Hey, I would like to suggest that if Py4Web is supposed to be an API-first framework, it adheres to modern auth standards right out of the gate.
Apart from having the ability to provide JWT access tokens and more OAuth2 plugins than just Facebook and Google (all things I started to work on), I think we need to think in terms of scopes when it comes to access management instead of "tags" for access authorization. It is pretty much the same thing, but using the term scopes and adhering to the OAuth2 terms and philosophy will make it easier for programmers to understand how to secure APIs created with py4web faster.

We also need the ability to properly parse JWT tokens so that scopes included in the token can be matched to what is now called py4web "tags" for data authorization. Also, we should be easily able to validate JWT tokens offline. Plus py4web, if it wants to play the API game, needs to be able to extract claims from a JWT token in order to contextualize an API call easily.

I think I have my work cut out for me, but just putting it out there, in the hope I can garner some support and understanding for this idea/approach and maybe someone wants to also help out with this who understands API design and OIDC/OAuth2.

Maybe we can use some library that is there, i.e.: https://requests-oauthlib.readthedocs.io/en/latest/index.html and, if we want to mint our own JWT tokens for prototyping: https://github.com/Refinitiv/bottle-oauthlib

I'll look into that, unless you have a better idea.