Re: API query
Hi
On 20/02/13 19:16, Sergey Beryozkin wrote:
I wonder if
"GET /users?username={username}&pwd={password}"
is safe enough, as these URIs might get cached somewhere given it is GET
(though not sure if the caching of URIs can happen with HTTPS).
Might make sense considering treating this as an action request, with
the credentials being POSTed to /users resource and expecting a
validated user rep back,
Sorry, not replying directly to Jan's response the other day where he
recommended to use a Cache directive to disable the caching of the data,
I can not find it in my mail box :-)
I'm looking at the possible use of OAuth2 bearer tokens within URI query
components, and can see the people warning of the possible 'leaks' of
these potentially sensitive query data in the logs. Whether it is a
concern or not for Syncope I'm not sure, but thought I'd mention it FYI
Cheers, Sergey
On 20/02/13 16:06, Colm O hEigeartaigh wrote:
A second thought is that a API to return the User matching the given
username + password would be quite nice, unless there is another way of
doing this that I am missing. WDYT?
Colm.
On Wed, Feb 20, 2013 at 4:04 PM, Colm O
hEigeartaighwrote:
Thanks Jan, I have updated it. The "old" API method returns "null" if
the
User does not exist, whereas the new API does not seem to return
anything.
Would it not be better in both cases to return "false" explicitly? Or
are
there backwards compatilbity concerns about changing this?
Colm.
On Wed, Feb 20, 2013 at 4:00 PM, Jan
Bernhardtwrote:
Hi Colm,
The description is wrong, this method returns a boolean.
Best regards.
Jan
-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Mittwoch, 20. Februar 2013 16:48
To: dev@syncope.apache.org
Subject: API query
Hi all,
From the wiki:
https://cwiki.apache.org/confluence/display/SYNCOPE/REST+API+upgrade#
RESTAPIupgrade-UserService
GET /user/verifyPassword/{username}?password={password} GET
/users?username={username}&pwd={password} Returns user if username
and password match with an existing account.
This method actually returns a boolean not the user, and so the
description is
invalid.
Could someone clarify whether the new API is intended to return a
boolean
or the User?
Colm.
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: API query
Thanks for the feedback Jan, here is the JIRA:
https://issues.apache.org/jira/browse/SYNCOPE-324
Colm.
On Thu, Feb 21, 2013 at 12:46 PM, Jan Bernhardt wrote:
> Hi Colm,
>
> +1 for returning user instead of Boolean for authentication process. I
> wasn't happy about the current handling anyway, since URL pattern did not
> reflect a different response type. This way username and password can be
> seen as "search queries" for a user with matching username and password. If
> authentication is successful we should return 200 OK, if authentication
> fails we should return 404 NOT FOUND.
>
> This way we could support both GET for returning matching user (including
> roles) or HEAD if only Authentication result (TRUE : 200 or FALSE : 404) is
> required.
>
> Applying these changes should be relatively easy. If no other syncope
> users raise concerns about this, you can create a JIRA issue for this.
>
> And we should also take Sergeys comment into account and disable caching
> for this authentication URL.
>
> Best regards.
> Jan
>
> > -Original Message-
> > From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> > Sent: Mittwoch, 20. Februar 2013 17:06
> > To: Jan Bernhardt
> > Cc: dev@syncope.apache.org
> > Subject: Re: API query
> >
> > A second thought is that a API to return the User matching the given
> > username + password would be quite nice, unless there is another way of
> > doing this that I am missing. WDYT?
> >
> > Colm.
> >
> > On Wed, Feb 20, 2013 at 4:04 PM, Colm O hEigeartaigh
> > wrote:
> >
> > >
> > > Thanks Jan, I have updated it. The "old" API method returns "null" if
> > > the User does not exist, whereas the new API does not seem to return
> > anything.
> > > Would it not be better in both cases to return "false" explicitly? Or
> > > are there backwards compatilbity concerns about changing this?
> > >
> > > Colm.
> > >
> > >
> > > On Wed, Feb 20, 2013 at 4:00 PM, Jan Bernhardt
> > wrote:
> > >
> > >> Hi Colm,
> > >>
> > >> The description is wrong, this method returns a boolean.
> > >>
> > >> Best regards.
> > >> Jan
> > >>
> > >> > -Original Message-
> > >> > From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> > >> > Sent: Mittwoch, 20. Februar 2013 16:48
> > >> > To: dev@syncope.apache.org
> > >> > Subject: API query
> > >> >
> > >> > Hi all,
> > >> >
> > >> > From the wiki:
> > >> >
> > >> >
> > https://cwiki.apache.org/confluence/display/SYNCOPE/REST+API+upgrad
> > >> > e#
> > >> > RESTAPIupgrade-UserService
> > >> >
> > >> > GET /user/verifyPassword/{username}?password={password} GET
> > >> > /users?username={username}&pwd={password} Returns user if
> > username
> > >> > and password match with an existing account.
> > >> > This method actually returns a boolean not the user, and so the
> > >> description is
> > >> > invalid.
> > >> >
> > >> > Could someone clarify whether the new API is intended to return a
> > >> boolean
> > >> > or the User?
> > >> >
> > >> > Colm.
> > >> >
> > >> >
> > >> > --
> > >> > Colm O hEigeartaigh
> > >> >
> > >> > Talend Community Coder
> > >> > http://coders.talend.com
> > >>
> > >
> > >
> > >
> > > --
> > > Colm O hEigeartaigh
> > >
> > > Talend Community Coder
> > > http://coders.talend.com
> > >
> >
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
RE: API query
Hi Colm,
+1 for returning user instead of Boolean for authentication process. I wasn't
happy about the current handling anyway, since URL pattern did not reflect a
different response type. This way username and password can be seen as "search
queries" for a user with matching username and password. If authentication is
successful we should return 200 OK, if authentication fails we should return
404 NOT FOUND.
This way we could support both GET for returning matching user (including
roles) or HEAD if only Authentication result (TRUE : 200 or FALSE : 404) is
required.
Applying these changes should be relatively easy. If no other syncope users
raise concerns about this, you can create a JIRA issue for this.
And we should also take Sergeys comment into account and disable caching for
this authentication URL.
Best regards.
Jan
> -Original Message-
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Mittwoch, 20. Februar 2013 17:06
> To: Jan Bernhardt
> Cc: dev@syncope.apache.org
> Subject: Re: API query
>
> A second thought is that a API to return the User matching the given
> username + password would be quite nice, unless there is another way of
> doing this that I am missing. WDYT?
>
> Colm.
>
> On Wed, Feb 20, 2013 at 4:04 PM, Colm O hEigeartaigh
> wrote:
>
> >
> > Thanks Jan, I have updated it. The "old" API method returns "null" if
> > the User does not exist, whereas the new API does not seem to return
> anything.
> > Would it not be better in both cases to return "false" explicitly? Or
> > are there backwards compatilbity concerns about changing this?
> >
> > Colm.
> >
> >
> > On Wed, Feb 20, 2013 at 4:00 PM, Jan Bernhardt
> wrote:
> >
> >> Hi Colm,
> >>
> >> The description is wrong, this method returns a boolean.
> >>
> >> Best regards.
> >> Jan
> >>
> >> > -Original Message-
> >> > From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> >> > Sent: Mittwoch, 20. Februar 2013 16:48
> >> > To: dev@syncope.apache.org
> >> > Subject: API query
> >> >
> >> > Hi all,
> >> >
> >> > From the wiki:
> >> >
> >> >
> https://cwiki.apache.org/confluence/display/SYNCOPE/REST+API+upgrad
> >> > e#
> >> > RESTAPIupgrade-UserService
> >> >
> >> > GET /user/verifyPassword/{username}?password={password} GET
> >> > /users?username={username}&pwd={password} Returns user if
> username
> >> > and password match with an existing account.
> >> > This method actually returns a boolean not the user, and so the
> >> description is
> >> > invalid.
> >> >
> >> > Could someone clarify whether the new API is intended to return a
> >> boolean
> >> > or the User?
> >> >
> >> > Colm.
> >> >
> >> >
> >> > --
> >> > Colm O hEigeartaigh
> >> >
> >> > Talend Community Coder
> >> > http://coders.talend.com
> >>
> >
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
Re: API query
I wonder if
"GET /users?username={username}&pwd={password}"
is safe enough, as these URIs might get cached somewhere given it is GET
(though not sure if the caching of URIs can happen with HTTPS).
Might make sense considering treating this as an action request, with
the credentials being POSTed to /users resource and expecting a
validated user rep back,
Cheers, Sergey
On 20/02/13 16:06, Colm O hEigeartaigh wrote:
A second thought is that a API to return the User matching the given
username + password would be quite nice, unless there is another way of
doing this that I am missing. WDYT?
Colm.
On Wed, Feb 20, 2013 at 4:04 PM, Colm O hEigeartaighwrote:
Thanks Jan, I have updated it. The "old" API method returns "null" if the
User does not exist, whereas the new API does not seem to return anything.
Would it not be better in both cases to return "false" explicitly? Or are
there backwards compatilbity concerns about changing this?
Colm.
On Wed, Feb 20, 2013 at 4:00 PM, Jan Bernhardtwrote:
Hi Colm,
The description is wrong, this method returns a boolean.
Best regards.
Jan
-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Mittwoch, 20. Februar 2013 16:48
To: dev@syncope.apache.org
Subject: API query
Hi all,
From the wiki:
https://cwiki.apache.org/confluence/display/SYNCOPE/REST+API+upgrade#
RESTAPIupgrade-UserService
GET /user/verifyPassword/{username}?password={password} GET
/users?username={username}&pwd={password} Returns user if username
and password match with an existing account.
This method actually returns a boolean not the user, and so the
description is
invalid.
Could someone clarify whether the new API is intended to return a
boolean
or the User?
Colm.
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
--
Sergey Beryozkin
Talend Community Coders
http://coders.talend.com/
Blog: http://sberyozkin.blogspot.com
Re: API query
A second thought is that a API to return the User matching the given
username + password would be quite nice, unless there is another way of
doing this that I am missing. WDYT?
Colm.
On Wed, Feb 20, 2013 at 4:04 PM, Colm O hEigeartaigh wrote:
>
> Thanks Jan, I have updated it. The "old" API method returns "null" if the
> User does not exist, whereas the new API does not seem to return anything.
> Would it not be better in both cases to return "false" explicitly? Or are
> there backwards compatilbity concerns about changing this?
>
> Colm.
>
>
> On Wed, Feb 20, 2013 at 4:00 PM, Jan Bernhardt wrote:
>
>> Hi Colm,
>>
>> The description is wrong, this method returns a boolean.
>>
>> Best regards.
>> Jan
>>
>> > -Original Message-
>> > From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
>> > Sent: Mittwoch, 20. Februar 2013 16:48
>> > To: dev@syncope.apache.org
>> > Subject: API query
>> >
>> > Hi all,
>> >
>> > From the wiki:
>> >
>> > https://cwiki.apache.org/confluence/display/SYNCOPE/REST+API+upgrade#
>> > RESTAPIupgrade-UserService
>> >
>> > GET /user/verifyPassword/{username}?password={password} GET
>> > /users?username={username}&pwd={password} Returns user if username
>> > and password match with an existing account.
>> > This method actually returns a boolean not the user, and so the
>> description is
>> > invalid.
>> >
>> > Could someone clarify whether the new API is intended to return a
>> boolean
>> > or the User?
>> >
>> > Colm.
>> >
>> >
>> > --
>> > Colm O hEigeartaigh
>> >
>> > Talend Community Coder
>> > http://coders.talend.com
>>
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: API query
Thanks Jan, I have updated it. The "old" API method returns "null" if the
User does not exist, whereas the new API does not seem to return anything.
Would it not be better in both cases to return "false" explicitly? Or are
there backwards compatilbity concerns about changing this?
Colm.
On Wed, Feb 20, 2013 at 4:00 PM, Jan Bernhardt wrote:
> Hi Colm,
>
> The description is wrong, this method returns a boolean.
>
> Best regards.
> Jan
>
> > -Original Message-
> > From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> > Sent: Mittwoch, 20. Februar 2013 16:48
> > To: dev@syncope.apache.org
> > Subject: API query
> >
> > Hi all,
> >
> > From the wiki:
> >
> > https://cwiki.apache.org/confluence/display/SYNCOPE/REST+API+upgrade#
> > RESTAPIupgrade-UserService
> >
> > GET /user/verifyPassword/{username}?password={password} GET
> > /users?username={username}&pwd={password} Returns user if username
> > and password match with an existing account.
> > This method actually returns a boolean not the user, and so the
> description is
> > invalid.
> >
> > Could someone clarify whether the new API is intended to return a boolean
> > or the User?
> >
> > Colm.
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
RE: API query
Hi Colm,
The description is wrong, this method returns a boolean.
Best regards.
Jan
> -Original Message-
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Mittwoch, 20. Februar 2013 16:48
> To: dev@syncope.apache.org
> Subject: API query
>
> Hi all,
>
> From the wiki:
>
> https://cwiki.apache.org/confluence/display/SYNCOPE/REST+API+upgrade#
> RESTAPIupgrade-UserService
>
> GET /user/verifyPassword/{username}?password={password} GET
> /users?username={username}&pwd={password} Returns user if username
> and password match with an existing account.
> This method actually returns a boolean not the user, and so the description is
> invalid.
>
> Could someone clarify whether the new API is intended to return a boolean
> or the User?
>
> Colm.
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
