Re: Web Services API: URL naming proposal

>>>>> "Chris" == Chris Travers <..hidden..> writes:
    Chris> That's not a bad idea.

    >> On authentication, yes we can use http auth headers, but do we
    >> want to explicitly require a session token, too? We're starting
    >> to delve into OAuth -- which adds a layer of complexity but also
    >> can take away the need for the remote system to collect the
    >> password at all. This seems like a good option to support.

    Chris> A couple questions: 1) For an API aimed at other
    Chris> applications, why have a session token?  What does it buy us?
    Chris> In the main application we use a session token to enforce a

Potentially, it keeps a cleartext password from having to be embedded into
a database on the remote system.  It's okay if the session token expires
in a 2-week to 6-month time frame, and the remote application has to be
re-initialized with a password.
(This happens regularly with Newsrob on my Android, with its access to
my Google Reader Account/API)

    Chris> 2) How does OAuth affect our ability to pass through
    Chris> credentials to the database?  Or would a web services handle
    Chris> have to do its own authentication?

We would have to have a database password in one of our tables.

    Chris> 3) Does the added complexity make sense with general use
    Chris> cases?  I am assuming we are primarily interested in a web
    Chris> services API for server integration since a piece of
    Chris> software used primarily by the end user would be more likely
    Chris> to just call the db-level API (which would provide greater
    Chris> control over db transactions, and the like than one would
    Chris> get from a web services interface)?

Myself, I am thinking about integration with things like point of sale
web sites,  ticket/time tracking systems,  HR systems that deal with
payroll (vacation vs regular pay...)

    Chris> But those formats are not all entirely equivalent are they?
    Chris> I JSON and XML are close and could be easily supported
    Chris> together, but they allow nested data structures while form
    Chris> submissions are flat, right?  If we support form type

Form submission can be hierarchical.

]       He who is tired of Weird Al is tired of life!           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] ..hidden.. http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
	               then sign the petition. 
