>>>>> "Chris" == Chris Travers <..hidden..> writes:
Chris> That's not a bad idea.
>> On authentication, yes we can use http auth headers, but do we
>> want to explicitly require a session token, too? We're starting
>> to delve into OAuth -- which adds a layer of complexity but also
>> can take away the need for the remote system to collect the
>> password at all. This seems like a good option to support.
Chris> A couple questions: 1) For an API aimed at other
Chris> applications, why have a session token? What does it buy us?
Chris> In the main application we use a session token to enforce a

Potentially, it keeps a cleartext password from having to be embedded into
a database on the remote system. It's okay if the session token expires
in a 2-week to 6-month time frame, and the remote application has to be
re-initialized with a password.
(This happens regularly with Newsrob on my Android, with its access to
my Google Reader Account/API)

Chris> 2) How does OAuth affect our ability to pass through
Chris> credentials to the database? Or would a web services handle
Chris> have to do its own authentication?

We would have to have a database password in one of our tables.

Chris> 3) Does the added complexity make sense with general use
Chris> cases? I am assuming we are primarily interested in a web
Chris> services API for server integration since a piece of
Chris> software used primarily by the end user would be more
Chris> likely to just call the db-level API (which would provide
Chris> greater control over db transactions, and the like than one
Chris> would get from a web services interface)?

Myself, I am thinking about integration with things like point of sale
web sites, ticket/time tracking systems, HR systems that deal with
payroll (vacation vs regular pay...)

Chris> But those formats are not all entirely equivalent are they?
Chris> I JSON and XML are close and could be easily supported
Chris> together, but they allow nested data structures while form
Chris> submissions are flat, right? If we support form type

Form submission can be hierarchical.

--
] He who is tired of Weird Al is tired of life! | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] ..hidden.. http://www.sandelman.ottawa.on.ca/ |device driver[
Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
then sign the petition.