Py4Web "tags" should be SCOPES


Kevin Keller

Feb 24, 2020, 7:19:55 AM2/24/20
to web2py-users
Hey, 

I would like to suggest that if Py4Web is supposed to be an API-first framework, it should adhere to
modern auth standards right out of the gate.

Apart from having the ability to provide JWT access tokens and more OAuth2 plugins than just Facebook and Google (all things I started to work on),
I think we need to think in terms of scopes when it comes to access management instead of "tags" for access authorization.

It is pretty much the same thing, but using the term scopes and adhering to the OAuth2 terms and philosophy will make it
easier for programmers to understand how to secure APIs created with py4web faster.

We also need the ability to properly parse JWT tokens so that scopes included in the token can be matched to what is now called py4web "tags"
for data authorization. Also, we should be easily able to validate JWT tokens offline.

Plus py4web, if it wants to play the API game, needs to be able to extract claims from a JWT token in order to contextualize an API call easily. 

I think I have my work cut out for me, but I am just putting it out there, in the hope I can garner some support and understanding for this idea/approach,
and maybe someone who understands API design and OIDC/OAuth2 also wants to help out with this.

Maybe we can use some library that is already there, i.e.:


and if we want to mint our own JWT tokens for prototyping:


I'll look into that, unless you have a better idea.


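The token flow the post above describes (mint a JWT carrying OAuth2-style scopes, validate it offline, pull the claims out, and match the scopes against the "tags" an action requires), as an added example. This is not py4web code and not from the libraries Kevin mentions; it uses only the Python standard library, and the secret, issuer, subject and scope names are made up for the example.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"example-shared-secret-change-me"  # constructed for the example; use a real key in practice
ISSUER = "https://auth.example.invalid"      # hypothetical issuer name


class TokenError(Exception):
    """Raised for any reason a token must be rejected."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(subject: str, scopes, ttl: int = 300, now=None) -> str:
    """Mint an HS256 JWT; 'scope' is space-delimited as in OAuth2 (RFC 6749 section 3.3)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "iat": now, "exp": now + ttl,
              "scope": " ".join(scopes)}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now=None) -> dict:
    """Offline validation: only the shared key is needed, no call to the issuer."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        sig = _b64url_decode(s_b64)
    except ValueError:
        raise TokenError("malformed token")
    # Pin the algorithm: the verifier decides how to check, never the token's own header
    # (this is what defeats the classic alg=none substitution).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(SECRET, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise TokenError("token expired or missing exp")
    return claims


def scopes_of(claims: dict) -> set:
    """Extract the scope claim as a set of strings."""
    return set(claims.get("scope", "").split())


def authorize(token: str, required_tags, now=None) -> dict:
    """Treat each required py4web 'tag' as a scope the token must carry; return the claims."""
    claims = verify_token(token, now=now)
    missing = set(required_tags) - scopes_of(claims)
    if missing:
        raise TokenError("insufficient scope, missing " + " ".join(sorted(missing)))
    return claims


def allowed(token: str, required_tags, now=None) -> bool:
    """Boolean form of authorize(), convenient for a decorator or a guard in an action."""
    try:
        authorize(token, required_tags, now=now)
        return True
    except TokenError:
        return False


if __name__ == "__main__":
    t = mint_token("alice", ["orders:read"], now=1_700_000_000)
    print(authorize(t, ["orders:read"], now=1_700_000_100)["sub"])
```

The two checks worth keeping even if a library replaces the hand-rolled verifier: the accepted algorithm is fixed by the verifier rather than read from the header, and the signature is checked before any claim is trusted.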


villas

Feb 26, 2020, 11:33:27 AM2/26/20
to web2py-users
Hi Kevin

JWT seems to have everything we might need, although I am not knowledgeable enough to really help in implementing it.

However, perhaps you know whether there is a documented way for py4web to generate and verify signed URLs? (Hopefully with expiry.)
If at least that mechanism existed, I would be able to start writing the app I have in mind, without having to invent my own method.

Thanks for your efforts in trying to create JWT functionality!


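The mechanism asked about above, a signed URL with an expiry, as an added example. This is not py4web's implementation and not the code from any pull request; it is a stand-alone HMAC-SHA256 construction using only the Python standard library, with a made-up signing key and made-up paths.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

SECRET = b"example-url-signing-key"  # constructed for the example; keep a real key out of source


def _signature(path: str, params) -> str:
    # Canonical form: the path plus the query pairs sorted by key and value,
    # so reordering the query string cannot change what was signed.
    canonical = path + "?" + urlencode(sorted(params))
    return hmac.new(SECRET, canonical.encode(), hashlib.sha256).hexdigest()


def sign_url(path: str, params=None, ttl: int = 600, now=None) -> str:
    """Return path?params&_expires=<unix time>&_signature=<hex>, valid for ttl seconds."""
    now = int(time.time()) if now is None else now
    pairs = [(k, str(v)) for k, v in (params or {}).items()]
    pairs.append(("_expires", str(now + ttl)))
    # The expiry is part of the signed data, so it cannot be extended by editing the URL.
    pairs.append(("_signature", _signature(path, pairs)))
    return path + "?" + urlencode(pairs)


def verify_url(url: str, now=None) -> bool:
    """True only if the signature covers the path and every query pair and the URL is not expired."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    q = dict(pairs)
    if "_signature" not in q or "_expires" not in q:
        return False
    try:
        if now >= int(q["_expires"]):
            return False
    except ValueError:
        return False
    # Every pair except the signature itself is re-signed, so an added or duplicated
    # parameter (e.g. a second _expires) changes the canonical string and fails.
    unsigned = [(k, v) for k, v in pairs if k != "_signature"]
    expected = _signature(parts.path, unsigned)
    return hmac.compare_digest(expected, q["_signature"])


if __name__ == "__main__":
    u = sign_url("/api/download/42", {"user": "alice"}, ttl=60, now=1_700_000_000)
    print(u, verify_url(u, now=1_700_000_030))
```

The check is constant-time on the signature and refuses anything it cannot parse as an expiry, so a missing or malformed `_expires` is a rejection rather than a "no expiry" case.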



Christian Varas

Feb 26, 2020, 1:46:34 PM2/26/20
to web...@googlegroups.com
About the signed URLs: it is already implemented in this pull request
Cheers.
