Closed jimrothstein closed 5 months ago
IMO, the explanation on that StackOverflow thread is WAY over-complicated. A bearer token is a type of API key. It's supposed to be short-lived, and supposed to have specific scopes associated with it... but, in practice, as an API consumer... it's just a type of API key. You send it in the Authorization header, with the word "Bearer" before the key.
I actually think I need to reduce some of the "how security SHOULD work" stuff in this chapter right now, to focus on what things mean and how to use them. As a consumer, you shouldn't have to care about how to make decisions about what sort of authentication to implement; you don't get to make those decisions. I do want to explain why OAuth2 is complicated so it's a little less frustrating, but we only need a relatively light level right now. We'll go muuuuuuch deeper when we're making our own APIs.
Thanks for the feedback! I hope you find what I come up with helpful, even if it isn't exactly how you would write it!
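As an added illustration of the consumer-side point in the comment above (the token goes in the Authorization header after the word "Bearer"), and of why the "$100 bill" comparison holds, here is a small Python example. It is not code from this issue, from httr2, or from the book being discussed; the token store, scopes and timestamps are constructed sample data, and the function names are this example's own. The client side is one line; the rest shows the only checks a server does with that string (shape, known token, not expired, right scope), none of which asks who is calling.

```python
"""Bearer tokens from both sides of the wire (added example, not project code)."""
import hmac
from dataclasses import dataclass
from typing import Optional


def bearer_header(token: str) -> dict:
    """Header a client sends: the value is literally 'Bearer ' + token."""
    return {"Authorization": f"Bearer {token}"}


def extract_bearer(authorization: Optional[str]) -> Optional[str]:
    """Return the token from an Authorization header value, or None.

    The scheme name is case-insensitive and is separated from the token by
    whitespace (RFC 6750), so 'bearer   abc' is accepted as well.
    """
    if not authorization:
        return None
    parts = authorization.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        return None
    return parts[1].strip()


@dataclass(frozen=True)
class TokenRecord:
    expires_at: int          # unix seconds
    scopes: frozenset        # what the token is allowed to do


# Constructed sample token store: what the issuer knows about each token.
TOKEN_STORE = {
    "tok-read-only": TokenRecord(expires_at=1_700_000_600,
                                 scopes=frozenset({"repo:read"})),
    "tok-expired": TokenRecord(expires_at=1_700_000_000,
                               scopes=frozenset({"repo:read", "repo:write"})),
}


def lookup(token: str) -> Optional[TokenRecord]:
    """Find the record for a presented token using a constant-time compare,
    so response timing does not leak how much of a guessed token was right."""
    for known, record in TOKEN_STORE.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return record
    return None


def authorize(authorization: Optional[str], required_scope: str, now: int) -> str:
    """Decide whether a request may proceed; returns 'ok' or a short reason.

    Nothing here identifies the caller: whoever holds the string gets the
    access it carries, which is why short lifetimes and narrow scopes matter.
    """
    token = extract_bearer(authorization)
    if token is None:
        return "no bearer token"
    record = lookup(token)
    if record is None:
        return "unknown token"
    if now >= record.expires_at:
        return "token expired"
    if required_scope not in record.scopes:
        return "insufficient scope"
    return "ok"


if __name__ == "__main__":
    hdr = bearer_header("tok-read-only")
    print(hdr)
    print(authorize(hdr["Authorization"], "repo:read", now=1_700_000_300))
    print(authorize(hdr["Authorization"], "repo:write", now=1_700_000_300))
```

The client never does anything cleverer than `bearer_header`; everything that makes a bearer token "safe" lives on the issuing and checking side, which is why a leaked token is spendable by anyone until it expires or is revoked.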
Not to be argumentative:
Bearer Token=$100 bill instantly conveys 80% (?) of the truth, vs:
A bearer token is a type of API key. It's supposed to be short-lived, and supposed to have specific scopes associated with it... but, in practice, as an API consumer... it's just a type of API key.
When I write my book (hehe), I will define upfront the ways to securely transmit stuff; the problem and then the why-when-how of using http headers, body, encryption .... in any given situation. (Positive at least 100 other books!)
Thank you for the responses! I'd prefer to address these with peers in the group first, and bring them to you after the question has been refined. But I can't get a peep out of anyone else. Perhaps you have a suggestion?
Stackoverflow can be fantastic, but requires great patience. Sometimes wikipedia is very best, but not so in this particular use.
oauth2 and authentication ...
Another 2 cents; the underlying problem, how to give minimal access to a 3rd party, we can all understand. The idea is to use a TRUSTED 3rd party.
I suggest avoiding any implementation or even walking through any of the various schemes that allow this UNTIL the reader has a good understanding from 30,000 feet. Also DEFINE** and stay with specific terminology. I am sure 1000 computer science books walk through this. (I NEED TO READ!) This reader (me) still has the haziest idea of `token` and its different kinds. This is the opposite approach of httr2 and most implementations (the few I have seen), which leads to excessive confusion, puzzlement, frustration .... Go for the big picture and then say we get THIS KIND OF TOKEN with this function; and THAT TOKEN this way.
DEFINE** is tricky. A mathematician might say REAL numbers are some kind of field with these properties and I'd be clueless. A number is like $0.2 (two cents), something we all understand.
UPDATE: It's all in stackoverflow, if one has patience and determination (I usually don't). https://stackoverflow.com/questions/25838183/what-is-the-oauth-2-0-bearer-token-exactly But this much is CLEAR. Bearer Token = $100 bill free to spend, no need to prove who you are .... On to the next `token` ....