[OTDev] API modifications for A&A
Andreas Maunz andreas at maunz.de
Wed May 5 15:10:33 CEST 2010
Nina Jeliazkova wrote on 05/05/2010 02:23 PM:
> Andreas Maunz wrote:
>> Nina Jeliazkova wrote on 05/05/2010 02:13 PM:
>>> Andreas Maunz wrote:
>>>> Personally, I am fine with end of May. Just wanted to give you an
>>>> update.
>>>> This also gives me some time to move the server to a dedicated
>>>> environment.
>>> OK. Without looking/testing anything in AA, my wish list includes AA
>>> API as generic as possible, in order to accommodate solutions other than
>>> OpenSSO in future, by just changing the URL of token provider.
>>
>> Sure, I agree!
> Great!
>
> BTW, could you evaluate/summarize what are pros/cons for having the AA
> token in a custom HTTP header, vs. into URL (URL length for example)?
> What is the recommended practice?

Pros of token in query string:
- Can easily pass URLs with working token around

Cons of token in query string:
- Need to URL-encode the token string
- URL gets longer
- Token is the key for access. Using it in URL might be risky. Using it
  in a header is safe when using SSL (correct?).

There is no general rule for usage in practice. For example, Google
supports both (http://code.google.com/apis/gdata/docs/auth/overview.html),
while OpenSSO uses URL query string fields. Perhaps we could also support
both, at least between client and webservice.

Regards
Andreas
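An added example, not part of the original message or of the project's code, for the "support both" option discussed above: a helper that accepts the token from a header or from the query string, with the URL-encoding and log-exposure points from the cons list made concrete. The header name `X-AA-Token`, the parameter name `token`, the sample URL and the sample token are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode, quote

# Assumed names: the thread does not fix a header or parameter name.
TOKEN_HEADER = "X-AA-Token"
TOKEN_PARAM = "token"


def extract_token(headers, url):
    """Return (token, source); the header wins when both are present."""
    for name, value in headers.items():
        if name.lower() == TOKEN_HEADER.lower() and value:
            return value, "header"
    # parse_qsl percent-decodes, so the client must have URL-encoded the token.
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if key == TOKEN_PARAM and value:
            return value, "query"
    return None, None


def redact_url(url):
    """Copy of url that is safe to write to a log: the token value is masked."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k == TOKEN_PARAM else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def with_token_in_query(url, token):
    """Client side: append the token, percent-encoding every reserved char."""
    sep = "&" if urlsplit(url).query else "?"
    return f"{url}{sep}{TOKEN_PARAM}={quote(token, safe='')}"


# Constructed sample token with characters that break an unencoded URL.
SAMPLE_TOKEN = "AQIC5wM2+abc/def=="
SAMPLE_URL = with_token_in_query("https://ws.example.org/model/1?fmt=rdf",
                                 SAMPLE_TOKEN)

if __name__ == "__main__":
    print(SAMPLE_URL)
    print(extract_token({}, SAMPLE_URL))
    print(extract_token({"x-aa-token": SAMPLE_TOKEN},
                        "https://ws.example.org/model/1"))
    print(redact_url(SAMPLE_URL))
```

A service that accepts the query-string form would pass every request URL through `redact_url` before logging it, since the full URL otherwise lands in access logs with a working token in it.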