Hi,
I've been working with Hypermedia APIs recently (mostly with HAL), and what I like the most about that kind of API is the discoverability aspect: with only the root URL of the API, it is possible to navigate through resources by following links (with something like the HAL Browser/Navigator) without any prior knowledge.
Now, with HAL-Forms, it's even possible to declare the parameters/json-payload that must be sent with POST/PUT and generate forms dynamically on the client.
But there is still one aspect of APIs which seems to require out-of-band information: security. Once you have secured resources which require specific authorization tokens, discoverability stops.
I haven't (yet) found any *standard* way for the resource server to give the client the required information about what kind of authorization tokens it needs nor how to acquire one.
In contrast, for a standard server-side rendered app, things are easy: when the user needs to be authenticated, you respond with a WWW-Authenticate: Basic header or redirect the user to some login system, and after authentication a cookie is baked and voilà... but things seem so much more complicated with SPAs + APIs.
Does anybody know if some initiatives exist on that matter? I would (naively) think of something along the lines of:
>> GET /myApi/myProtectedResource
<< 401 Unauthorized
<< 200 OK
<< Content-Type: application/auths+json
<< {
<<   "auths": [
<<     {
<<       "type": "OAuth2",
<<       "flow": "authorization-code",
<<       "href": "...",
<<       ... /* specific parameters needed to initiate an authorization code flow */
<<     },
<<     {
<<       "type": "OAuth2",
<<       "flow": "authorization-code-pkce",
<<       "href": "...",
<<       ... /* specific parameters needed to initiate an authorization code with PKCE flow */
<<     }
<<   ]
<< }
Regards,
Xavier
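As an added illustration (not part of Xavier's post, and not any standard), here is what the client side of the sketched exchange could look like: a SPA receives the 401, recognises the proposed application/auths+json document, picks the safest advertised flow (PKCE before plain authorization code, since a public client cannot keep a client secret), and builds the redirect. The sample response body, the endpoint URLs and the parameter names client_id and scopes are constructed assumptions about the "specific parameters" the post leaves open; the PKCE part follows RFC 7636.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

# Constructed sample response, modelled on the post's sketch.  The media type
# and document shape are the post's proposal, not a standard; client_id and
# scopes are assumed names for the "specific parameters".
SAMPLE_STATUS = 401
SAMPLE_HEADERS = {
    "Content-Type": "application/auths+json",
    "WWW-Authenticate": 'Bearer realm="myApi"',
}
SAMPLE_BODY = json.dumps({
    "auths": [
        {"type": "OAuth2", "flow": "authorization-code",
         "href": "https://auth.example.test/authorize",
         "client_id": "spa-client", "scopes": ["read"]},
        {"type": "OAuth2", "flow": "authorization-code-pkce",
         "href": "https://auth.example.test/authorize",
         "client_id": "spa-client", "scopes": ["read"]},
    ]
})

# A browser-based client has no client secret, so prefer PKCE; fall back to
# the plain code flow only if nothing better is advertised.
FLOW_PREFERENCE = ("authorization-code-pkce", "authorization-code")


def parse_auth_options(status, headers, body):
    """Return the advertised options, or [] when the response is not a
    discovery document (wrong status, wrong media type, malformed body)."""
    if status != 401:
        return []
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype != "application/auths+json":
        return []
    options = json.loads(body).get("auths")
    if not isinstance(options, list):
        return []
    # Only accept well-formed OAuth2 entries whose endpoint is https; a
    # discovery document must not be able to send the user to a plain-http
    # or relative location.
    return [o for o in options
            if isinstance(o, dict) and o.get("type") == "OAuth2"
            and isinstance(o.get("href"), str)
            and o["href"].startswith("https://")]


def choose_flow(options, preference=FLOW_PREFERENCE):
    """Pick the first advertised option in the client's preference order."""
    for flow in preference:
        for o in options:
            if o.get("flow") == flow:
                return o
    return None


def make_pkce_pair():
    """RFC 7636: a random code_verifier and its S256 code_challenge."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, within the 43..128 range
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorization_url(option, redirect_uri, state):
    """Turn a chosen option into the redirect the SPA performs.
    Returns (url, code_verifier); the verifier is None for non-PKCE flows."""
    params = {
        "response_type": "code",
        "client_id": option["client_id"],
        "redirect_uri": redirect_uri,
        "scope": " ".join(option.get("scopes", [])),
        "state": state,  # bound to the session and re-checked on the callback
    }
    verifier = None
    if option["flow"] == "authorization-code-pkce":
        verifier, challenge = make_pkce_pair()
        params["code_challenge"] = challenge
        params["code_challenge_method"] = "S256"
    return option["href"] + "?" + urlencode(params), verifier


if __name__ == "__main__":
    opts = parse_auth_options(SAMPLE_STATUS, SAMPLE_HEADERS, SAMPLE_BODY)
    chosen = choose_flow(opts)
    url, verifier = build_authorization_url(
        chosen, "https://spa.example.test/callback", secrets.token_urlsafe(16))
    print(chosen["flow"])
    print(url)
```

The client keeps the code_verifier (and the state) in session storage until the callback arrives, then sends the verifier with the token request; a document that advertises only the plain flow is still usable, but the client should make that choice explicit rather than silently accept whatever the server lists first.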