<div dir="ltr">+1!<div><br></div><div>I'd love to move to something other than basic auth but know this may not be possible right now.</div><div><br></div><div>Feels like something like this falls under the realms of tokens as uuids rather than oauth etc - generate a uuid, store than in ari.conf, different permissions on that token, such as number of requests allowed etc etc</div>
<div><br></div><div>But yes, agree with everything that Paul says here, the swagger UI is purely HTML/CSS and JS isn't it? If so, you could just host it on an s3 bucket or something similar, no hosting/webservers required as such. But then you get into cost etc.</div>
<div><br></div><div>Dan</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Oct 17, 2013 at 6:22 AM, Paul Belanger <span dir="ltr"><<a href="mailto:paul.belanger@polybeacon.com" target="_blank">paul.belanger@polybeacon.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Okay, okay, hear me out before you judge, I hope to make a validate argument,<br>
<br>
So, for those at home who already seen my topic on #asterisk-dev[1],<br>
my comments are the same. I believe having api_key is a redundant<br>
method to authenticate with ARI.<br>
<br>
Now, the reason for having it was because this was the default way<br>
swagger passed credentials via HTTP. I'm not sure why they didn't<br>
simply add <a href="http://username:password@example.org" target="_blank">http://username:password@example.org</a> support, but that is a<br>
different issue (in fact I plan to open a bug upstream).<br>
<br>
So, since api_key is basically bypassing the Basic Authorization<br>
header, I think it has to go. Simply because, swagger[2] actually<br>
does support basic auth. Now, here is where my logic takes a turn (for<br>
the good).<br>
<br>
Currently, 99.9998% of all documentation about using ARI and swagger<br>
link to the following site[3], something that we don't have control<br>
over. So, I am proposing 2 things:<br>
<br>
A) remove api_key from asterisk (see above for reason).<br>
B) Create <a href="https://swagger.asterisk.org" target="_blank">https://swagger.asterisk.org</a> with basic-auth header support enabled.<br>
<br>
In fact, I strongly think we should be hosting our own content, simply<br>
because we can control it and it is the friendly thing to do. Pushing<br>
all our users to [3] doesn't appear to be too friendly, plus just<br>
imagine all the asterisk themeing that could be done to it.<br>
<br>
Don't get me wrong, I would be infavor of implementing some sort of<br>
OAuth key over the ARI, but I don' think that is in the cards at this<br>
point in time. And again, I think api_key is just implemented to work<br>
around the fact that [3] does pass basic-auth.<br>
<br>
If work load is an issue for Digium to create <a href="http://swagger.asterisk.org" target="_blank">swagger.asterisk.org</a>, I<br>
am willing to step up and do the work. I don't think it would be too<br>
hard to get rackspace or some other cloud provider to provider a VM<br>
for an open source project. I'll be more then happy to provision,<br>
configure and pass the credentials to somebody else to maintain, and<br>
if not, I'd maintain it too.<br>
<br>
Please consider this, having 2 different way to authenticate because a<br>
client doesn't implement the other is redundant and not cool.<br>
<br>
[1] <a href="http://ibot.rikers.org/%23asterisk-dev/20130812.html.gz" target="_blank">http://ibot.rikers.org/%23asterisk-dev/20130812.html.gz</a><br>
[2] <a href="https://github.com/wordnik/swagger-ui#custom-header-parameters---for-basic-auth-etc" target="_blank">https://github.com/wordnik/swagger-ui#custom-header-parameters---for-basic-auth-etc</a><br>
[3] <a href="http://petstore.swagger.wordnik.com/" target="_blank">http://petstore.swagger.wordnik.com/</a><br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Paul Belanger | PolyBeacon, Inc.<br>
Jabber: <a href="mailto:paul.belanger@polybeacon.com">paul.belanger@polybeacon.com</a> | IRC: pabelanger (Freenode)<br>
Github: <a href="https://github.com/pabelanger" target="_blank">https://github.com/pabelanger</a> | Twitter: <a href="https://twitter.com/pabelanger" target="_blank">https://twitter.com/pabelanger</a><br>
<br>
_______________________________________________<br>
asterisk-app-dev mailing list<br>
<a href="mailto:asterisk-app-dev@lists.digium.com">asterisk-app-dev@lists.digium.com</a><br>
<a href="http://lists.digium.com/cgi-bin/mailman/listinfo/asterisk-app-dev" target="_blank">http://lists.digium.com/cgi-bin/mailman/listinfo/asterisk-app-dev</a><br>
</font></span></blockquote></div><br></div>