Post by Caffrey on Jul 26, 2023 1:20:27 GMT
Hi,
I have a question about QueryParameter authentication. Assume a service supports QueryParameter in a URI that doesn't require auth, like ServiceRoot. For different operations, shall we define different auth requirements to prevent security problems?
For example, say ServiceRoot supports "expand" and "select". When a user does "expand", auth shall be required, but not when a user does "select".
Please help to confirm, thanks.
BR, Caffrey
Post by mraineri on Jul 26, 2023 15:20:55 GMT
I agree $select is acceptable to allow without authentication.
For $expand, I can also see simply ignoring the $expand as valid (based on the language today), but we'll need to discuss this further. I think rejecting might be a good approach since it gives the client a clear indicator that the request can't be fulfilled.
Post by Caffrey on Jul 27, 2023 0:33:51 GMT
Got it. Thanks for the suggestion.
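The policy discussed in this thread, sketched as an access-decision check. This is an added example, not code from the posters or from any Redfish implementation. It assumes the "reject" option for unauthenticated `$expand`, a 401 status for that rejection, `/redfish/v1` as the ServiceRoot path, and a deny-by-default rule for any query parameter other than `$select`; the function and constant names are hypothetical.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumption: resources readable without a session (the thread names ServiceRoot).
NO_AUTH_PATHS = {"/redfish/v1"}
# Assumption: only $select is allowed without authentication, as in the thread.
# Everything else, including $expand and unknown or oddly-cased names, is
# denied by default for anonymous callers.
NO_AUTH_QUERY_PARAMS = {"$select"}


def decide(method, uri, authenticated):
    """Return (http_status, reason) for the access decision only."""
    if authenticated:
        return 200, "authenticated"

    parts = urlsplit(uri)
    path = parts.path.rstrip("/") or "/"
    if method != "GET" or path not in NO_AUTH_PATHS:
        return 401, "resource requires authentication"

    # parse_qsl percent-decodes names, so "%24expand" is seen as "$expand".
    # keep_blank_values=True keeps a bare "$expand" with no "=value".
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in NO_AUTH_QUERY_PARAMS:
            return 401, f"query parameter {name} requires authentication"

    return 200, "anonymous access allowed"


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ("/redfish/v1/", False),
        ("/redfish/v1/?$select=Name", False),
        ("/redfish/v1/?$expand=.", False),
        ("/redfish/v1/?%24expand=*", False),
        ("/redfish/v1?$select=Name&$expand", False),
        ("/redfish/v1/?$expand=.", True),
    ]
    for uri, authed in samples:
        print(uri, authed, decide("GET", uri, authed))
```

Checking the decoded parameter names against an allowlist, rather than matching the string `$expand`, means an encoded or unexpected parameter cannot reach the expand logic on an anonymous request.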