Re: [rest-discuss] API Keys
Nov 29, 2012

On Thu, Nov 29, 2012 at 02:16:50PM +0100, Erlend Hamnaberg wrote:
> This seems to indicate that a User and Access to the API is the same.
> It is not in this case.

This isn't the case, otherwise the likes of OAuth (which I mention
later) wouldn't be possible.

> Using Authorization was considered, but we need to use this for user
> authentication. API authorization is a different step.
> AFAIK you MAY NOT send multiple challenges back to the server.

I think you might be missing the greater point I was trying to make,
which was that an existing mechanism already exists (RFC 2617):

> The WWW-Authenticate and Authorization headers exist for this very
> purpose. In fact, RFC 2617 is designed to be extensible.

In fact, it is this very extensibility that OAuth is built upon. OAuth
might not be ideal for your particular purpose, but RFC 2617 still
exists to build upon to quite possibly do what you want.

It's possible to build an RFC 2617 auth method that could potentially
bundle multiple challenges in a single aggregate challenge. Including
multiple 'WWW-Authenticate' and 'Authorization' headers is another

Without knowing more about your system's access management
requirements, it's hard to speculate further. I think it would be more
valuable to propose an auth method built on top of RFC 2617 to support
your requirements rather than a whole new header.
C�at � G�ibhtheach�in - k@... - http://stereochro.me/ - CF9F6473
There are 10^11 stars in the galaxy. That used to be a huge number. But it's
only a hundred billion. It's less than the national deficit! We used to call
them astronomical numbers. Now we should call them economical numbers.
-- Richard Feynman
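An added illustration of the aggregate-challenge idea in the reply above (example code, not from the thread or either author): a server bundles a user-auth challenge and a hypothetical `ApiKey` challenge into one RFC 2617 `WWW-Authenticate` value, and a client splits that list and picks the scheme it supports. The parser is the non-obvious part, because challenges and their auth-params share the same comma separator; `ApiKey` is an assumed, unregistered scheme name used only for the demonstration.

```python
import re

# RFC 2616 "token" characters; an RFC 2617 auth-param is token "=" (token | quoted-string).
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_TOKEN = re.compile(_TCHAR)
_PARAM = re.compile(r'(%s)\s*=\s*("(?:[^"\\]|\\.)*"|%s)' % (_TCHAR, _TCHAR))
_SEP = re.compile(r"[\s,]*")  # separators between params and between challenges

def _unquote(raw):
    """Value of a token or quoted-string, with quoted-pairs resolved."""
    return re.sub(r"\\(.)", r"\1", raw[1:-1]) if raw.startswith('"') else raw

def parse_challenges(value):
    """Split one WWW-Authenticate value into [(scheme, {param: value}), ...].
    Challenges and params are both comma separated, so the only cue for a
    challenge boundary is a token that is *not* followed by '='."""
    challenges, pos = [], 0
    while True:
        pos = _SEP.match(value, pos).end()
        if pos == len(value):
            return challenges
        m = _PARAM.match(value, pos)
        if m and challenges:
            challenges[-1][1][m.group(1).lower()] = _unquote(m.group(2))
        else:  # a bare token starts a new challenge
            m = _TOKEN.match(value, pos)
            if m is None:
                raise ValueError("malformed challenge at offset %d" % pos)
            challenges.append((m.group(0), {}))
        pos = m.end()

def build_challenges(challenges):
    """Server side: serialise [(scheme, params)] as one aggregate header value."""
    parts = []
    for scheme, params in challenges:
        quoted = ", ".join('%s="%s"' % (k, v.replace("\\", "\\\\").replace('"', '\\"'))
                           for k, v in params.items())
        parts.append(scheme + (" " + quoted if quoted else ""))
    return ", ".join(parts)

def pick_challenge(value, supported):
    """Client side: first offered challenge whose scheme we support, else None."""
    wanted = {s.lower() for s in supported}
    for scheme, params in parse_challenges(value):
        if scheme.lower() in wanted:
            return scheme, params
    return None

# Constructed scenario from the thread: user auth plus a hypothetical "ApiKey" scheme in one header.
SERVER_HEADER = build_challenges([("Basic", {"realm": "users"}), ("ApiKey", {"realm": "api"})])
```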