| Time | S | Nick | Message |
|---|---|---|---|
| 00:01 | | | qw3rtman joined #rest |
| 00:43 | | | qw3rtman joined #rest |
| 01:49 | | | null_ref joined #rest |
| 02:06 | | | qw3rtman joined #rest |
| 02:22 | | | interop_katatoni joined #rest |
| 02:23 | | | qw3rtman joined #rest |
| 02:30 | | | qw3rtman joined #rest |
| 02:59 | | | Davey joined #rest |
| 04:25 | | tmoore | spaceone: is this the one you're looking for? http://www.w3.org/2000/Talks/1206-xml2k-tbl/slide5-0.html |
| 04:25 | | tmoore | or maybe something else from that deck? |
| 04:28 | | | qw3rtman joined #rest |
| 04:50 | | | rincewind joined #rest |
| 04:57 | | | qw3rtman joined #rest |
| 05:08 | | | wilmoore joined #rest |
| 05:17 | | | talios joined #rest |
| 05:46 | | | ferz joined #rest |
| 05:58 | | | qw3rtman joined #rest |
| 06:59 | | | qw3rtman joined #rest |
| 07:00 | | | sulaiman joined #rest |
| 07:01 | | sulaiman | Hello. I am currently accessing a REST API in my app. All it needs is an application ID and a client ID to perform an operation. Both IDs are stored in my app. How can I make it more secure? |
| 07:37 | | tmoore | sulaiman: do you have control of the server or just the client? |
| 07:41 | | sulaiman | tmoore, just the client |
| 07:42 | | tmoore | and it's a mobile app or something you distribute? |
| 07:42 | | sulaiman | yes, it's a mobile app. both IDs are stored as string constants |
| 07:50 | | tmoore | yeah, that's tricky... nothing you store in the app itself is truly secure |
| 07:51 | | tmoore | if someone stealing the credentials is a big problem, your best bet is to have your own server |
| 07:52 | | tmoore | you can keep the credentials for the API server on that middle server and proxy requests from the app |
| 07:52 | | tmoore | if you're worried about someone using the middle server as a relay for the API, you'd have to make people sign up for per-user accounts and secure it that way |
| 08:00 | | | qw3rtman joined #rest |
| 08:58 | | | martinfilliau joined #rest |
| 08:59 | | | Left_Turn joined #rest |
| 09:01 | | | qw3rtman joined #rest |
| 10:03 | | | qw3rtman joined #rest |
| 10:26 | | | shrink0r joined #rest |
| 10:36 | | | ldiamond joined #rest |
| 11:01 | | | graste joined #rest |
| 11:04 | | | qw3rtman joined #rest |
| 11:31 | | | ph88 joined #rest |
| 11:44 | | | DrCode joined #rest |
| 12:05 | | | qw3rtman joined #rest |
| 13:05 | | | qw3rtman joined #rest |
| 14:01 | | | dEPy joined #rest |
| 14:06 | | | qw3rtman joined #rest |
| 14:12 | | | pezra joined #rest |
| 14:47 | | | colton_ joined #rest |
| 14:48 | | colton_ | general question... pass auth token in header or body? |
| 14:49 | | | qw3rtman joined #rest |
| 15:00 | | pdurbin | colton_: redmine lets you pass it three ways: http://www.redmine.org/projects/redmine/wiki/Rest_api#Authentication |
| 15:03 | | | null_ref joined #rest |
| 15:16 | | | wilmoore joined #rest |
| 15:30 | | | fumanchu joined #rest |
| 15:41 | | | fumanchu_ joined #rest |
| 15:45 | | | fumanchu joined #rest |
| 15:47 | | | qw3rtman joined #rest |
| 16:13 | | | ldiamond joined #rest |
| 16:25 | | | danizord joined #rest |
| 16:44 | | | null_ref joined #rest |
| 16:47 | | | danizord joined #rest |
| 16:48 | | | nkoza joined #rest |
| 17:06 | | | wilmoore joined #rest |
| 17:21 | | | qw3rtman joined #rest |
| 17:44 | | | fumanchu_ joined #rest |
| 17:48 | | | fumanchu joined #rest |
| 17:55 | | | fumanchu_ joined #rest |
| 18:05 | | | qw3rtman joined #rest |
| 18:24 | | | ferz joined #rest |
| 19:13 | | | fumanchu joined #rest |
| 19:29 | | | wilmoore joined #rest |
| 19:38 | | | qw3rtman joined #rest |
| 19:59 | | | igitoor joined #rest |
| 19:59 | | | adaro joined #rest |
| 20:13 | | | igitoor joined #rest |
| 20:15 | | | pezra joined #rest |
| 21:25 | | | qw3rtman joined #rest |
| 21:56 | | | fumanchu joined #rest |
| 22:07 | | | talios joined #rest |
| 22:13 | | | talios joined #rest |
| 22:14 | | | talios joined #rest |
| 22:21 | | | fumanchu joined #rest |
| 22:26 | | | qw3rtman joined #rest |
| 22:48 | | | qw3rtman joined #rest |
| 23:23 | | | qw3rtman joined #rest |
| 23:24 | | | fumanchu joined #rest |
| 23:28 | | | slavka`a joined #rest |
| 23:28 | | slavka`a | hey guys... is it generally bad practice to pass an API key in a GET request? |
| 23:30 | | whartung | eh, IMHO "yes", because I don't feel urls should be bound to clients like that. |
| 23:30 | | whartung | resource names should be… resource names. |
| 23:31 | | slavka`a | whartung: so how would i pass client identifying information? |
| 23:32 | | whartung | Authorization header |
| 23:34 | | slavka`a | ok thanks |
| 23:36 | | whartung | take a look at Amazon's web services. |
| 23:36 | | whartung | I always refer to them when folks are talking about this kind of thing. |
| 23:43 | | slavka` | whartung: i was going to use oauth2 for authentication though |
| 23:44 | | whartung | I'm not familiar enough with oauth2 to comment. |
| 23:50 | | slavka` | whartung: it would probably be more suitable in situations where the client cannot contain a secret key... e.g. a js client |
| 23:52 | | whartung | AWS has leases as well |
| 23:55 | | slavka` | whartung: can you point me to a relevant url? |
| 23:56 | | whartung | http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html |
| 23:57 | | whartung | I advocate AWS simply because a) it's well documented, b) it's used by millions upon millions of people every day, including Bad Actors, c) it's vetted by a company with the resources to ensure that it stays secure. |
| 23:57 | | whartung | what it's lacking |
| 23:57 | | whartung | is decent, open server side implementations. |