Time  Nick       Message
20:21 ruibritopt trygvis: is this right?
20:21 ruibritopt trygvis: the token for me will be a random bit-string that I will store in a Table Tokens with (@ID token, and @User userID), just so I know which token a user belongs to
20:19 ruibritopt trygvis: I am building my REST WS with Jersey and Spring, my client will be built in JS, do you know or recommend any examples or tutorials? I am very new at this
20:18 trygvis    with www-authenticate the client will send the token every time
20:17 trygvis    there's no need for the session in the interaction
20:16 ruibritopt trygvis: is this the correct way of thinking?
20:15 ruibritopt trygvis: My train of thought is login with credentials > if credentials valid > create token and store in DB > Return token/sessionID to client...For every request the client sends the sessionID/Token > Check DB to see corresponding User info > if permissions ok then accept
20:15 trygvis    ruibritopt: no, not as long as the user gets the token through something like http's authentication mechanism
19:50 ruibritopt Does saving a sessionID/token that is associated to a user stored in the database violate the principle of RESTful web services?
19:48 ruibritopt lufi: did you get your question answered?
12:25 pdurbin    it was quick and easy to support a token rather than a username/password but yeah, I've been meaning to look into OAuth.
08:57 Jarda      over some inhouse systems
08:57 Jarda      I like to go with standards where possible
08:56 lufi       oh i see
08:56 Jarda      both backend and frontend
08:56 Jarda      ready libraries to be used
08:55 lufi       tooling?
08:55 Jarda      there is so much tooling around OAuth2 available
08:55 Jarda      also for pure browser apps
08:54 lufi       @Jarda cool
08:54 lufi       well in my perspective, a good guideline is sending an encrypted hash of the password over SSL
08:54 Jarda      well I myself nowadays do everything with OAuth2
08:54 Jarda      yeah well sending password is not that bad if the API (as it should be) is served over https
08:54 lufi       was thinking of posting a blog about it. you think it will be just fine? no security issues would arise? xD
08:53 Jarda      IMHO a good guideline is that if it can be represented as an HTTP header it's good enough
08:52 Jarda      where token was something that they got when they did a POST to /login
08:52 Jarda      yeah I've once created something like Authorization: MyApp <token>
08:52 lufi       Jarda I see, but using basic auth will cause the user to send his password over. anyway just asking for some insights. I did implement something similar to OAuth though.
08:47 Jarda      (Authorization: Basic <base64 representation of user:pass>)
08:47 Jarda      but Basic auth is the other common
08:46 Jarda      session cookies would work too, but they aren't stateless
08:45 Jarda      basically whatever else than sessions
08:44 lufi       Oh, as I've thought. Jarda so are there other ways aside from OAuth?
08:35 Jarda      but bearer tokens are a good way of transferring authorization in a stateless manner
08:34 Jarda      of course not
08:26 lufi       is OAuth required in developing a RESTful API?