pinball_player
Member
You are correct. The best way that Tesla should implement security is as follows:
1. Allow anyone wanting to use the Tesla API to be able to register a 'client' in the Tesla identity service.
2. Use method two above so that the username/password is never known by the service that wants to use the Tesla API.
3. The Tesla identity service should have an 'allow access to client xxx' checkbox.
4. Issue a short lived access token (5 or so minutes), and a refresh token (good for a long period of time).
5. When the service wanting access needs to, it sends its refresh token, along with the key and secret to get a new access/refresh token.
6. Allow the user to disable access to a specific client that was previously allowed (you are no longer using client xxx, so you should be able to disable access for that client, but not have to disable all other access).
There is an open source identity provider called Keycloak which we use in the company that I work for that does all of this. This is what Tesla should provide.
Microsoft/Facebook/etc. does this with their logins also.