Wednesday, 1 November 2023

OAuth in B2B

When exposing APIs for integration with third-party applications, if authorization is handled with the OAuth 2.0 authorization framework, the proper grant to use is Client Credentials (RFC 6749, section 4.4).


One should ensure that the partner application is a confidential client, that is, one deployed in a secure environment where access to its client credentials is restricted. This grant covers the partner application acting on its own behalf (machine-to-machine); if individual end users of the partner's product need to be authorized, a different grant is required.


Client authentication itself serves as the authorization grant, so no separate authorization request (and no user interaction) is needed. The client authenticates to the token endpoint and the access token that lets it consume the resources within the requested scope is issued immediately, with no further steps. A refresh token should not be issued for this grant; the client simply authenticates again when the access token expires.
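Both sides of the exchange described above, as an added example that is not part of the original post: the client builds the single token request with HTTP Basic client authentication, a mock authorization server authenticates the client and issues a bearer token without a refresh token, and a resource-server check enforces the token's scope. The client id, secret, scopes, token endpoint URL and in-memory token store are constructed for illustration.

```python
"""Client Credentials grant (RFC 6749 section 4.4), both sides of the exchange.

Added example, not code from the original post. The client id, secret,
scopes, token endpoint URL and the in-memory token store are constructed
for illustration only.
"""
import base64
import hmac
import secrets
import time
from urllib.parse import parse_qs, quote, unquote, urlencode

TOKEN_URL = "https://auth.example.com/oauth/token"  # assumed endpoint

# Constructed registry of confidential clients: secret plus the scopes each
# partner is allowed to request. A real server would store a hash of the secret.
REGISTERED_CLIENTS = {
    "partner-app": {
        "secret": "s3cr3t-keep-off-the-browser",
        "scopes": {"orders:read", "orders:write"},
    },
}
ISSUED_TOKENS = {}  # access_token -> {"client_id", "scope", "exp"}


def build_token_request(token_url, client_id, client_secret, scope=()):
    """Client side: the one POST a partner application sends.

    Credentials travel in an HTTP Basic header (RFC 6749 section 2.3.1),
    form-urlencoded before base64 so a ':' in either value cannot break the
    split. The body carries grant_type=client_credentials and an optional scope.
    """
    user_pass = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    headers = {
        "Authorization": "Basic " + base64.b64encode(user_pass.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = " ".join(scope)  # space-delimited list, section 3.3
    return {"method": "POST", "url": token_url, "headers": headers, "body": urlencode(form)}


def handle_token_request(request, registry=REGISTERED_CLIENTS, ttl=3600):
    """Authorization server side: authenticate the client, then issue a token.

    Returns {"status", "body"} holding either a token response (section 5.1)
    or an error response with the section 5.2 error codes.
    """
    invalid_client = {"status": 401, "body": {"error": "invalid_client"}}
    scheme, _, blob = request["headers"].get("Authorization", "").partition(" ")
    if scheme != "Basic" or not blob:
        return invalid_client
    try:
        cid, _, csecret = base64.b64decode(blob, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return invalid_client
    cid, csecret = unquote(cid), unquote(csecret)
    client = registry.get(cid)
    # Constant-time comparison, against a dummy when the id is unknown, so
    # timing does not reveal which client ids exist.
    expected = client["secret"] if client else "x" * 32
    if not hmac.compare_digest(expected.encode(), csecret.encode()) or client is None:
        return invalid_client

    form = {k: v[0] for k, v in parse_qs(request["body"]).items()}
    if form.get("grant_type") != "client_credentials":
        return {"status": 400, "body": {"error": "unsupported_grant_type"}}
    requested = set(form.get("scope", "").split()) or set(client["scopes"])
    if not requested <= client["scopes"]:
        return {"status": 400, "body": {"error": "invalid_scope"}}

    token = secrets.token_urlsafe(32)
    ISSUED_TOKENS[token] = {"client_id": cid, "scope": requested, "exp": time.time() + ttl}
    # Deliberately no refresh_token: section 4.4.3 says one SHOULD NOT be issued.
    return {"status": 200, "body": {
        "access_token": token, "token_type": "Bearer",
        "expires_in": ttl, "scope": " ".join(sorted(requested)),
    }}


def check_bearer(headers, required_scope):
    """Resource server side: accept the call only for a live token whose scope
    covers the requested operation."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    entry = ISSUED_TOKENS.get(token) if scheme == "Bearer" else None
    return bool(entry) and entry["exp"] > time.time() and required_scope in entry["scope"]


def demo():
    """Full round trip: token request -> token response -> protected calls."""
    req = build_token_request(TOKEN_URL, "partner-app", "s3cr3t-keep-off-the-browser", ["orders:read"])
    resp = handle_token_request(req)
    token = resp["body"]["access_token"]
    allowed = check_bearer({"Authorization": "Bearer " + token}, "orders:read")
    denied = check_bearer({"Authorization": "Bearer " + token}, "orders:write")
    return resp["status"], allowed, denied


if __name__ == "__main__":
    print(demo())  # (200, True, False)
```

The whole exchange must run over TLS in practice; the client secret and the bearer token are both sent in the clear inside the HTTP messages, which is why the grant is only appropriate for confidential clients.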


Diagram from: https://alexbilbie.github.io/guide-to-oauth-2-grants/

OAuth RFC (section 10.8, Request Confidentiality): https://datatracker.ietf.org/doc/html/rfc6749#section-10.8





Monday, 30 January 2023

Corporate alert notification SPAM

One thing that plagues modern companies is the misuse of alerting notifications. 

There are managers and run teams that receive hundreds of automated mails/SMS/mobile notifications every day. 

Is this meaningful in any way? Do you believe you can manage that number of alerts properly? 

My view is that if you get more than 1-3 alerts per day then this is not alerting; it is one of the following:

- A structural problem that needs to be fixed immediately  

- An incorrect notification set up that is meaningless for your business

For the mail channel, a good symptom that your alert notifications are meaningless is that you create (or feel that you could create) a separate inbox for them with an automated rule. 

Alert notifications should be used only for high-priority and critical issues; otherwise it is best to build a good dashboard that you can consult several times throughout the day. 


Friday, 27 January 2023

HTTP versioning

What options are there for versioning in HTTP?


  1. media type versioning -> header Accept: application/vnd.service.v2+json
  2. header versioning -> custom header apiVersion: 1
  3. URI versioning -> the version goes in the URI path, /v1/uri
  4. request parameter versioning -> the version goes in a query argument, server/uri?version=1
The first two keep the URI clean. They might not work if the client sits behind a proxy that strips or blocks some request headers.
The bottom two put the version in the URL, so the response is cacheable by intermediaries that key on the URL alone and a versioned request can be bookmarked. (Header-based versions can still be cached correctly if the server sends a Vary header naming the version header, but not every cache honours it.) 

The easy choice is to stick to the bottom two; the more academic approach is to use the top two, since one resource should have one and only one URI.
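A resolver that reads the version from all four places listed above, as an added example that is not part of the original post. The precedence order (path, query, Accept media type, custom header), the `apiVersion` header name, the `vnd.service` media type and the sample URLs are assumptions for illustration; conflicting explicit versions are rejected rather than silently picking one, and the `cache_key` function shows why header-based versions need a `Vary` header to be cached safely.

```python
"""Resolve the requested API version from the four places the post lists.

Added example, not code from the original post. Precedence order, the header
name apiVersion, the vnd.service media type and the URLs are assumptions.
"""
import re
from urllib.parse import parse_qs, urlsplit

# 1. media type versioning: Accept: application/vnd.service.v2+json
VND_RE = re.compile(r"^application/vnd\.service\.v(\d+)\+json$")
# 3. URI versioning: /v1/orders (the segment must be exactly "v<digits>")
PATH_RE = re.compile(r"^/v(\d+)(?:/|$)")
PRECEDENCE = ("path", "query", "accept", "header")  # assumed order


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def version_from_accept(accept):
    """Walk the comma-separated Accept list, ignoring q= parameters."""
    for item in (accept or "").split(","):
        media = item.split(";", 1)[0].strip()
        match = VND_RE.match(media)
        if match:
            return int(match.group(1))
    return None


def version_from_header(headers):
    """2. custom header versioning: apiVersion: 1"""
    value = _header(headers, "apiVersion")
    return int(value) if value is not None and value.strip().isdigit() else None


def version_from_path(path):
    match = PATH_RE.match(path)
    return int(match.group(1)) if match else None


def version_from_query(query):
    """4. request parameter versioning: ?version=1 (first value wins)."""
    values = parse_qs(query).get("version")
    return int(values[0]) if values and values[0].isdigit() else None


def resolve_version(url, headers, default=1):
    """Return (version, source). Raises ValueError when two places disagree,
    because serving an ambiguous request with a guessed version hides bugs."""
    parts = urlsplit(url)
    found = {
        "path": version_from_path(parts.path),
        "query": version_from_query(parts.query),
        "accept": version_from_accept(_header(headers, "Accept")),
        "header": version_from_header(headers),
    }
    present = {k: v for k, v in found.items() if v is not None}
    if not present:
        return default, "default"
    if len(set(present.values())) > 1:
        raise ValueError(f"conflicting API versions requested: {present}")
    source = next(k for k in PRECEDENCE if k in present)
    return present[source], source


def cache_key(url, headers, vary=("Accept", "apiVersion")):
    """What a shared cache must key on when the version travels in headers.
    Keying on the URL alone would hand a v1 body to a v2 client, so the origin
    sends Vary: Accept, apiVersion and the cache folds those values in."""
    return url + "|" + "|".join(_header(headers, h) or "" for h in vary)
```

With URI or query versioning the URL alone is already a correct cache key, which is the caching advantage the post refers to; with the header variants the cache is only correct if both the origin's `Vary` header and the intermediary cooperate.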

https://stackoverflow.com/questions/18905335/rest-versioning-url-vs-header