Name: Bearer Token?
http://self-issued.info/docs/draft-ietf-oauth-v2-bearer.html
Or am I wrong?


On Mon, Jun 29, 2015 at 1:08 AM Massimo Di Pierro <
massimo.dipie...@gmail.com> wrote:

> as you suggested I added unique=True
> as you suggested I reduced the number of db queries from 2 to 1 (when not
> on GAE)
> yes it should check for expiration (will add that)
> as you suggested you can now use a header (web2py_api_token) instead of
> ?_token=...
> I think the manage_tokens page is useful so I will leave it there.
>
> I also agree with you that this is more like a login method except that it
> only works for decorated actions, so the developer can choose where to allow
> this. It does not have to create a session but it may. I would recommend
> using session.forget() within the decorated actions but I do not think it
> should be default. I can see programs that may want a session to be created.
>
> I am happy to change the api_tokens name to something else. What do you
> suggest?
>
> Massimo
>
>
> On Sunday, 28 June 2015 16:36:24 UTC-5, Niphlod wrote:
>>
>> Ok, read it carefully... All of that IMHO isn't really what users want
>> to implement a token-based auth on top of an API.
>> Apart from the fact that if the schema of the tokens table gets corrected
>> (a FK to the user_id and token unique) the first two queries are
>> collapsible into one, calling login_user() triggers update_groups() (not
>> sure if an API needs it for every call), plus it renews the session (that
>> in an API isn't there for sure), and creates a new Session (and again, the
>> cookie-based Session isn't something an API uses or requires).
>>
>> The way I see it, a token-based authentication is good for a kind of
>> cached/speedy authentication. You expect zillions of calls to an API and you
>> don't want usernames/passwords flying around, so you publish something
>> behind the usual auth that generates a code that identifies you. Or you
>> have a zillion mini-programs that need to call the API and you don't want
>> to store a username-password combo in each and every program, so you request
>> a token. Usually the token is also generated for a "scope", so, e.g., the
>> authenticated user with the token can't invalidate all other tokens... or
>> change the profile email, etc etc. This goes beyond the scope of a simple
>> helper in web2py and goes towards being an OAuth provider... an entirely
>> different story.
>> Let's assume though that the token auth gets the same permissions as the
>> usual one... who you are (when you generated the token) is only one piece
>> of the info: the other piece is what you're allowed to do with that token.
>> For all intents and purposes, a "token-based" auth for an API IMHO
>> resembles very closely what in non-API environments is persisted in web2py
>> with the Session (under the hood a cookie with the session id). Specifically
>> the session.auth part.
>>
>> non-API: You log in, the "heavy auth thingies" take place there and only
>> there (are you a valid user, is your password correct, which groups are you
>> in, did you complete the registration process, and so on), and from there
>> on you are issued a "lightweight" Session that relieves web2py from
>> constantly checking at every request who you are and what you can do
>> (through membership).
>>
>> API: you request a token for your login, the "heavy auth thingies" take
>> place there and only there, and you're issued a "lightweight" token (with
>> an optional expiration) that relieves web2py from constantly checking who
>> you are and what you can do.
>>
>> This naming (api_tokens) collides with the implementation: it's slower
>> than the default (thinking about basic auth) because it requires at least 3
>> queries for any call (1) is there a token, 2) is there a user with that id
>> (duh?), 3) are there groups for that user). On top of that, it creates a new
>> session for every call. As it is, it'd be better implemented as a new login
>> method (and BTW, it surely is just a login method), living in contrib.
>>
>>
>>
>>  --
> Resources:
> - http://web2py.com
> - http://web2py.com/book (Documentation)
> - http://github.com/web2py/web2py (Source code)
> - https://code.google.com/p/web2py/issues/list (Report Issues)
> ---
> You received this message because you are subscribed to the Google Groups
> "web2py-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to web2py+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
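The design the thread converges on (unique token with a FK to the user, one lookup query, an expiration check, the token carried in a web2py_api_token header rather than ?_token=..., and no session created per call) as an added example; this is not web2py's code or Massimo's patch. It assumes an in-memory sqlite3 table standing in for the DAL tables, a plain function decorator standing in for a web2py action decorator, and that tokens are stored hashed (my assumption, not something the thread specifies).

```python
import hashlib
import secrets
import sqlite3
# Constructed in-memory store standing in for web2py's DAL tables (an
# assumption of this example): one token table with a UNIQUE token column
# and a foreign key to the user; the token is stored hashed so a leaked
# table by itself does not grant access.
db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE auth_user(id INTEGER PRIMARY KEY, email TEXT);
CREATE TABLE api_tokens(
  token_hash TEXT UNIQUE NOT NULL,
  user_id INTEGER NOT NULL REFERENCES auth_user(id),
  expires_on INTEGER NOT NULL);
INSERT INTO auth_user VALUES (1, 'alice@example.test');
""")

def _h(token):
    return hashlib.sha256(token.encode()).hexdigest()

def issue_token(user_id, now, ttl_seconds=3600):
    """The 'heavy auth' (password, groups, registration) happens before
    this call; here we only mint a random token with an expiry."""
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO api_tokens VALUES (?, ?, ?)",
               (_h(token), user_id, now + ttl_seconds))
    return token

def user_for_token(token, now):
    """One query: unique token -> user_id, rejecting expired tokens.
    Returns the user id or None. No session is created or renewed."""
    row = db.execute(
        "SELECT user_id FROM api_tokens WHERE token_hash=? AND expires_on>?",
        (_h(token), now)).fetchone()
    return row[0] if row else None

def requires_token(action):
    """Stand-in for a web2py action decorator: the token is read only from
    the web2py_api_token header (never from ?_token=...), and the action
    receives the resolved user id."""
    def wrapper(headers, now):
        token = headers.get("web2py_api_token", "")
        user_id = user_for_token(token, now)
        if user_id is None:
            return 401, "invalid or expired token"
        return 200, action(user_id)
    return wrapper

@requires_token
def whoami(user_id):
    return {"user_id": user_id}
```

Passing `now` explicitly keeps the expiry check testable; a real action would use the request time.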
