| Time |
S |
Nick |
Message |
| 00:14 |
|
|
shrink0r_ joined #rest |
| 00:24 |
|
|
shrink0r joined #rest |
| 01:34 |
|
|
Angry_Roy_Fieldi joined #rest |
| 01:44 |
|
|
shrink0r_ joined #rest |
| 02:04 |
|
|
shrink0r joined #rest |
| 02:21 |
|
|
shrink0r joined #rest |
| 02:31 |
|
|
blahdeblah joined #rest |
| 02:45 |
|
|
blahdeblah joined #rest |
| 02:45 |
|
|
blahdeblah joined #rest |
| 03:01 |
|
|
blahdeblah joined #rest |
| 03:01 |
|
|
blahdeblah joined #rest |
| 03:07 |
|
|
blahdeblah joined #rest |
| 03:07 |
|
|
blahdeblah joined #rest |
| 03:11 |
|
|
blahdeblah_ joined #rest |
| 03:16 |
|
|
blahdeblah joined #rest |
| 03:16 |
|
|
blahdeblah joined #rest |
| 03:22 |
|
|
blahdeblah_ joined #rest |
| 03:29 |
|
|
blahdeblah joined #rest |
| 03:29 |
|
|
blahdeblah joined #rest |
| 03:33 |
|
|
blahdeblah_ joined #rest |
| 03:51 |
|
|
lemur joined #rest |
| 04:09 |
|
|
shrink0r joined #rest |
| 04:11 |
|
|
blahdeblah joined #rest |
| 04:11 |
|
|
blahdeblah joined #rest |
| 04:35 |
|
|
diegoaguilar joined #rest |
| 05:58 |
|
|
shrink0r joined #rest |
| 07:37 |
|
|
_ollie joined #rest |
| 07:47 |
|
|
shrink0r joined #rest |
| 08:38 |
|
|
Andre-B joined #rest |
| 08:51 |
|
|
graste joined #rest |
| 09:30 |
|
|
quimrstorres joined #rest |
| 09:36 |
|
|
shrink0r joined #rest |
| 09:37 |
|
|
rosstuck joined #rest |
| 09:52 |
|
|
Left_Turn joined #rest |
| 10:15 |
|
|
quimrstorres joined #rest |
| 10:15 |
|
|
martinfilliau joined #rest |
| 10:24 |
|
|
tr3online joined #rest |
| 10:52 |
|
|
shrink0r joined #rest |
| 11:12 |
|
|
quimrstorres joined #rest |
| 11:41 |
|
|
wsiqueir joined #rest |
| 11:57 |
|
|
whatacold joined #rest |
| 11:59 |
|
|
gamache joined #rest |
| 12:01 |
|
|
mezod joined #rest |
| 12:07 |
|
|
igitoor joined #rest |
| 12:14 |
|
|
zama_ joined #rest |
| 12:15 |
|
|
igitoor joined #rest |
| 12:20 |
|
|
bigbluehat joined #rest |
| 12:20 |
|
|
`0660 joined #rest |
| 12:20 |
|
|
ChrisAnn joined #rest |
| 12:28 |
|
|
quimrstorres joined #rest |
| 12:43 |
|
|
whatacold joined #rest |
| 12:55 |
|
|
tr3online joined #rest |
| 13:37 |
|
|
Andre-B_ joined #rest |
| 13:57 |
|
|
Mxyzpltk joined #rest |
| 14:07 |
|
|
neuro_sys joined #rest |
| 14:08 |
|
neuro_sys |
Authorization and authentication with REST is something I can't quite get my head around. |
| 14:08 |
|
neuro_sys |
Like, let's say the client is somehow authorized, and then authenticated to a rest resource like /accounts/{user}/ |
| 14:09 |
|
neuro_sys |
the client GETs the resource /accounts/john/ |
| 14:09 |
|
neuro_sys |
but what if the client has authorized and authenticated as john, but GETs /accounts/marry/ ? |
| 14:09 |
|
neuro_sys |
so Rest service should do AA, right? |
| 14:10 |
|
neuro_sys |
(Actually I was hoping to get AA sorted out in a filter/proxy service before the rest request reaches the rest service) |
| 14:10 |
|
neuro_sys |
so that the rest server would be completely oblivious of any authentication or authorization. |
| 14:15 |
|
Jarda |
of course you can do that |
| 14:15 |
|
Jarda |
but then the proxy service has to know about resource urls and access control |
| 14:16 |
|
|
nkoza joined #rest |
| 14:17 |
|
neuro_sys |
right, maybe it's best to handle that in the proxy service, so that REST is completely oblivious of any session state etc. |
| 14:17 |
|
Jarda |
I use OAuth2 to authenticate users |
| 14:17 |
|
|
quimrstorres joined #rest |
| 14:17 |
|
Jarda |
every request to the REST service contains the bearer token in Authentication header |
| 14:19 |
|
neuro_sys |
And how does /accounts/{user}/ know if he can serve marry to john or not? |
| 14:19 |
|
neuro_sys |
s/he/it/ |
| 14:20 |
|
neuro_sys |
I should look into implementing OAuth2 though |
| 14:20 |
|
Jarda |
well the service can check authenticated user by reading the Authorization header token value |
| 14:20 |
|
Jarda |
check who owns the token |
| 15:45 |
|
|
tr3online joined #rest |
| 15:57 |
|
|
nkoza joined #rest |
| 16:08 |
|
|
Left_Turn joined #rest |
| 16:12 |
|
|
apennebaker-ni joined #rest |
| 16:52 |
|
|
DrCode joined #rest |
| 16:59 |
|
|
quimrstorres joined #rest |
| 17:25 |
|
|
lemur joined #rest |
| 17:33 |
|
jackalista |
neuro_sys: I prefer leaving the REST service oblivious, myself, I agree with that wholeheartedly. We're using oauth2, scopes and probably xacml somehow or another to provide authorization |
| 18:14 |
|
|
quimrsto_ joined #rest |
| 18:33 |
|
|
ralphschindler joined #rest |
| 18:53 |
|
|
shrink0r joined #rest |
| 19:31 |
|
|
ralphschindler joined #rest |
| 21:06 |
|
|
quimrstorres joined #rest |
| 21:47 |
|
|
warehouse13 joined #rest |
| 22:07 |
|
|
ralphschindler joined #rest |
| 22:27 |
|
|
quimrstorres joined #rest |
| 22:43 |
|
dreamdust |
I've built services where the authorization token *is* the encrypted session information which includes permissions. |
| 22:43 |
|
neuro_sys |
hah |
| 22:44 |
|
dreamdust |
It has the huge advantage of not requiring a DB or network trip to unpack and validate the session |
| 22:44 |
|
dreamdust |
AFAIK facebook takes a similar approach |
| 22:45 |
|
dreamdust |
Of course you can't really revoke tokens immediately without pushing a code change. |
| 22:45 |
|
dreamdust |
But if you're using OAuth and forcing the clients to come back to you to refresh their access token, you can always refresh stuff then. |
| 22:48 |
|
|
Mxyzpltk joined #rest |