API Rest authentication


samuel bonill

Apr 25, 2014, 10:33:34 PM
to web...@googlegroups.com
Is there an example of API Rest authentication based on private/public keys with web2py?
I don't want to use username and password tokens for each request.

Samuel Marks

Apr 25, 2014, 10:41:13 PM
to web...@googlegroups.com
On Sat, Apr 26, 2014 at 12:33 PM, samuel bonill <pytho...@gmail.com> wrote:
Is there an example of API Rest authentication based on private/public keys with web2py?
I don't want to use username and password tokens for each request.


samuel bonill

Apr 26, 2014, 10:05:55 AM
to web...@googlegroups.com
Thanks Marks, I'm using PhoneGap (Android, iOS) as my client, and AngularJS consumes the API Rest.
x509 is great, but does x509 work on App Engine? Or what do you think about using OAuth 2.0?


Samuel Marks

Apr 26, 2014, 10:20:02 AM
to web...@googlegroups.com

I'm a big RFC6749 fan

Quite simple; and you can implement your own custom grant, e.g. for higher security using x509 certificates.

Samuel Marks
http://linkedin.com/in/samuelmarks

Christian Foster Howes

Apr 26, 2014, 6:24:11 PM
to web...@googlegroups.com
I have an OAuth implementation that I used on App Engine. I can try and clean it up a touch and share it if you would like.

cfh



samuel bonill

Apr 26, 2014, 9:09:13 PM
to web...@googlegroups.com
Yes Christian, I'd like to take a look...



Christian Foster Howes

Apr 27, 2014, 1:58:52 PM
to web...@googlegroups.com
Attached is our auth code. I made a few minor adjustments to remove some things that are specific to our app - hopefully it still runs.

Note that we use this as a decorator to controller methods.


xauth.py

samuel bonill

Apr 27, 2014, 2:29:32 PM
to web...@googlegroups.com
Thanks Christian...



Dave S

Apr 28, 2014, 8:07:09 PM
to web...@googlegroups.com
On Saturday, April 26, 2014 7:20:02 AM UTC-7, Samuel Marks wrote:

I'm a big RFC6749 fan

Quite simple; and you can implement your own custom grant, e.g. for higher security using x509 certificates.


Is there a handy link to a good discussion of that?

I was concerned by the arguments from
<http://hueniverse.com/2010/09/15/oauth-2-0-without-signatures-is-bad-for-the-web/>
so I'm wondering how to improve on WRAP (and hoping it's been done, and I just have to follow the recipe).

Not that I'm ready to provide a discoverable API, but I've already used up a few corners in painting myself into.

/dps

Leonel Câmara

Apr 29, 2014, 2:38:02 AM
to web...@googlegroups.com
How do you save API authentication credentials on a phonegap application? How do you prevent people from stealing them?

Samuel Marks

Apr 29, 2014, 7:16:22 AM
to web...@googlegroups.com

User credentials grant flow with expiring and manually invalidatable tokens (I implemented it as logging out from one device logs you out everywhere)

Samuel Marks
http://linkedin.com/in/samuelmarks
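
The token behaviour described above (expiring tokens, and a logout that invalidates every token of that user), applied through a controller decorator as mentioned earlier in the thread. This is an added example: it is not part of any post and is not the attached xauth.py. `TokenStore`, `requires_token`, the `get_header` hook, the in-memory dictionary and the one-hour lifetime are assumptions for illustration; a deployment would keep the digests in a database table.

```python
import hashlib
import secrets
import time
from functools import wraps

TOKEN_TTL = 3600  # assumed lifetime in seconds

class TokenStore:
    """In-memory stand-in (assumption) for a table of issued tokens."""
    def __init__(self, clock=time.time):
        self._tokens = {}  # sha256(token) -> (user_id, expires_at)
        self._clock = clock

    @staticmethod
    def _digest(token):
        # Only a digest is stored, so a leaked table does not leak usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, ttl=TOKEN_TTL):
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = (user_id, self._clock() + ttl)
        return token

    def lookup(self, token):
        """Return the user id for a live token, or None if unknown or expired."""
        key = self._digest(token)
        user_id, expires_at = self._tokens.get(key, (None, 0))
        if user_id is None or self._clock() >= expires_at:
            self._tokens.pop(key, None)
            return None
        return user_id

    def revoke_user(self, user_id):
        # Logging out on one device drops every token issued to that user.
        self._tokens = {k: v for k, v in self._tokens.items() if v[0] != user_id}

def requires_token(store, get_header):
    """Decorator for controller functions; get_header is a hypothetical hook
    returning the request's Authorization header value, or None."""
    def decorator(action):
        @wraps(action)
        def wrapper(*args, **kwargs):
            scheme, _, token = (get_header() or "").partition(" ")
            user_id = store.lookup(token) if scheme == "Bearer" else None
            if user_id is None:
                return {"status": 401, "error": "invalid_token"}
            return action(user_id, *args, **kwargs)
        return wrapper
    return decorator
```

The `clock` parameter exists so expiry can be exercised without waiting; the 401 dictionary stands in for whatever error response the framework uses.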


Leonel Câmara

Apr 29, 2014, 9:41:50 AM
to
Oh, the users themselves log in. I was interested in knowing if you had a solution to store API tokens, the same way you need to store API keys for Google and Facebook, as right now I don't see how I can safely put them in the mobile app and I have to use my server as a middleman. The point also being to prevent other people from using your API.

samuel bonill

Apr 29, 2014, 10:06:27 AM
to web...@googlegroups.com
My solution to store access tokens: I use AngularJS on a PhoneGap application to store the access tokens, based on this article:

https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/

Example:
$http
      .post('/default/api/users', $scope.user)
      .success(function (data, status, headers, config) {
        // Keep the token returned by the API in sessionStorage
        $window.sessionStorage.token = data.token;
        $scope.message = 'Welcome';
      });




Samuel Marks

Apr 29, 2014, 10:22:46 AM
to web...@googlegroups.com
You should be using DI and throwing things into header defaults.

Otherwise you won't be promoting DRY.

Anyway, when you get to that point you move away from web2py (like I have done). Recommend checking out Bottle.