oauth scopes question


Carlos Eberhardt

Nov 12, 2012, 10:37:24 AM
to api-...@googlegroups.com
What do you all think about using oauth scopes to affect the response from a request?

For example, a person resource might have name, address, vital statistics, criminal record, technical skills.

GET /dudes/thatduderightthere could be the single endpoint and method that's used to return a varying level of info based on oauth scope. His mom wouldn't see his criminal record, his lawyer would.

Part of me says hey, that's kind of cool. But most of me doesn't like it. Smells like trouble. Am I off base? 

I'm sure there are pros/cons and this group seems like a great place to explore them. ;-)

Thanks,
Carlos

chris...@gmail.com

Nov 12, 2012, 12:12:42 PM
to api-...@googlegroups.com
On Mon, 12 Nov 2012, Carlos Eberhardt wrote:

> GET /dudes/thatduderightthere could be the single endpoint and method
> that's used to return a varying level of info based on oauth scope. His mom
> wouldn't see his criminal record, his lawyer would.
>
> Part of me says hey, that's kind of cool. But most of me doesn't like it.
> Smells like trouble. Am I off base?

I think it's okay. /dudes/thatduderightthere is the URI of a resource.
It's always the same resource. That the representation is different
depending on context (such as auth scope) is okay and even good.

--
Chris Dent http://burningchrome.com/
[...]

Dolf Schimmel

Nov 12, 2012, 12:30:10 PM
to api-...@googlegroups.com
If one were to use different representations for the same resource, please be sure to use appropriate accept headers for each representation. If you don't, I can guarantee a caching hell ;)

However, this wouldn't be my favorite implementation. You could say that the criminal records of a user are a collection by itself. Therefore, I'd personally prefer to use /dudes/dudeOne /dudes/dudeOne/criminalRecords, etc. This allows you to easily grow the information you supply about each user, while using HTTP response codes when someone tries to access information they're not allowed to access.
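The two designs discussed in this thread side by side, as an added example that is not code from any poster: one URI whose representation is filtered by scope through a default-deny field allowlist (with cache headers so a shared cache never hands one caller's representation to another), versus a separate sub-resource that is gated with an HTTP status code. The scope names, field names, the sample record and the choice of `Vary: Authorization` / `Cache-Control: private` are this example's assumptions.

```python
# Added example (not from the thread): two ways to gate a person representation
# by OAuth scope, using constructed data and plain tuples in place of an HTTP framework.

# Constructed sample record; field names follow Carlos's list.
PERSON = {
    "name": "That Dude",
    "address": "1 Example St",
    "vital_statistics": {"height_cm": 180},
    "criminal_record": ["constructed entry"],
    "technical_skills": ["REST"],
}

# Allowlist: which scope unlocks which fields. Anything not listed is never
# returned (default deny), so adding a field to the record later cannot leak it.
SCOPE_FIELDS = {
    "person:basic": {"name", "technical_skills"},
    "person:contact": {"address", "vital_statistics"},
    "person:legal": {"criminal_record"},
}

def represent_person(person, scopes):
    """Option 1 (Carlos/Chris): one URI, representation varies with scope.

    Returns (status, headers, body). Vary/Cache-Control tell shared caches not
    to reuse one caller's representation for another (Dolf's caching concern);
    the specific headers are this example's assumption, not the thread's.
    """
    allowed = set().union(*(SCOPE_FIELDS.get(s, set()) for s in scopes))
    body = {k: v for k, v in person.items() if k in allowed}
    headers = {"Vary": "Authorization", "Cache-Control": "private"}
    return 200, headers, body

# Option 2 (Dolf): sensitive data lives at its own sub-resource and access is
# refused with a status code instead of the field silently disappearing.
SUBRESOURCES = {"criminalRecords": ("criminal_record", "person:legal")}

def get_subresource(person, name, scopes):
    """GET /dudes/<id>/<name> -> (status, body): 404 unknown, 403 missing scope."""
    if name not in SUBRESOURCES:
        return 404, {"error": "not_found"}
    field, required_scope = SUBRESOURCES[name]
    if required_scope not in scopes:
        return 403, {"error": "insufficient_scope", "required": required_scope}
    return 200, {name: person[field]}
```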
