IRC log for #rest, 2015-02-06

https://trygvis.io/rest-wiki/

All times shown according to UTC.

Time S Nick Message
00:14 shrink0r_ joined #rest
00:24 shrink0r joined #rest
01:34 Angry_Roy_Fieldi joined #rest
01:44 shrink0r_ joined #rest
02:04 shrink0r joined #rest
02:21 shrink0r joined #rest
02:31 blahdeblah joined #rest
02:45 blahdeblah joined #rest
02:45 blahdeblah joined #rest
03:01 blahdeblah joined #rest
03:01 blahdeblah joined #rest
03:07 blahdeblah joined #rest
03:07 blahdeblah joined #rest
03:11 blahdeblah_ joined #rest
03:16 blahdeblah joined #rest
03:16 blahdeblah joined #rest
03:22 blahdeblah_ joined #rest
03:29 blahdeblah joined #rest
03:29 blahdeblah joined #rest
03:33 blahdeblah_ joined #rest
03:51 lemur joined #rest
04:09 shrink0r joined #rest
04:11 blahdeblah joined #rest
04:11 blahdeblah joined #rest
04:35 diegoaguilar joined #rest
05:58 shrink0r joined #rest
07:37 _ollie joined #rest
07:47 shrink0r joined #rest
08:38 Andre-B joined #rest
08:51 graste joined #rest
09:30 quimrstorres joined #rest
09:36 shrink0r joined #rest
09:37 rosstuck joined #rest
09:52 Left_Turn joined #rest
10:15 quimrstorres joined #rest
10:15 martinfilliau joined #rest
10:24 tr3online joined #rest
10:52 shrink0r joined #rest
11:12 quimrstorres joined #rest
11:41 wsiqueir joined #rest
11:57 whatacold joined #rest
11:59 gamache joined #rest
12:01 mezod joined #rest
12:07 igitoor joined #rest
12:14 zama_ joined #rest
12:15 igitoor joined #rest
12:20 bigbluehat joined #rest
12:20 `0660 joined #rest
12:20 ChrisAnn joined #rest
12:28 quimrstorres joined #rest
12:43 whatacold joined #rest
12:55 tr3online joined #rest
13:37 Andre-B_ joined #rest
13:57 Mxyzpltk joined #rest
14:07 neuro_sys joined #rest
14:08 neuro_sys Authorization and authentication with REST is something I can't quite get my head around.
14:08 neuro_sys Like, let's say the client is somehow authorized, and then authenticated to a rest resource like /accounts/{user}/
14:09 neuro_sys the client GETs the resource /accounts/john/
14:09 neuro_sys but what if the client has authorized and authenticated as john, but GETs /accounts/marry/ ?
14:09 neuro_sys so Rest service should do AA, right?
14:10 neuro_sys (Actually I was hoping to get AA sorted out in a filter/proxy service before the rest request reaches the rest service)
14:10 neuro_sys so that the rest server would be completely oblivious of any authentication or authorization.
14:15 Jarda of course you can do that
14:15 Jarda but then the proxy service has to know about resource urls and access control
14:16 nkoza joined #rest
14:17 neuro_sys right, maybe it's best to handle that in the proxy service, so that REST is completely oblivious of any session state etc.
14:17 Jarda I use OAuth2 to authenticate users
14:17 quimrstorres joined #rest
14:17 Jarda every request to the REST service contains the bearer token in Authentication header
14:19 neuro_sys And how does /accounts/{user}/ know if he can serve marry to john or not?
14:19 neuro_sys s/he/it/
14:20 neuro_sys I should look into implementing OAuth2 though
14:20 Jarda well the service can check authenticated user by reading the Authorization header token value
14:20 Jarda check who owns the token
15:45 tr3online joined #rest
15:57 nkoza joined #rest
16:08 Left_Turn joined #rest
16:12 apennebaker-ni joined #rest
16:52 DrCode joined #rest
16:59 quimrstorres joined #rest
17:25 lemur joined #rest
17:33 jackalista neuro_sys: I prefer leaving the REST service oblivious, myself, I agree with that wholeheartedly. We're using oauth2, scopes and probably xacml somehow or another to provide authorization
18:14 quimrsto_ joined #rest
18:33 ralphschindler joined #rest
18:53 shrink0r joined #rest
19:31 ralphschindler joined #rest
21:06 quimrstorres joined #rest
21:47 warehouse13 joined #rest
22:07 ralphschindler joined #rest
22:27 quimrstorres joined #rest
22:43 dreamdust I've built services where the authorization token *is* the encrypted session information which includes permissions.
22:43 neuro_sys hah
22:44 dreamdust It has the huge advantage of not requiring a DB or network trip to unpack and validate the session
22:44 dreamdust AFAIK facebook takes a similar approach
22:45 dreamdust Of course you can't really revoke tokens immediately without pushing a code change.
22:45 dreamdust But if you're using OAuth and forcing the clients to come back to you to refresh their access token, you can always refresh stuff then.
22:48 Mxyzpltk joined #rest