API query

classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|

API query

Colm O hEigeartaigh
Hi all,

From the wiki:

https://cwiki.apache.org/confluence/display/SYNCOPE/REST+API+upgrade#RESTAPIupgrade-UserService

GET /user/verifyPassword/{username}?password={password}  GET
/users?username={username}&pwd={password}  Returns user if username and
password match with an existing account.
This method actually returns a boolean not the user, and so the description
is invalid.

Could someone clarify whether the new API is intended to return a boolean
or the User?

Colm.


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
Reply | Threaded
Open this post in threaded view
|

RE: API query

Jan Bernhardt
Hi Colm,

The description is wrong, this method returns a boolean.

Best regards.
Jan

> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:[hidden email]]
> Sent: Mittwoch, 20. Februar 2013 16:48
> To: [hidden email]
> Subject: API query
>
> Hi all,
>
> From the wiki:
>
> https://cwiki.apache.org/confluence/display/SYNCOPE/REST+API+upgrade#
> RESTAPIupgrade-UserService
>
> GET /user/verifyPassword/{username}?password={password}  GET
> /users?username={username}&pwd={password}  Returns user if username
> and password match with an existing account.
> This method actually returns a boolean not the user, and so the description is
> invalid.
>
> Could someone clarify whether the new API is intended to return a boolean
> or the User?
>
> Colm.
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
Reply | Threaded
Open this post in threaded view
|

Re: API query

Colm O hEigeartaigh
Thanks Jan, I have updated it. The "old" API method returns "null" if the
User does not exist, whereas the new API does not seem to return anything.
Would it not be better in both cases to return "false" explicitly? Or are
there backwards compatilbity concerns about changing this?

Colm.

On Wed, Feb 20, 2013 at 4:00 PM, Jan Bernhardt <[hidden email]>wrote:

> Hi Colm,
>
> The description is wrong, this method returns a boolean.
>
> Best regards.
> Jan
>
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:[hidden email]]
> > Sent: Mittwoch, 20. Februar 2013 16:48
> > To: [hidden email]
> > Subject: API query
> >
> > Hi all,
> >
> > From the wiki:
> >
> > https://cwiki.apache.org/confluence/display/SYNCOPE/REST+API+upgrade#
> > RESTAPIupgrade-UserService
> >
> > GET /user/verifyPassword/{username}?password={password}  GET
> > /users?username={username}&pwd={password}  Returns user if username
> > and password match with an existing account.
> > This method actually returns a boolean not the user, and so the
> description is
> > invalid.
> >
> > Could someone clarify whether the new API is intended to return a boolean
> > or the User?
> >
> > Colm.
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
Reply | Threaded
Open this post in threaded view
|

Re: API query

Colm O hEigeartaigh
A second thought is that a API to return the User matching the given
username + password would be quite nice, unless there is another way of
doing this that I am missing. WDYT?

Colm.

On Wed, Feb 20, 2013 at 4:04 PM, Colm O hEigeartaigh <[hidden email]>wrote:

>
> Thanks Jan, I have updated it. The "old" API method returns "null" if the
> User does not exist, whereas the new API does not seem to return anything.
> Would it not be better in both cases to return "false" explicitly? Or are
> there backwards compatilbity concerns about changing this?
>
> Colm.
>
>
> On Wed, Feb 20, 2013 at 4:00 PM, Jan Bernhardt <[hidden email]>wrote:
>
>> Hi Colm,
>>
>> The description is wrong, this method returns a boolean.
>>
>> Best regards.
>> Jan
>>
>> > -----Original Message-----
>> > From: Colm O hEigeartaigh [mailto:[hidden email]]
>> > Sent: Mittwoch, 20. Februar 2013 16:48
>> > To: [hidden email]
>> > Subject: API query
>> >
>> > Hi all,
>> >
>> > From the wiki:
>> >
>> > https://cwiki.apache.org/confluence/display/SYNCOPE/REST+API+upgrade#
>> > RESTAPIupgrade-UserService
>> >
>> > GET /user/verifyPassword/{username}?password={password}  GET
>> > /users?username={username}&pwd={password}  Returns user if username
>> > and password match with an existing account.
>> > This method actually returns a boolean not the user, and so the
>> description is
>> > invalid.
>> >
>> > Could someone clarify whether the new API is intended to return a
>> boolean
>> > or the User?
>> >
>> > Colm.
>> >
>> >
>> > --
>> > Colm O hEigeartaigh
>> >
>> > Talend Community Coder
>> > http://coders.talend.com
>>
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
Reply | Threaded
Open this post in threaded view
|

Re: API query

Sergey Beryozkin
I wonder if

"GET /users?username={username}&pwd={password}"

is safe enough, as these URIs might get cached somewhere given it is GET
(though not sure if the caching of URIs can happen with HTTPS).

Might make sense considering treating this as an action request, with
the credentials being POSTed to /users resource and expecting a
validated user rep back,

Cheers, Sergey



On 20/02/13 16:06, Colm O hEigeartaigh wrote:

> A second thought is that a API to return the User matching the given
> username + password would be quite nice, unless there is another way of
> doing this that I am missing. WDYT?
>
> Colm.
>
> On Wed, Feb 20, 2013 at 4:04 PM, Colm O hEigeartaigh<[hidden email]>wrote:
>
>>
>> Thanks Jan, I have updated it. The "old" API method returns "null" if the
>> User does not exist, whereas the new API does not seem to return anything.
>> Would it not be better in both cases to return "false" explicitly? Or are
>> there backwards compatilbity concerns about changing this?
>>
>> Colm.
>>
>>
>> On Wed, Feb 20, 2013 at 4:00 PM, Jan Bernhardt<[hidden email]>wrote:
>>
>>> Hi Colm,
>>>
>>> The description is wrong, this method returns a boolean.
>>>
>>> Best regards.
>>> Jan
>>>
>>>> -----Original Message-----
>>>> From: Colm O hEigeartaigh [mailto:[hidden email]]
>>>> Sent: Mittwoch, 20. Februar 2013 16:48
>>>> To: [hidden email]
>>>> Subject: API query
>>>>
>>>> Hi all,
>>>>
>>>>  From the wiki:
>>>>
>>>> https://cwiki.apache.org/confluence/display/SYNCOPE/REST+API+upgrade#
>>>> RESTAPIupgrade-UserService
>>>>
>>>> GET /user/verifyPassword/{username}?password={password}  GET
>>>> /users?username={username}&pwd={password}  Returns user if username
>>>> and password match with an existing account.
>>>> This method actually returns a boolean not the user, and so the
>>> description is
>>>> invalid.
>>>>
>>>> Could someone clarify whether the new API is intended to return a
>>> boolean
>>>> or the User?
>>>>
>>>> Colm.
>>>>
>>>>
>>>> --
>>>> Colm O hEigeartaigh
>>>>
>>>> Talend Community Coder
>>>> http://coders.talend.com
>>>
>>
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
>>
>
>
>


--
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com
Reply | Threaded
Open this post in threaded view
|

RE: API query

Jan Bernhardt
In reply to this post by Colm O hEigeartaigh
Hi Colm,

+1 for returning user instead of Boolean for authentication process. I wasn't happy about the current handling anyway, since URL pattern did not reflect a different response type. This way username and password can be seen as "search queries" for a user with matching username and password. If authentication is successful we should return 200 OK, if authentication fails we should return 404 NOT FOUND.

This way we could support both GET for returning matching user (including roles) or HEAD if only Authentication result (TRUE : 200 or FALSE : 404) is required.

Applying these changes should be relatively easy. If no other syncope users raise concerns about this, you can create a JIRA issue for this.

And we should also take Sergeys comment into account and disable caching for this authentication URL.

Best regards.
Jan

> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:[hidden email]]
> Sent: Mittwoch, 20. Februar 2013 17:06
> To: Jan Bernhardt
> Cc: [hidden email]
> Subject: Re: API query
>
> A second thought is that a API to return the User matching the given
> username + password would be quite nice, unless there is another way of
> doing this that I am missing. WDYT?
>
> Colm.
>
> On Wed, Feb 20, 2013 at 4:04 PM, Colm O hEigeartaigh
> <[hidden email]>wrote:
>
> >
> > Thanks Jan, I have updated it. The "old" API method returns "null" if
> > the User does not exist, whereas the new API does not seem to return
> anything.
> > Would it not be better in both cases to return "false" explicitly? Or
> > are there backwards compatilbity concerns about changing this?
> >
> > Colm.
> >
> >
> > On Wed, Feb 20, 2013 at 4:00 PM, Jan Bernhardt
> <[hidden email]>wrote:
> >
> >> Hi Colm,
> >>
> >> The description is wrong, this method returns a boolean.
> >>
> >> Best regards.
> >> Jan
> >>
> >> > -----Original Message-----
> >> > From: Colm O hEigeartaigh [mailto:[hidden email]]
> >> > Sent: Mittwoch, 20. Februar 2013 16:48
> >> > To: [hidden email]
> >> > Subject: API query
> >> >
> >> > Hi all,
> >> >
> >> > From the wiki:
> >> >
> >> >
> https://cwiki.apache.org/confluence/display/SYNCOPE/REST+API+upgrad
> >> > e#
> >> > RESTAPIupgrade-UserService
> >> >
> >> > GET /user/verifyPassword/{username}?password={password}  GET
> >> > /users?username={username}&pwd={password}  Returns user if
> username
> >> > and password match with an existing account.
> >> > This method actually returns a boolean not the user, and so the
> >> description is
> >> > invalid.
> >> >
> >> > Could someone clarify whether the new API is intended to return a
> >> boolean
> >> > or the User?
> >> >
> >> > Colm.
> >> >
> >> >
> >> > --
> >> > Colm O hEigeartaigh
> >> >
> >> > Talend Community Coder
> >> > http://coders.talend.com
> >>
> >
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
Reply | Threaded
Open this post in threaded view
|

Re: API query

Colm O hEigeartaigh
Thanks for the feedback Jan, here is the JIRA:

https://issues.apache.org/jira/browse/SYNCOPE-324

Colm.

On Thu, Feb 21, 2013 at 12:46 PM, Jan Bernhardt <[hidden email]>wrote:

> Hi Colm,
>
> +1 for returning user instead of Boolean for authentication process. I
> wasn't happy about the current handling anyway, since URL pattern did not
> reflect a different response type. This way username and password can be
> seen as "search queries" for a user with matching username and password. If
> authentication is successful we should return 200 OK, if authentication
> fails we should return 404 NOT FOUND.
>
> This way we could support both GET for returning matching user (including
> roles) or HEAD if only Authentication result (TRUE : 200 or FALSE : 404) is
> required.
>
> Applying these changes should be relatively easy. If no other syncope
> users raise concerns about this, you can create a JIRA issue for this.
>
> And we should also take Sergeys comment into account and disable caching
> for this authentication URL.
>
> Best regards.
> Jan
>
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:[hidden email]]
> > Sent: Mittwoch, 20. Februar 2013 17:06
> > To: Jan Bernhardt
> > Cc: [hidden email]
> > Subject: Re: API query
> >
> > A second thought is that a API to return the User matching the given
> > username + password would be quite nice, unless there is another way of
> > doing this that I am missing. WDYT?
> >
> > Colm.
> >
> > On Wed, Feb 20, 2013 at 4:04 PM, Colm O hEigeartaigh
> > <[hidden email]>wrote:
> >
> > >
> > > Thanks Jan, I have updated it. The "old" API method returns "null" if
> > > the User does not exist, whereas the new API does not seem to return
> > anything.
> > > Would it not be better in both cases to return "false" explicitly? Or
> > > are there backwards compatilbity concerns about changing this?
> > >
> > > Colm.
> > >
> > >
> > > On Wed, Feb 20, 2013 at 4:00 PM, Jan Bernhardt
> > <[hidden email]>wrote:
> > >
> > >> Hi Colm,
> > >>
> > >> The description is wrong, this method returns a boolean.
> > >>
> > >> Best regards.
> > >> Jan
> > >>
> > >> > -----Original Message-----
> > >> > From: Colm O hEigeartaigh [mailto:[hidden email]]
> > >> > Sent: Mittwoch, 20. Februar 2013 16:48
> > >> > To: [hidden email]
> > >> > Subject: API query
> > >> >
> > >> > Hi all,
> > >> >
> > >> > From the wiki:
> > >> >
> > >> >
> > https://cwiki.apache.org/confluence/display/SYNCOPE/REST+API+upgrad
> > >> > e#
> > >> > RESTAPIupgrade-UserService
> > >> >
> > >> > GET /user/verifyPassword/{username}?password={password}  GET
> > >> > /users?username={username}&pwd={password}  Returns user if
> > username
> > >> > and password match with an existing account.
> > >> > This method actually returns a boolean not the user, and so the
> > >> description is
> > >> > invalid.
> > >> >
> > >> > Could someone clarify whether the new API is intended to return a
> > >> boolean
> > >> > or the User?
> > >> >
> > >> > Colm.
> > >> >
> > >> >
> > >> > --
> > >> > Colm O hEigeartaigh
> > >> >
> > >> > Talend Community Coder
> > >> > http://coders.talend.com
> > >>
> > >
> > >
> > >
> > > --
> > > Colm O hEigeartaigh
> > >
> > > Talend Community Coder
> > > http://coders.talend.com
> > >
> >
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
Reply | Threaded
Open this post in threaded view
|

Re: API query

Sergey Beryozkin
In reply to this post by Sergey Beryozkin
Hi
On 20/02/13 19:16, Sergey Beryozkin wrote:

> I wonder if
>
> "GET /users?username={username}&pwd={password}"
>
> is safe enough, as these URIs might get cached somewhere given it is GET
> (though not sure if the caching of URIs can happen with HTTPS).
>
> Might make sense considering treating this as an action request, with
> the credentials being POSTed to /users resource and expecting a
> validated user rep back,
>

Sorry, not replying directly to Jan's response the other day where he
recommended to use a Cache directive to disable the caching of the data,
I can not find it in my mail box :-)

I'm looking at the possible use of OAuth2 bearer tokens within URI query
components, and can see the people warning of the possible 'leaks' of
these potentially sensitive query data in the logs. Whether it is a
concern or not for Syncope I'm not sure, but thought I'd mention it FYI

Cheers, Sergey

>
>
> On 20/02/13 16:06, Colm O hEigeartaigh wrote:
>> A second thought is that a API to return the User matching the given
>> username + password would be quite nice, unless there is another way of
>> doing this that I am missing. WDYT?
>>
>> Colm.
>>
>> On Wed, Feb 20, 2013 at 4:04 PM, Colm O
>> hEigeartaigh<[hidden email]>wrote:
>>
>>>
>>> Thanks Jan, I have updated it. The "old" API method returns "null" if
>>> the
>>> User does not exist, whereas the new API does not seem to return
>>> anything.
>>> Would it not be better in both cases to return "false" explicitly? Or
>>> are
>>> there backwards compatilbity concerns about changing this?
>>>
>>> Colm.
>>>
>>>
>>> On Wed, Feb 20, 2013 at 4:00 PM, Jan
>>> Bernhardt<[hidden email]>wrote:
>>>
>>>> Hi Colm,
>>>>
>>>> The description is wrong, this method returns a boolean.
>>>>
>>>> Best regards.
>>>> Jan
>>>>
>>>>> -----Original Message-----
>>>>> From: Colm O hEigeartaigh [mailto:[hidden email]]
>>>>> Sent: Mittwoch, 20. Februar 2013 16:48
>>>>> To: [hidden email]
>>>>> Subject: API query
>>>>>
>>>>> Hi all,
>>>>>
>>>>> From the wiki:
>>>>>
>>>>> https://cwiki.apache.org/confluence/display/SYNCOPE/REST+API+upgrade#
>>>>> RESTAPIupgrade-UserService
>>>>>
>>>>> GET /user/verifyPassword/{username}?password={password} GET
>>>>> /users?username={username}&pwd={password} Returns user if username
>>>>> and password match with an existing account.
>>>>> This method actually returns a boolean not the user, and so the
>>>> description is
>>>>> invalid.
>>>>>
>>>>> Could someone clarify whether the new API is intended to return a
>>>> boolean
>>>>> or the User?
>>>>>
>>>>> Colm.
>>>>>
>>>>>
>>>>> --
>>>>> Colm O hEigeartaigh
>>>>>
>>>>> Talend Community Coder
>>>>> http://coders.talend.com
>>>>
>>>
>>>
>>>
>>> --
>>> Colm O hEigeartaigh
>>>
>>> Talend Community Coder
>>> http://coders.talend.com
>>>
>>
>>
>>
>
>