IRC log for #rest, 2015-04-02

https://trygvis.io/rest-wiki/

All times shown according to UTC.

Time S Nick Message
00:00 seanbrant joined #rest
00:02 seanbrant This is more of a JWT security question but here it goes. I have an identity server that returns JWT tokens used as access tokens to auth with my API server. The identity server also allows authing with third-party services like GitHub. If you connect your GitHub account I'd like to pass your GitHub access token to the API to make GitHub calls. Is it a bad idea to embed that access token into the JWT?
00:06 pdurbin this? JSON Web Tokens - http://jwt.io
00:06 seanbrant yeah
00:07 pdurbin never heard of it but maybe whartung has
00:26 whartung I just have to lol as we continue to replicate all of the XML world into JSON...
00:26 whartung no, I have not heard of JWT
00:27 whartung good thing the RFC is 35 pages!
00:27 whartung "JSON is easy!"
00:30 whartung I wonder how long it will be before we simply fall back into s-expressions
00:31 whartung lol
00:32 whartung JSON Web Signature is 67 pages
00:32 seanbrant joined #rest
00:33 pdurbin whartung: are you saying seanbrant should use SAML?
00:34 whartung nope, just cackling as JSON explodes into the similar complexities that afflict XML.
00:34 whartung I mean, I agree, JSON LOOKS better than XML, but here they are, re-inventing it all over again.
00:35 whartung all that time wasted
00:35 whartung gotta cya tomorrow
00:35 pdurbin o/
00:41 fumanchu_ as long as they're all separate RFCs and not mandatory extensions, let 'em dig their holes
00:41 shrink0r joined #rest
00:46 shrink0r_ joined #rest
00:47 pdurbin seanbrant: you have to get that access token to GitHub somehow
01:12 shrink0r joined #rest
02:04 seanbrant joined #rest
02:05 seanbrant pdurbin: I wasn't sure if I should query the identity server for it when I need it
02:06 pdurbin tired. going home. maybe i need a diagram
02:43 fumanchu joined #rest
03:38 _ollie joined #rest
03:47 dkm joined #rest
03:49 lemur joined #rest
04:37 tr3onlin_ joined #rest
05:15 tr3online joined #rest
06:37 vanHoesel joined #rest
07:44 tr3online joined #rest
08:02 rhyselsmore joined #rest
08:06 shrink0r joined #rest
08:43 vanHoesel joined #rest
08:47 shrink0r joined #rest
08:52 quimrstorres joined #rest
08:54 graste joined #rest
08:57 quimrstorres joined #rest
09:08 quimrsto_ joined #rest
09:16 Left_Turn joined #rest
09:41 mezod joined #rest
09:59 benaiah joined #rest
11:29 interop_madness joined #rest
11:58 quimrstorres joined #rest
13:24 blahdeblah_ joined #rest
13:35 blahdeblah joined #rest
13:35 blahdeblah joined #rest
14:04 quimrstorres joined #rest
14:28 quimrstorres joined #rest
15:31 quimrstorres joined #rest
16:27 lemur joined #rest
17:38 jackalista joined #rest
17:39 jackalista What are people seeing as best practices for fine grained access control within the REST world? I would have thought that XACML's JSON binding for REST would be a slam
17:40 jackalista dunk, as it separates access logic from app / API business logic but I'm not seeing ubiquitous adoption. What's the deal?
17:41 jackalista smart remarks encouraged, serious responses preferred ;)
17:49 * pdurbin looks at http://en.wikipedia.org/wiki/XACML
17:49 fumanchu (in my least snarky voice) how much ubiquity should one expect? I've been doing web dev for 15 years and have yet to need to share and therefore standardize on access control management
17:51 tr3online joined #rest
17:55 pdurbin jackalista: how fine grained are we talking?
17:55 tr3online joined #rest
18:00 whartung xacml is basically for redaction
18:46 tr3online joined #rest
18:49 shrink0r joined #rest
18:49 vanHoesel I've been pondering and actually created an implementation as well for (what I call for now) HTTP-Authoring... and would like to get some feedback
18:50 vanHoesel Basically, it does for unsafe methods what Content-Negotiation does for GET
18:51 vanHoesel where with GET we can request the server to give us a representation in a specific language
18:51 vanHoesel ... using "Accept-Language: foo"
18:53 vanHoesel I would like to see that we use "Content-Language: bar" for the other methods, telling the server the language we represent when doing a POST or PUT
18:55 vanHoesel or doing more scary stuff "adding a new translation with PUT" (since we have the URI) and removing one single representation when doing "DELETE with a Content-Language" or the entire resource, without
18:55 vanHoesel #### this all, to avoid nasty URLs that include a language subtree of the API
19:05 shrink0r_ joined #rest
19:17 shrink0r joined #rest
19:22 tr3online joined #rest
19:29 jackalista Hey -- sorry, in meetings, but will pop back shortly. We are financial systems, and handling payments for well known companies and individuals so
19:30 jackalista sec must be tight
19:30 jackalista generally looking at a base of RBAC with a layer of ABAC tightening. I have seen XACML, and it may be the answer (pdurbin, thx!)
19:30 jackalista but I am wondering why isn't XACML more widely adopted?
19:32 jackalista we have complex data, and several sets of users. Some are our FTEs, some are our client's FTEs and some are freelancers, basically, who have access now, and to multiple parties, but will have access curtailed shortly
19:32 jackalista due to finishing a contract, etc.
19:33 jackalista fine grained might mean that you have access to budgets, but just those of a specific client, and only those of that client relating to a specific project, or set of projects, for example. Make sense?
19:33 jackalista Thank you, very interested in what you have to say. XACML is good as it's separate from biz logic, but does it scale? And how best to scale it? Etc...
19:42 pdurbin jackalista: no idea if this is of interest but a coworker of mine developed a whole permissions system thing that we think is pretty granular: http://iqss.github.io/javaone2014-bof5619/#40
19:48 jackalista thanks pdurbin, will check that out
20:12 jackalista love the head first design patterns, lol
20:12 jackalista as if!  :P
20:19 pdurbin :)
20:20 pdurbin whartung: I'm getting a lot of mileage out of those slides. :)
20:20 whartung :)
20:21 whartung xacml isn't popular jackalista because it's overcomplicated.
20:44 tr3onlin_ joined #rest
21:35 whartung_ joined #rest
21:37 philbot joined #rest
21:37 Topic for #rest is now #rest REpresentational State Transfer | logs: http://irclog.greptilian.com/rest/today |  http://tech.groups.yahoo.com/group/rest-discuss | http://code.google.com/p/implementing-rest/ | http://en.wikipedia.org/wiki/Representational_State_Transfer
21:38 csgeek joined #rest
21:39 dkm joined #rest
21:57 hackel joined #rest
22:02 tr3online joined #rest
22:44 huckleberry78 joined #rest
23:41 pezra joined #rest