Hi Tom,
I agree with the idea that we ultimately need a new place to store these
credentials: not in the workflow JSON, nor in the preferences, but
somewhere more hidden (with some basic encryption, just for the sake of
not having them in plain text).
I like the idea of storing these centrally, such that a single
credential entry could be used in multiple contexts (fetching URLs,
reconciliation, …) but I am concerned about the added complexity.
It is pretty common to see to different authentication methods used
within the same domain (API key, Cookie based, HTTP auth…) so I would
not expect this sharing to be useful that often. If we add support for
authentication in the reconciliation protocol, it is likely that it is
done in a way that is slightly incompatible with the current
authentication mechanisms in the web APIs offered alongside
reconciliation endpoints.
You have described how these credentials could be stored in the backend,
but for me it is not clear what the user experience looks like.
Say I register a new reconciliation service
https://foo.com/reconcile
which requires authentication. I am prompted for my API key (for
instance) which gets stored in the credentials store for
"
https://com.foo/reconcile". Later on, I want to fetch data from the
public API of the same service at
https://foo.com/api. What happens
here? If I do not specify any authentication, the API key for the
reconciliation endpoint will be reused by default, right? Now I see a
few problems with this:
- how will the user understand that they do not need to enter
credentials again here? They will basically need to understand the
underlying matching algorithm, right?
- what if this API does not actually need authentication and returns an
error when this extra parameter is supplied? The user did not supply any
authentication and obtains an error that will be difficult to understand
and circumvent, no?
- what about the case where the credentials are the same for the
reconciliation endpoint and the web API, but are passed in different ways?
- say I supply different credentials in the "fetch URL" operation. Which
key is going to be used to store them, since the URLs generally vary for
each row and might not even have a common prefix?
So I would go for a simpler system. Perhaps just a list of secrets,
stored as a simple key-value store (just like the preference store),
which the user could pick credentials from, in various contexts
(reconciliation, fetch URLs, others…). The credentials would be referred
to by their keys in the workflow JSON, and the operation itself would
retrieve the secret value from the store at runtime.
Even that is quite involved by itself - so if you are after
authentication support for reconciliation, perhaps it would be worth
adding support for that with our current naive credentials storage
(directly in the preferences, for instance), and improve it as a second
step?
Best,
Antonin
> --
> You received this message because you are subscribed to the Google
> Groups "OpenRefine Development" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to
openrefine-de...@googlegroups.com
> <mailto:
openrefine-de...@googlegroups.com>.
> <
https://groups.google.com/d/msgid/openrefine-dev/CAE9vqEFOci5ACk5XR0XOZnYBU63-rbjjk_YqaJcAad7TAbi2SQ%40mail.gmail.com?utm_medium=email&utm_source=footer>.