dslc-io / club-wapir

https://dslc-io.github.io/club-wapir/

oauth2 and authentication ... #53

Closed jimrothstein closed 5 months ago

jimrothstein commented 5 months ago

oauth2 and authentication ...

Another 2 cents; the underlying problem, how to give minimal access to a 3rd party, we can all understand. The idea is to use a TRUSTED 3rd party.

I suggest avoiding any implementation or even walking through any of the various schemes that allow this UNTIL the reader has a good understanding from 30,000 feet. Also DEFINE** and stay with specific terminology. I am sure 1000 computer science books walk through this. ( I NEED TO READ!) This reader (me) still has only the haziest idea of tokens and their different kinds.

This is the opposite approach of httr2 and most implementations (the few I have seen), which leads to excessive confusion, puzzlement, frustration .... Go for the big picture and then say we get THIS KIND OF TOKEN with this function; and THAT TOKEN this way.

DEFINE** is tricky. A mathematician might say REAL numbers are some kind of field with these properties and I'd be clueless. A number is like $0.2 (two cents), something we all understand.

UPDATE: It's all in stackoverflow, if one has patience and determination (I usually don't). https://stackoverflow.com/questions/25838183/what-is-the-oauth-2-0-bearer-token-exactly But this much is CLEAR. Bearer Token = $100 bill free to spend, no need to prove who you are .... On to the next token ....

jonthegeek commented 5 months ago

IMO, the explanation on that StackOverflow thread is WAY over-complicated. A bearer token is a type of API key. It's supposed to be short-lived, and supposed to have specific scopes associated with it... but, in practice, as an API consumer... it's just a type of API key. You send it in the Authorization header, with the word "Bearer" before the key.

I actually think I need to reduce some of the "how security SHOULD work" stuff in this chapter right now, to focus on what things mean and how to use them. As a consumer, you shouldn't have to care about how to make decisions about what sort of authentication to implement; you don't get to make those decisions. I do want to explain why OAuth2 is complicated so it's a little less frustrating, but we only need a relatively light level right now. We'll go muuuuuuch deeper when we're making our own APIs.

Thanks for the feedback! I hope you find what I come up with helpful, even if it isn't exactly how you would write it!
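The consumer-side mechanics described above (put the token in the `Authorization` header with the word `Bearer` in front; the token is short-lived and scoped, and anyone holding it can spend it), shown as an added example. This is not code from the book, from httr2, or from either commenter; it is written in Python with only the standard library so it runs anywhere, and the token, URL and claim values are constructed for illustration. The decode step assumes the token happens to be a JWT, which is common but not guaranteed: many bearer tokens are opaque strings and then there is nothing to inspect, and the client never verifies the signature either way (that is the server's job).

```python
import base64
import json
import time
from typing import Optional
import urllib.request

# Constructed sample claims for a JWT-shaped bearer token. NOT a real credential.
_SAMPLE_PAYLOAD = {"sub": "user-123", "scope": "read:repo", "exp": 1_700_000_000}


def _b64url(data: bytes) -> str:
    # JWT segments are base64url without padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_constructed_jwt(payload: dict) -> str:
    """Build a JWT-shaped token for the demo. The signature segment is fake:
    a consumer cannot verify it and must not pretend to."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    return f"{header}.{body}.fake-signature"


SAMPLE_TOKEN = make_constructed_jwt(_SAMPLE_PAYLOAD)


def bearer_headers(token: str) -> dict:
    """The one thing an API consumer must get right: 'Authorization: Bearer <token>'."""
    if not token or any(c.isspace() for c in token):
        raise ValueError("bearer token must be a single non-empty token (no 'Bearer ' prefix)")
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def redact(token: str) -> str:
    """A bearer token is the $100 bill: whoever holds it can spend it, so never
    print or log it in full. Keep only a short prefix for troubleshooting."""
    return token[:4] + "..." if len(token) > 4 else "..."


def unverified_claims(token: str) -> Optional[dict]:
    """If the token looks like a JWT, decode its payload WITHOUT verifying it.
    Good for learning exp/scope on the client side; never use it to trust the token.
    Returns None for opaque (non-JWT) tokens."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    body = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:  # bad base64 or bad JSON
        return None
    return claims if isinstance(claims, dict) else None


def needs_refresh(token: str, now: Optional[float] = None, skew: int = 30) -> bool:
    """True when a JWT-shaped token is expired or about to expire (skew seconds).
    For an opaque token we cannot tell; rely on the server's 401 instead."""
    claims = unverified_claims(token)
    if claims is None or not isinstance(claims.get("exp"), (int, float)):
        return False
    now = time.time() if now is None else now
    return claims["exp"] - skew <= now


def build_request(url: str, token: str) -> urllib.request.Request:
    """A GET request carrying the bearer header (not sent here; the URL is a placeholder)."""
    return urllib.request.Request(url, headers=bearer_headers(token))


if __name__ == "__main__":
    req = build_request("https://api.example.com/v1/repos", SAMPLE_TOKEN)
    print("Authorization: Bearer", redact(SAMPLE_TOKEN))
    print("scope:", unverified_claims(SAMPLE_TOKEN)["scope"])
    print("needs refresh now:", needs_refresh(SAMPLE_TOKEN))
```

The `needs_refresh` check is the practical payoff of "short-lived": when a JWT-shaped token is near its `exp`, ask for a new one before the API starts answering 401. The `redact` helper is the practical payoff of "$100 bill": keep the token out of logs and error messages.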

jimrothstein commented 5 months ago

Not to be argumentative:

Bearer Token=$100 bill instantly conveys 80% (?) of the truth, vs:

A bearer token is a type of API key. It's supposed to be short-lived, and supposed to have specific scopes associated with it... but, in practice, as an API consumer... it's just a type of API key.

When I write my book (hehe), I will define upfront the ways to securely transmit stuff; the problem and then the why-when-how of using http headers, body, encryption .... in any given situation. (Positive at least 100 other books!)

Thank you for the responses! I'd prefer to address these with peers in the group first, and bring them to you after the question has been refined. But I can't get a peep out of anyone else. Perhaps you have a suggestion?

Stackoverflow can be fantastic, but requires great patience. Sometimes wikipedia is very best, but not so in this particular use.