>>>>> "Chris" == Chris Travers <..hidden..> writes: Chris> That's not a bad idea. >> On authentication, yes we can use http auth headers, but do we >> want to explicitly require a session token, too? We're starting >> to delve into OAuth -- which adds a layer of complexity but also >> can take away the need for the remote system to collect the >> password at all. This seems like a good option to support. Chris> A couple questions: 1) For an API aimed at other Chris> applications, why have a session token? What does it buy us? Chris> In the main application we use a session token to enforce a Potentially, it keeps a cleartext password from having to be embedded into a database on the remote system. It's okay if the session token expires in a 2week to 6month time frame, and the remote application has to be re-initialized with a password. (This happens regularly with Newsrob on my Android, with it's access to my Google Reader Account/API) Chris> 2) How does OAuth affect our ability to pass through Chris> credentials to the database? Or would a web services handle Chris> have to do its own authentication? We would have to have a database password in one our tables. Chris> 3) Does the added complexity make sense with general use Chris> cases? I am assuming we are primarily interested in a web Chris> services API for Chris> server integration since a piece of software used primarily Chris> by Chris> the end user would be more likely to just call the db-level Chris> API (which would provide greater control over db Chris> transactions, and the like than one would get from a web Chris> services interface)? Myself, I am thinking about integration with things like point of sale web sites, ticket/time tracking systems, HR systems that deal with payroll (vacation vs regular pay...) Chris> But those formats are not all entirely equivalent are they? Chris> I JSON and XML are close and could be easily supported Chris> together, but they allow nested data structures while form Chris> submissions are flat, right? If we support form type Form submission can be hierarchial. -- ] He who is tired of Weird Al is tired of life! | firewalls [ ] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[ ] ..hidden.. http://www.sandelman.ottawa.on.ca/ |device driver[ Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE> then sign the petition.
Description: PGP signature