard choice. OAuth2 seems widely used but for some reason I have a really hard time understanding it. I've tried a couple of times and it seems simple enough but then there is some catch or something new and complicated, and I feel like I can't really make a choice without fully understanding what you can do with OAuth2 and how you use the different strategies.
Both auth systems proposed, mine and OAuth2, have their advantages and disadvantages, but maybe the disadvantage of OAuth2 can be worked around if you actually know how each strategy works.
My understanding of OAuth2, as previously discussed, is that the forum needs to know about each app: the app developer has to register their app with each forum the app is used on. This works nicely when there is a single service, like Facebook or Twitter, but not so much where several services (forums) share the same API.
I know we have discussed this before in IRC. It wouldn't be feasible to have an app creator register their app on every phpBB board (how many are there?) since that would take lots of time, and imagine managing hundreds of application keys in your app that you are distributing to your users. The developer might even give the user the responsibility of registering the app on each forum they want to use, but doesn't that defeat the purpose?
A centralized solution was discussed where app authors would register their apps at phpbb.com, but that's probably not what we want. It would add a large cost, and if it went down, the API would stop working completely. Not to mention all the app keys would have to be distributed to each and every board (and I dunno, but the app keys in OAuth2 should be secret, right? With a centralized solution, they can't be secret).
OAuth2 would work fine if forum apps were made specifically for a single forum, but that wasn't my vision from the start when I proposed the API.
My auth system makes it possible to use any app on any board with the API enabled, but obviously it needs work and has its disadvantages. For example, board authors can't control which applications can access the board, and it's a custom-made solution and not very well-tested.
What @MunchWX wanted to do could possibly be implemented in the current API in the future, where you could maybe generate some special keys in the ACP which would allow your app to access the API without having to be connected to a user.
I was thinking a bit about how to approach this. Maybe we could implement both and let the board admin decide what kind of API they want, a board-specific OAuth2 API, or a board-neutral API, or both and give different permissions based on API type. What do you think about that solution? IMO it is up to the board author to decide if they want to open up their board API to everything or just specific apps.
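To make the "let the board admin decide" proposal concrete, here is an added Python sketch of the board-side policy check. It is an illustration written for this thread, not phpBB code and not the API described above; the mode names, the scope names and the choice of PBKDF2 for secret storage are all assumptions. It shows the two things a board would need to keep straight under such a scheme: a registered app's secret is only ever stored as a salted hash and compared in constant time, and an app that presents a registered client id with a wrong secret is rejected outright rather than quietly falling back to the board-neutral permissions.

```python
import hashlib
import hmac
import secrets

# Admin-selectable API policies (assumed names, mirroring the proposal above).
REGISTERED_ONLY = "registered_only"   # board-specific, OAuth2-style: registered apps only
BOARD_NEUTRAL = "board_neutral"       # any app may connect, with reduced permissions
BOTH = "both"                         # registered apps get their scopes, others get neutral

# Permissions an unregistered (board-neutral) app may receive; assumed values.
NEUTRAL_SCOPES = frozenset({"read", "post"})


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # Salted, slow hash so a leaked client table does not reveal app secrets.
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 100_000)


class BoardApiPolicy:
    """One board's API access policy, chosen by its admin."""

    def __init__(self, mode: str, neutral_scopes=NEUTRAL_SCOPES):
        if mode not in (REGISTERED_ONLY, BOARD_NEUTRAL, BOTH):
            raise ValueError(f"unknown API mode: {mode}")
        self.mode = mode
        self.neutral_scopes = frozenset(neutral_scopes)
        self._clients = {}  # client_id -> (salt, secret_hash, granted scopes)

    def register_app(self, client_id: str, scopes) -> str:
        """Admin registers an app on this board (the per-board OAuth2-style step).
        Returns the secret once; only its salted hash is kept."""
        secret = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        self._clients[client_id] = (salt, _hash_secret(secret, salt), frozenset(scopes))
        return secret

    def authorize(self, client_id: str, client_secret, requested):
        """Return an access grant for the requested scopes, or None if refused."""
        requested = frozenset(requested)
        entry = self._clients.get(client_id)

        # A registered client id is only ever checked against its secret.
        if entry is not None and self.mode in (REGISTERED_ONLY, BOTH):
            salt, stored_hash, granted = entry
            if client_secret is None or not hmac.compare_digest(
                _hash_secret(client_secret, salt), stored_hash
            ):
                return None  # wrong secret: no fallback to board-neutral access
            if not requested <= granted:
                return None  # asking for more than the admin granted
            return self._grant(client_id, requested, "registered")

        # Board-neutral mode: unknown apps get the admin's reduced scope set.
        if self.mode in (BOARD_NEUTRAL, BOTH):
            if not requested <= self.neutral_scopes:
                return None
            return self._grant(client_id, requested, "board_neutral")

        return None  # registered-only board and the app is not registered

    @staticmethod
    def _grant(client_id, scopes, kind):
        return {
            "client_id": client_id,
            "scopes": sorted(scopes),
            "kind": kind,
            "token": secrets.token_urlsafe(24),  # opaque bearer token (constructed)
        }


if __name__ == "__main__":
    board = BoardApiPolicy(BOTH)
    app_secret = board.register_app("my-reader-app", ["read", "post", "moderate"])
    print(board.authorize("my-reader-app", app_secret, ["moderate"]))
    print(board.authorize("some-other-app", None, ["read"]))
    print(board.authorize("some-other-app", None, ["moderate"]))  # None
```

The point of the `kind` field is that the rest of the board code can treat the two kinds of grant differently (for example, only ever letting a "registered" grant carry moderation permissions), which is the "different permissions based on API type" idea from the post.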