Time Nick Message
20:21 ruibritopt trygvis: is this right?
20:21 ruibritopt trygvis: the token for me will be a random bit-string that I will store in a table Tokens with (@ID token, and @User userID), just so I know which user a token belongs to
20:19 ruibritopt trygvis: I am building my REST WS with Jersey and Spring, my client will be built in JS, do you know or recommend any examples or tutorials? I am very new at this
20:18 trygvis with WWW-Authenticate the client will send the token every time
20:17 trygvis there's no need for the session in the interaction
20:16 ruibritopt trygvis: is this the correct way of thinking?
20:15 ruibritopt trygvis: My train of thought is: login with credentials > if credentials valid > create token and store in DB > return token/sessionID to client... For every request the client sends the sessionID/token > check DB for the corresponding user info > if permissions ok then accept
20:15 trygvis ruibritopt: no, not as long as the user gets the token through something like HTTP's authentication mechanism
19:50 ruibritopt Does saving a sessionID/token that is associated with a user stored in the database violate the principles of RESTful web services?
19:48 ruibritopt lufi: did you get your question answered?
12:25 pdurbin it was quick and easy to support a token rather than a username/password but yeah, I've been meaning to look into OAuth.
08:57 Jarda over some in-house systems
08:57 Jarda I like to go with standards where possible
08:56 lufi oh I see
08:56 Jarda both backend and frontend
08:56 Jarda ready libraries to be used
08:55 lufi tooling?
08:55 Jarda there is so much tooling around OAuth2 available
08:55 Jarda also for pure browser apps
08:54 lufi @Jarda cool
08:54 lufi well in my perspective, a good guideline is sending an encrypted hash of the password over SSL
08:54 Jarda well I myself nowadays do everything with OAuth2
08:54 Jarda yeah well sending the password is not that bad if the API (as it should be) is served over HTTPS
08:54 lufi was thinking of posting a blog about it. You think it will be just fine? No security issues would arise? xD
08:53 Jarda IMHO a good guideline is that if it can be represented as an HTTP header it's good enough
08:52 Jarda where token was something that they got when they did a POST to /login
08:52 Jarda yeah I've once created something like Authorization: MyApp <token>
08:52 lufi Jarda I see, but using Basic auth will cause the user to send his password over. Anyway, just asking for some insights. I did implement something similar to OAuth though.
08:47 Jarda (Authorization: Basic <base64 representation of user:pass>)
08:47 Jarda but Basic auth is the other common one
08:46 Jarda session cookies would work too, but they aren't stateless
08:45 Jarda basically anything other than sessions
08:44 lufi Oh, as I've thought. Jarda, so are there other ways aside from OAuth?
08:35 Jarda but bearer tokens are a good way of transferring authorization in a stateless manner
08:34 Jarda of course not
08:26 lufi is OAuth required in developing a RESTful API?