Recently there's been much discussion about clients that seem to assume the
client will be a full-featured web browser, and that makes me a bit nervous. I
didn't imagine Open311 as having decided to use HTTP to enable straight posts
from HTTP user agents, but to facilitate rapid development.
For authentication, what if device_id were treated more like an identification
*and* access token? Perhaps all that would be needed is for read request
methods like GET /requests.[format] to take device_id as an optional argument.
If you wanted to use a fat client, you'd just need to obtain/discover the
user's ID and feed their client the appropriate device_id. All the
authentication would be encompassed within the spec -- instead of some
endpoints expecting session cookies, others expecting SSL/TLS client certs,
others maybe even expecting something like HTTP Basic Auth credentials.
It might be nice to improve this with something like Message Digest auth
implemented such that classic web clients could sign requests with client-side
JS -- but how do you all feel about the basic notion of trying to put a generic
ID & authentication mechanism into the core spec in hopes of keeping us all on
the same page?