urbanobservatory / standards

Standards and schema documentation for the observatories programme

Authentication #11

Open SiBell opened 4 years ago

SiBell commented 4 years ago

Any thoughts on what methods of authentication we should be incorporating?

This is less for the general public, who I assume we'll allow read-only rights to any public deployments, but more for team members and collaborators who will need to add/delete/update sensors, platforms, etc etc.

In the past I've tended to use JSON Web Tokens, adding a token to the Authorization header.

API keys are another option. In the past I've set up APIs that support both. Could do it again here...?
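The "support both" arrangement described in the comment above, as an added example that is not part of the original issue or the observatories codebase: a request is authenticated either by a Bearer JWT in the Authorization header or by an API key in an assumed `X-API-Key` header, anonymous callers are read-only, and a credential that is presented but invalid is rejected rather than downgraded to anonymous. The secrets, the `X-API-Key` header name, the `role` claim and the HS256 JWT implementation are all assumptions made for the example; the JWT is verified with the standard library so the block runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secrets for the example only; a deployment would load them from config.
JWT_SECRET = b"constructed-jwt-signing-secret"
# API keys are stored hashed, so a leaked table does not yield usable credentials.
API_KEY_HASHES = {
    hashlib.sha256(b"uo-collab-key-0001").hexdigest(): {"sub": "collaborator-1", "role": "editor"},
}
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(sub, role, ttl=3600, now=None):
    """Mint an HS256 JWT carrying the subject, an assumed 'role' claim and an expiry."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": sub, "role": role, "iat": now, "exp": now + ttl},
                                 separators=(",", ":")).encode())
    mac = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def verify_jwt(token, now=None):
    """Return the claims if the token is intact and unexpired, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm server-side; never let the token choose it ("alg": "none" attacks).
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(JWT_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # wrong number of segments, bad base64 or bad JSON
        return None
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    return claims


def verify_api_key(key):
    """Look the key up by its hash; returns the principal record or None."""
    return API_KEY_HASHES.get(hashlib.sha256(key.encode()).hexdigest())


def authenticate(headers, now=None):
    """Resolve a principal from the request headers.

    Bearer JWTs and API keys are both accepted. A credential that is present but
    invalid yields None (reject), rather than silently downgrading to anonymous.
    """
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        claims = verify_jwt(auth[len("Bearer "):], now=now)
        if claims is None:
            return None
        return {"sub": claims.get("sub"), "role": claims.get("role", "reader"), "via": "jwt"}
    key = headers.get("X-API-Key")
    if key is not None:
        principal = verify_api_key(key)
        return None if principal is None else dict(principal, via="api-key")
    return {"sub": "anonymous", "role": "reader", "via": "none"}


def authorize(method, principal):
    """HTTP status for the request: 401 bad credential, 403 read-only caller writing, 200 ok."""
    if principal is None:
        return 401
    if method.upper() in WRITE_METHODS and principal["role"] != "editor":
        return 403
    return 200
```

Two design points worth keeping whichever library ends up doing the JWT work: the server pins the algorithm instead of reading it from the token, and API keys are hashed before the lookup so the comparison does not happen on the raw secret and a database dump is not a credential dump.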

lukeshope commented 4 years ago

I think it might be worth permitting both, as presumably your use case is trusted parties administering the data (JWT preferred) or trusted parties consuming the data (API keys less hassle).

I'd like to throw HTTP Signatures into the mix too, for trust relationships between different UOs, such as registering sensors against a geography that's in another API. They're less mature though.

L
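The UO-to-UO trust relationship mentioned in the comment above, as an added example that is not the project's own code: one observatory signs a request to register a sensor against a geography held by another, in the style of the draft-cavage "HTTP Signatures" header (`keyId`, `algorithm`, `headers`, `signature`). The peer table, the shared HMAC secret, the `newcastle-uo` key ID and the `/sensors` path are constructed for the example. The verifier insists on its own list of covered headers (request target, host, date and body digest) rather than trusting whatever the sender chose to sign.

```python
import base64
import hashlib
import hmac
import time
from email.utils import formatdate, parsedate_to_datetime

# Constructed trust table on the receiving UO: keyId -> shared HMAC secret of the peer UO.
PEERS = {"newcastle-uo": b"constructed-secret-shared-by-the-two-observatories"}
REQUIRED_HEADERS = ("(request-target)", "host", "date", "digest")
MAX_CLOCK_SKEW = 300  # seconds; bounds how long a captured request can be replayed


def _body_digest(body):
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()


def _signing_string(method, path, headers, signed):
    """Build the canonical string: one 'name: value' line per signed header."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    lines = []
    for name in signed:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        else:
            lines.append(f"{name}: {hdrs[name]}")  # KeyError if a signed header is missing
    return "\n".join(lines)


def sign_request(key_id, secret, method, path, host, body, now=None):
    """Headers the calling UO sends: Host, Date, Digest and the Signature over them."""
    now = time.time() if now is None else now
    headers = {"Host": host, "Date": formatdate(now, usegmt=True), "Digest": _body_digest(body)}
    mac = hmac.new(secret, _signing_string(method, path, headers, REQUIRED_HEADERS).encode(),
                   hashlib.sha256).digest()
    headers["Signature"] = (
        f'keyId="{key_id}",algorithm="hmac-sha256",'
        f'headers="{" ".join(REQUIRED_HEADERS)}",signature="{base64.b64encode(mac).decode()}"'
    )
    return headers


def _parse_signature(value):
    params = {}
    for part in value.split(","):
        name, _, val = part.partition("=")
        params[name.strip()] = val.strip().strip('"')
    return params


def verify_request(method, path, headers, body, now=None):
    """Return the peer's keyId if the request is authentic and fresh, otherwise None."""
    now = time.time() if now is None else now
    hdrs = {k.lower(): v for k, v in headers.items()}
    if "signature" not in hdrs:
        return None
    params = _parse_signature(hdrs["signature"])
    secret = PEERS.get(params.get("keyId", ""))
    signed = params.get("headers", "").split(" ")
    if secret is None or params.get("algorithm") != "hmac-sha256":
        return None
    # The verifier, not the sender, decides which headers must be covered.
    if not set(REQUIRED_HEADERS) <= set(signed):
        return None
    try:
        if not hmac.compare_digest(hdrs.get("digest", ""), _body_digest(body)):
            return None
        sent = parsedate_to_datetime(hdrs["date"]).timestamp()
        expected = hmac.new(secret, _signing_string(method, path, hdrs, signed).encode(),
                            hashlib.sha256).digest()
        given = base64.b64decode(params.get("signature", ""), validate=True)
    except (KeyError, ValueError, TypeError):  # missing header, bad date, bad base64
        return None
    if abs(now - sent) > MAX_CLOCK_SKEW or not hmac.compare_digest(expected, given):
        return None
    return params["keyId"]
```

The Date window only bounds replay; a request captured within the skew can still be resent, so a receiver that creates resources should also remember recent (keyId, signature) pairs. Between separate organisations an asymmetric key per peer is the better fit, since a shared HMAC secret lets the geography service forge requests from the sensor service; HMAC is used here only to keep the example self-contained.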

SiBell commented 4 years ago

Looks good to me.

Probably need to add another more niche method to the list: signed URLs, e.g. for serving sensitive images to only those with sufficient rights.

lukeshope commented 4 years ago

Agree we need a mechanism for that also. I think JWTs are IRI-safe, even though long, and could be passed as query parameters instead of headers.
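The signed-URL mechanism raised two comments up, as an added example that is not the project's own code, in the shape the last comment suggests (the credential carried as a query parameter rather than a header). Instead of a JWT, the grant here is an HMAC over the path plus an `exp` (and optional `sub`) parameter, so the signature is bound to one image path and one expiry time; the signing key and the image path are constructed for the example.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed key for the example; in practice per-deployment and rotated.
URL_SIGNING_KEY = b"constructed-url-signing-key"


def sign_url(path, expires_at, subject=None):
    """Return path?exp=...[&sub=...]&sig=HMAC(path?query): an expiring grant for one path."""
    params = {"exp": str(int(expires_at))}
    if subject is not None:
        params["sub"] = subject
    query = urlencode(params)
    mac = hmac.new(URL_SIGNING_KEY, f"{path}?{query}".encode(), hashlib.sha256).hexdigest()
    return f"{path}?{query}&sig={mac}"


def verify_url(url, now=None):
    """Return the grant (path, exp, sub) if the signature matches and has not expired."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    query, sep, sig = parts.query.rpartition("&sig=")
    if not sep:
        return None
    # Recompute over exactly the bytes that were signed: the path and the query before &sig=.
    expected = hmac.new(URL_SIGNING_KEY, f"{parts.path}?{query}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    params = parse_qs(query)
    try:
        exp = int(params["exp"][0])
    except (KeyError, ValueError):
        return None
    if exp <= now:
        return None
    return {"path": parts.path, "exp": exp, "sub": params.get("sub", [None])[0]}
```

Whatever is carried in the query string, HMAC or JWT, ends up in server logs, proxy logs and browser history, so expiries for these links should be minutes rather than hours; and the signature has to cover the path, otherwise a grant for one image is a grant for every image.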