IRC log for #rest, 2014-11-24

https://trygvis.io/rest-wiki/

All times shown according to UTC.

Time S Nick Message
00:12 lemur joined #rest
00:33 ruibritopt joined #rest
01:00 tr3online joined #rest
01:05 shrink0r joined #rest
01:16 tr3online joined #rest
01:25 pezra joined #rest
01:29 tr3online joined #rest
01:43 lemur joined #rest
02:16 tr3online joined #rest
02:32 lemur joined #rest
03:29 tr3online joined #rest
03:43 tr3online joined #rest
04:15 CentaurWarchief joined #rest
04:19 ruibrito_ joined #rest
04:59 tr3online joined #rest
05:19 shrink0r joined #rest
05:32 tr3online joined #rest
06:03 tr3online joined #rest
06:16 proteusguy joined #rest
06:23 talios joined #rest
06:37 adaro joined #rest
06:40 proteusguy joined #rest
07:08 shrink0r joined #rest
07:42 lemur joined #rest
08:12 tr3online joined #rest
08:15 rosstuck joined #rest
08:22 lufi joined #rest
08:26 ruibritopt joined #rest
08:26 lufi is oauth required in developing a restful api?
08:31 Left_Turn joined #rest
08:34 Jarda of course not
08:35 Jarda but bearer tokens are a good way of transferring authorization in a stateless manner
08:44 lufi Oh as what I've thought. Jarda so are there other ways aside from oauth?
08:45 Jarda basically whatever else than sessions
08:46 Jarda session cookies would work too, but they aren't stateless
08:47 Jarda but Basic auth is the other common
08:47 Jarda (Authorization: Basic <base64 representation of user:pass>)
08:52 lufi Jarda I see but using basic auth will cause the user to send his password over. anyway just asking for some insights. I did implement something similar to oauth though.
08:52 Jarda yeah I've once created something like Authorization: MyApp <token>
08:52 Jarda where token was something that they got when they did a POST to /login
08:53 Jarda IMHO a good guideline is that if it can be represented as an HTTP header it's good enough
08:54 lufi was thinking of posting a blog about it. you think it will be just fine? no security issues would arise? xD
08:54 Jarda yeah well sending password is not that bad if the API (as it should be) is served over https
08:54 marcoslamuria joined #rest
08:54 Jarda well I myself nowadays do everything with OAuth2
08:54 lufi well in my perspective. a good guideline is sending an encrypted hash of the password over ssl
08:54 lufi @Jarda cool
08:55 Jarda also for pure browser apps
08:55 Jarda there is so much tooling around OAuth2 available
08:55 lufi tooling?
08:56 Jarda ready libraries to be used
08:56 Jarda both backend and frontend
08:56 lufi oh i see
08:57 Jarda I like to go with standards where possible
08:57 Jarda over some inhouse systems
08:57 shrink0r joined #rest
09:39 rue_XIV joined #rest
09:58 tr3online joined #rest
09:58 tr3online joined #rest
10:10 quimrstorres joined #rest
10:10 martinfilliau joined #rest
10:13 quimrstorres joined #rest
10:36 shrink0r joined #rest
11:14 Andre-B joined #rest
11:35 Crippy joined #rest
12:03 quimrstorres joined #rest
12:13 quimrstorres joined #rest
12:25 pdurbin it was quick and easy to support a token rather than a username/password but yeah, I've been meaning to look into OAuth.
12:28 quimrstorres joined #rest
12:38 proteusguy joined #rest
12:56 interop_madness joined #rest
13:25 imanc joined #rest
13:26 ramsey joined #rest
13:26 ekroon_ joined #rest
13:26 blindscreen_ joined #rest
13:26 gluegadget joined #rest
13:26 locks joined #rest
14:20 Andre-B joined #rest
14:34 quimrstorres joined #rest
14:51 Andre-B joined #rest
14:58 aGHz joined #rest
14:59 quimrstorres joined #rest
15:14 saml joined #rest
15:25 quimrstorres joined #rest
17:15 ruibritopt joined #rest
17:59 heath joined #rest
18:00 quimrstorres joined #rest
19:31 marcoslamuria joined #rest
19:48 ruibritopt lufi: did you get your question answered?
19:50 ruibritopt Does saving a sessionID/token that is associated to a user stored in the Database violate the principle of RESTful web services?
19:54 shrink0r joined #rest
20:15 trygvis ruibritopt: no, not as long as the user gets the token through something like http's authentication mechanism
20:15 ruibritopt trygvis: My train of thought is login with credentials > if credentials valid > create token and store in DB > Return token/sessionID to client...For every request the client sends the sessionID/Token > Check DB to see corresponding User info > if permissions ok then accept
20:16 ruibritopt trygvis: is this the correct way of thinking?
20:17 trygvis there's no need for the session in the interaction
20:18 trygvis with www-authenticate the client will send the token every time
20:19 ruibritopt trygvis: I am building my REST WS with Jersey and Spring, my client will be built in JS, do you know or recommend any examples or tutorials? I am very new at this
20:19 marcoslamuria joined #rest
20:21 ruibritopt trygvis: the token for me will be a random bit-string that I will store in a Table Tokens with (@ID token, and @User userID), just so I know which token a user belongs to
20:21 ruibritopt trygvis: is this right?
20:24 tr3online joined #rest
20:42 marcoslamuria joined #rest
20:54 talios joined #rest
21:02 shrink0r_ joined #rest
21:37 shrink0r joined #rest
21:55 jackalista joined #rest
22:19 tr3online joined #rest
22:21 shrink0r_ joined #rest
22:31 proteusguy joined #rest
22:34 ruibritopt joined #rest
22:55 proteusguy joined #rest