NetsBlox / services

Official NetsBlox services

Add authorization for third-party services hosts #48

Open brollb opened 4 years ago

brollb commented 4 years ago

When adding third-party services hosts (i.e., URLs hosting additional netsblox services), the URLs of the used hosts are stored in the project XML. In the case of services which are private and not meant to be shared, it would be good to add authorization support.

Specifically, I am currently imagining support for specifying headers for the requests to the given host. For example, suppose we have our own host to which we would like to add authorization. We could update the host to check for a field like X-Authorization for a secret token. The new service host would be added and configured with the appropriate header "X-Authorization": "<secret token>".

The client would then need to be updated to set the corresponding headers for the given services host.

This could also be used for other forms of identification and configuration (e.g., sending the class name to the services host).

DarDoro commented 4 years ago

Registering service key with Api Consumer.setRequiredApiKey(MyService, ApiKey.withValue("")); is not enough to get desired effects? There is also a "Header" section in the service definition XML.

Or do you think of runtime client-supplied credentials or dynamic custom header?

brollb commented 4 years ago

I am actually thinking of a third option :)

One recent feature (not yet in the latest release) is the ability to essentially "connect your own netsblox services" where you can spin up your own server that hosts third party services (like here). These third party services can then be added to groups (classes, summer camps, etc) managed from the netsblox dashboard (code available here). Students in these camps will then have access to the custom services which can perform whatever arbitrary task that you would like. For example, you could enable users to train their own word embeddings :)

However, there is currently an issue with the implementation as the URLs for these auxiliary services are stored in the XML. Not necessarily a problem except if you want to ensure that outsiders don't use your server (this is especially problematic if you are enabling computationally intensive tasks or working with private data). In this case, it would be good to enable these third party services to accept some authorization header which can be customized from the netsblox dashboard and is not stored in the project XMLs.

Does that make sense? For more info about the motivation for training word embeddings, check out https://medium.com/@andersoncliffb/teaching-text-mining-online-dfd94926b18e
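
The header check proposed in the first comment, sketched for a Node.js services host. This is an added example, not code from NetsBlox or from the thread: the function names and the constructed token are assumptions, and only the X-Authorization header name comes from the discussion.

```javascript
// Added example (hypothetical host, not NetsBlox code): reject any request
// that does not carry the shared secret in the X-Authorization header.
const crypto = require('crypto');
const http = require('http');

// Hash both values first so timingSafeEqual always receives equal-length
// buffers and the comparison time does not reveal where the strings differ.
function tokensMatch(supplied, expected) {
  const digest = (s) => crypto.createHash('sha256').update(String(s)).digest();
  return crypto.timingSafeEqual(digest(supplied), digest(expected));
}

// Node lower-cases incoming header names, so look up 'x-authorization'.
function isAuthorized(headers, expectedToken) {
  // Fail closed: an unconfigured host must not accept every caller.
  if (typeof expectedToken !== 'string' || expectedToken.length === 0) {
    return false;
  }
  const supplied = headers['x-authorization'];
  if (typeof supplied !== 'string' || supplied.length === 0) {
    return false;
  }
  return tokensMatch(supplied, expectedToken);
}

// The token is passed in (for example from an environment variable) so it
// never has to appear in a project XML or in the host's source.
function createServicesHost(expectedToken) {
  return http.createServer((req, res) => {
    if (!isAuthorized(req.headers, expectedToken)) {
      res.writeHead(401, { 'Content-Type': 'text/plain' });
      res.end('missing or invalid X-Authorization');
      return;
    }
    // The host's real service routes would be dispatched here.
    res.writeHead(200, { 'Content-Type': 'text/plain' });
    res.end('ok');
  });
}

// To run: createServicesHost(process.env.SERVICES_HOST_TOKEN).listen(8080);
// SERVICES_HOST_TOKEN is an assumed variable name.
```

Because the token travels in a request header, the host should only be reachable over HTTPS.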