Authorization actions header


Pim Kartner

Jun 8, 2016, 6:08:56 AM6/8/16
to Siren Hypermedia
Hi, we are currently setting up a Siren API. For authorization we have defined a few actions on the root entity. It is possible to have the fields in this action (username, password) encoded as application/json, and this would work fine.

We however want to have these actions encoded in the header under the authorization key. What would be a good way to handle this? What encoding type would you specify for the header?

I would appreciate any insight you can provide.

Kevin Swiber

Jun 16, 2016, 12:56:19 PM6/16/16
to Siren Hypermedia
Hey Pim,

There's currently no Siren-specific way to indicate an action field should be submitted in a header.  I usually don't include an action for authorization.  If you wanted to do it this way, the best thing to do would be to indicate your desire for using the header in the documentation for the action.  Bear in mind that generic Siren clients may not support this and that you may have to make an exception for this particular action.


Cheers,

Kevin


Pim Kartner

Jun 17, 2016, 6:08:58 AM6/17/16
to Siren Hypermedia
Hey Kevin,

Would you say it is better practice to handle it through the fields exposed by the action?

Kind regards,

Pim

Tom Howard

Jun 17, 2016, 7:12:53 AM6/17/16
to Siren Hypermedia
I would start by using the existing HTTP protocols. If the client makes a request for a resource that requires authentication, then respond with a 401 and use the WWW-Authenticate header to tell the client how to authenticate.

If you want, you could also include a 401-like class on the actions and links that require authentication, to hint to clients that they will need to authenticate in order to use them. Clients that are happy to have a tighter coupling could then preemptively provide an appropriate authorization header on requests to those resources and skip the 401.
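Tom's suggestion, worked through as an added example that is not part of the original thread or of any Siren implementation: a Siren root entity whose protected actions and links carry a hint class, a server-side handler that answers unauthenticated requests to protected resources with 401 plus a WWW-Authenticate challenge, and a generic client that attaches the Authorization header up front when it sees the hint and otherwise falls back to the 401 round trip. The class name "auth-required", the URLs, the bearer token and the in-memory `send` transport are all assumptions made for illustration; Siren itself defines no such class.

```javascript
// Added example (not from the original thread). The "auth-required" class,
// URLs and token are illustrative assumptions, not part of Siren.

// Constructed Siren root entity.
const rootEntity = {
  class: ['root'],
  properties: { name: 'Example API' },
  actions: [
    {
      name: 'create-order',
      class: ['auth-required'],   // hint: this action will 401 without credentials
      method: 'POST',
      href: 'https://api.example.com/orders',
      type: 'application/json',
      fields: [{ name: 'sku', type: 'text' }],
    },
    {
      name: 'search',
      method: 'GET',
      href: 'https://api.example.com/search',
      fields: [{ name: 'q', type: 'text' }],
    },
  ],
  links: [
    { rel: ['self'], href: 'https://api.example.com/' },
    { rel: ['account'], class: ['auth-required'], href: 'https://api.example.com/me' },
  ],
};

// Case-insensitive header lookup (HTTP header names are case-insensitive).
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key ? headers[key] : undefined;
}

// --- Server side ---------------------------------------------------------
const PROTECTED_PATHS = new Set(['/orders', '/me']);
const VALID_TOKENS = new Set(['s3cr3t-token']);   // constructed sample credential

// Handle an in-memory request {method, url, headers}. Protected resources
// without a valid bearer token get 401 and a WWW-Authenticate challenge
// (RFC 7235 framing, RFC 6750 Bearer scheme).
function handleRequest(req) {
  const path = new URL(req.url).pathname;
  if (!PROTECTED_PATHS.has(path)) return { status: 200, headers: {} };
  const auth = getHeader(req.headers, 'Authorization');
  if (!auth) {
    return { status: 401, headers: { 'WWW-Authenticate': 'Bearer realm="example"' } };
  }
  const m = /^Bearer\s+(\S+)$/i.exec(auth);
  if (!m || !VALID_TOKENS.has(m[1])) {
    return {
      status: 401,
      headers: { 'WWW-Authenticate': 'Bearer realm="example", error="invalid_token"' },
    };
  }
  return { status: req.method === 'POST' ? 201 : 200, headers: {} };
}

// --- Client side ---------------------------------------------------------
function requiresAuth(item) {
  return Array.isArray(item.class) && item.class.includes('auth-required');
}

// Parse `Bearer realm="example", error="invalid_token"` into scheme + params.
function parseChallenge(value) {
  const [scheme, ...rest] = value.trim().split(/\s+/);
  const params = {};
  for (const m of rest.join(' ').matchAll(/(\w+)="([^"]*)"/g)) params[m[1]] = m[2];
  return { scheme: scheme.toLowerCase(), params };
}

// Submit a Siren action. If the action carries the hint class, attach the
// Authorization header up front; otherwise rely on the 401 challenge and retry
// exactly once. Returns the final status and the number of round trips.
function performAction(action, token, send) {
  const headers = {};
  if (action.type) headers['Content-Type'] = action.type;
  let sentCredentials = false;
  if (requiresAuth(action) && token) {
    headers.Authorization = `Bearer ${token}`;
    sentCredentials = true;
  }
  let res = send({ method: action.method, url: action.href, headers });
  let attempts = 1;
  if (res.status === 401 && !sentCredentials && token) {
    const challenge = parseChallenge(getHeader(res.headers, 'WWW-Authenticate') || '');
    if (challenge.scheme === 'bearer') {
      headers.Authorization = `Bearer ${token}`;
      res = send({ method: action.method, url: action.href, headers });
      attempts += 1;
    }
  }
  return { status: res.status, attempts };
}

function findAction(entity, name) {
  return entity.actions.find((a) => a.name === name);
}
```

With the hint present, `performAction(findAction(rootEntity, 'create-order'), 's3cr3t-token', handleRequest)` succeeds in one round trip; strip the class and the same call takes two, the first answered by the 401 challenge. A client that does not understand the class still works correctly, which is the point of keeping the challenge as the source of truth and the class as an optimisation only.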
