Time | S | Nick | Message
00:00 | | | seanbrant joined #rest
00:02 | | seanbrant | This is more of a JWT security question, but here it goes. I have an identity server that returns JWT tokens used as access tokens to auth with my API server. The identity server also allows authing with third-party services like GitHub. If you connect your GitHub account I'd like to pass your GitHub access token to the API to make GitHub calls. Is it a bad idea to embed that access token into the JWT?
00:06 | | pdurbin | this? JSON Web Tokens - http://jwt.io
00:06 | | seanbrant | yeah
00:07 | | pdurbin | never heard of it but maybe whartung has
00:26 | | whartung | I just have to lol as we continue to replicate all of the XML world into JSON...
00:26 | | whartung | no, I have not heard of JWT
00:27 | | whartung | good thing the RFC is 35 pages!
00:27 | | whartung | "JSON is easy!"
00:30 | | whartung | I wonder how long it will be before we simply fall back into s-expressions
00:31 | | whartung | lol
00:32 | | whartung | JSON Web Signature is 67 pages
00:32 | | | seanbrant joined #rest
00:33 | | pdurbin | whartung: are you saying seanbrant should use SAML?
00:34 | | whartung | nope, just cackling as JSON explodes into the similar complexities that afflict XML.
00:34 | | whartung | I mean, I agree, JSON LOOKS better than XML, but here they are, re-inventing it all over again.
00:35 | | whartung | all that time wasted
00:35 | | whartung | gotta cya tomorrow
00:35 | | pdurbin | o/
00:41 | | fumanchu_ | as long as they're all separate RFCs and not mandatory extensions, let 'em dig their holes
00:41 | | | shrink0r joined #rest
00:46 | | | shrink0r_ joined #rest
00:47 | | pdurbin | seanbrant: you have to get that access token to GitHub somehow
01:12 | | | shrink0r joined #rest
02:04 | | | seanbrant joined #rest
02:05 | | seanbrant | pdurbin: I wasn't sure if I should query the identity server for it when I need it
02:06 | | pdurbin | tired. going home. maybe I need a diagram
02:43 | | | fumanchu joined #rest
03:38 | | | _ollie joined #rest
03:47 | | | dkm joined #rest
03:49 | | | lemur joined #rest
04:37 | | | tr3onlin_ joined #rest
05:15 | | | tr3online joined #rest
06:37 | | | vanHoesel joined #rest
07:44 | | | tr3online joined #rest
08:02 | | | rhyselsmore joined #rest
08:06 | | | shrink0r joined #rest
08:43 | | | vanHoesel joined #rest
08:47 | | | shrink0r joined #rest
08:52 | | | quimrstorres joined #rest
08:54 | | | graste joined #rest
08:57 | | | quimrstorres joined #rest
09:08 | | | quimrsto_ joined #rest
09:16 | | | Left_Turn joined #rest
09:41 | | | mezod joined #rest
09:59 | | | benaiah joined #rest
11:29 | | | interop_madness joined #rest
11:58 | | | quimrstorres joined #rest
13:24 | | | blahdeblah_ joined #rest
13:35 | | | blahdeblah joined #rest
13:35 | | | blahdeblah joined #rest
14:04 | | | quimrstorres joined #rest
14:28 | | | quimrstorres joined #rest
15:31 | | | quimrstorres joined #rest
16:27 | | | lemur joined #rest
17:38 | | | jackalista joined #rest
17:39 | | jackalista | What are people seeing as best practices for fine-grained access control within the REST world? I would have thought that XACML's JSON binding for REST would be a slam
17:40 | | jackalista | dunk, as it separates access logic from app / API business logic, but I'm not seeing ubiquitous adoption. What's the deal?
17:41 | | jackalista | smart remarks encouraged, serious responses preferred ;)
17:49 | | * pdurbin | looks at http://en.wikipedia.org/wiki/XACML
17:49 | | fumanchu | (in my least snarky voice) how much ubiquity should one expect? I've been doing web dev for 15 years and have yet to need to share and therefore standardize on access control management
17:51 | | | tr3online joined #rest
17:55 | | pdurbin | jackalista: how fine-grained are we talking?
17:55 | | | tr3online joined #rest
18:00 | | whartung | xacml is basically for redaction
18:46 | | | tr3online joined #rest
18:49 | | | shrink0r joined #rest
18:49 | | vanHoesel | I've been pondering and actually created an implementation as well for (what I call for now) HTTP-Authoring... and would like to get some feedback
18:50 | | vanHoesel | Basically, it does for unsafe methods what Content-Negotiation does for GET
18:51 | | vanHoesel | where with GET we can request the server to give us a representation in a specific language
18:51 | | vanHoesel | ... using "Accept-Language: foo"
18:53 | | vanHoesel | I would like to see that we use "Content-Language: bar" for the other methods, telling the server the language we represent when doing a POST or PUT
18:55 | | vanHoesel | or doing more scary stuff "adding a new translation with PUT" (since we have the URI) and removing one single representation when doing "DELETE with a Content-Language" or the entire resource, without
18:55 | | vanHoesel | #### this all, to avoid nasty URLs that include a language subtree of the API
19:05 | | | shrink0r_ joined #rest
19:17 | | | shrink0r joined #rest
19:22 | | | tr3online joined #rest
19:29 | | jackalista | Hey -- sorry, in meetings, but will pop back shortly. We are financial systems, and handling payments for well known companies and individuals so
19:30 | | jackalista | sec must be tight
19:30 | | jackalista | generally looking at base of RBAC with layer of ABAC tightening. I have seen XACML, and it may be the answer (pdurbin, thx!)
19:30 | | jackalista | but I am wondering why isn't XACML more widely adopted?
19:32 | | jackalista | we have complex data, and several sets of users. Some are our FTEs, some are our client's FTEs and some are freelancers, basically, who have access now, and to multiple parties, but will have access curtailed shortly
19:32 | | jackalista | due to finishing a contract, etc.
19:33 | | jackalista | fine-grained might mean that you have access to budgets, but just those of a specific client, and only those of that client relating to a specific project, or set of projects, for example. Make sense?
19:33 | | jackalista | Thank you, very interested in what you have to say. XACML is good as it's separate from biz logic, but does it scale? And how best to scale it? Etc...
19:42 | | pdurbin | jackalista: no idea if this is of interest but a coworker of mine developed a whole permissions system thing that we think is pretty granular: http://iqss.github.io/javaone2014-bof5619/#40
19:48 | | jackalista | thanks pdurbin, will check that out
20:12 | | jackalista | love the head first design patterns, lol
20:12 | | jackalista | as if! :P
20:19 | | pdurbin | :)
20:20 | | pdurbin | whartung: I'm getting a lot of mileage out of those slides. :)
20:20 | | whartung | :)
20:21 | | whartung | xacml isn't popular jackalista because it's overcomplicated.
20:44 | | | tr3onlin_ joined #rest
21:35 | | | whartung_ joined #rest
21:37 | | | philbot joined #rest
21:37 | | | Topic for #rest is now #rest REpresentational State Transfer | logs: http://irclog.greptilian.com/rest/today | http://tech.groups.yahoo.com/group/rest-discuss | http://code.google.com/p/implementing-rest/ | http://en.wikipedia.org/wiki/Representational_State_Transfer
21:38 | | | csgeek joined #rest
21:39 | | | dkm joined #rest
21:57 | | | hackel joined #rest
22:02 | | | tr3online joined #rest
22:44 | | | huckleberry78 joined #rest
23:41 | | | pezra joined #rest