On Wed, Nov 02, 2016 at 01:20:05PM +0100, Thomas von Dein wrote:
> > over a more modern API approach like OAuth2?
> Well, "modern" is tomorrow's crab. So, be it OAuth2 or something else as long as it's secure, understandable, reliable and consistent.
Ok, since there are no responses, let me explain the comment in more detail. As far as I know, RIPE doesn't provide OAuth-based login for API access yet, only password-based authentication. We cannot use this, since we don't have a password set on our maintainer object and we don't intend to change this. PGP-based authentication, on the other hand, is already implemented elsewhere with RIPE (autodbm), hence the suggestion to use it in the REST API as well.

One more thing about OAuth: you'd need an external provider for authentication forwarding. Which? And why should I introduce another entity into the process? Also, building our own provider just for updating objects doesn't make any sense. Also, it's insecure [1], at least as it's implemented currently on most sites.

So, the easiest way to implement this would be (for example) to introduce a query parameter 'signature' which contains a base64-encoded PGP signature of the current POST data, which could be verified by the backend. Or something like this.

best regards,
Tom

1) http://insanecoding.blogspot.de/2016/04/oauth-why-it-doesnt-work-and-how-to-...

--
Thomas von Dein <admins@f-i-ts.net>
Finanz Informatik Technologie Service GmbH & Co. KG, OE 76052
Tel: 089/94511-8833, Fax: 089/94511-8941, http://www.f-i-ts.net