Why doesn't AuthorizationCodeGrantBuilder provide a way to set accessTokenResponseClient? - spring-security

I can see that each authorization grant type follows a process, that is, there will be an implementation of OAuth2AccessTokenResponseClient to complete the access token acquisition operation. In fact, the authorization code flow also provides DefaultAuthorizationCodeTokenResponseClient, but why not let users set it in AuthorizationCodeGrantBuilder?
In this way, some logic processing can be added uniformly when defining OAuth2AuthorizedClientManager, instead of being scattered in multiple places.
Now the setting is done here: org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer.TokenEndpointConfig#accessTokenResponseClient.
I would like to know what the purpose of this is. If you have relevant documents or explanations, please provide them. Thank you!
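As an added example (not code from the question and not Spring Security's own), this shows the one hook the question names, OAuth2LoginConfigurer.TokenEndpointConfig#accessTokenResponseClient, used to install a decorator around DefaultAuthorizationCodeTokenResponseClient so that one post-processing step runs on every authorization-code token exchange. It assumes Spring Security 5.4 or later with the lambda DSL; the scope check it performs is an illustrative policy, not one the page describes.

```java
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
import org.springframework.security.web.SecurityFilterChain;

// Added example, not code from the question or from Spring Security: a decorator around
// DefaultAuthorizationCodeTokenResponseClient so that one policy runs on every
// authorization-code token exchange instead of being repeated per client.
final class CheckedAuthorizationCodeTokenResponseClient
        implements OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> {

    private final OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> delegate =
            new DefaultAuthorizationCodeTokenResponseClient();

    @Override
    public OAuth2AccessTokenResponse getTokenResponse(OAuth2AuthorizationCodeGrantRequest request) {
        OAuth2AccessTokenResponse response = delegate.getTokenResponse(request);
        // Illustrative uniform policy (assumed, not from the page): the token endpoint may
        // narrow the scopes of the client registration, but must never grant scopes outside it.
        Set<String> registered = request.getClientRegistration().getScopes();
        Set<String> granted = response.getAccessToken().getScopes();
        if (granted != null && !registered.containsAll(granted)) {
            OAuth2Error error = new OAuth2Error("invalid_scope",
                    "token endpoint granted scopes outside the client registration: " + granted, null);
            throw new OAuth2AuthenticationException(error);
        }
        return response;
    }
}

@Configuration
class OAuth2ClientConfig {
    // This is the hook the question points at: OAuth2LoginConfigurer.TokenEndpointConfig.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.oauth2Login(oauth2 -> oauth2
                .tokenEndpoint(token -> token
                        .accessTokenResponseClient(new CheckedAuthorizationCodeTokenResponseClient())));
        return http.build();
    }
}
```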

Related

Get raw data from the previous step in Zapier

In my Zapier CLI app, I need to receive raw data from the previous step. Is there a way to achieve that?
David here, from the Zapier Platform team.
This isn't something that's possible. For security reasons, your app can only access data that a user has explicitly provided (via bundle.inputData). If it's important to the function of your app, you can have a dict type that accepts arbitrary input, but it'll be hard to justify that as a need for your app.
If you'd like to discuss further, I'd reach out to partners#zapier.com and we can talk to you about it!

Ruby on rails 4 - What would be the best way to allow one user to see the data of another user

I want to allow one user on my app to choose who can see his own data. I don't know if I'm really clear, so here is an example:
User A creates data on a table and he can only see his own data and/or decide to share it with another user.
User B can only see the data from another user that allowed him to do so.
I was thinking of some random token generated when the user is created and then the user can decide to share this token with someone else and then display the data based on this token?
It really depends on your "business rules" here. For instance, in an application I developed read rights were based on "privacy levels". Privacy level 0 meant that only you can view the data whereas privacy level 1 denoted that anybody could view the data. All of my queries were tailored to that datapoint, and a model relation to the user denoted the "owner."
So in your scheme, you propose a system where each record has its own permission token, much like the system used in Google Docs. This is a totally valid way of sharing records in a system. You could also get much more complex by allowing users to add users to the record, which might be another optimal solution for your use case.
Anyway, those are just a few thoughts on the subject. Let me know if that helps.

REST API Which route should I use?

I have a dilemma in my current project about my URL. I would like opinions about how I should choose my route to access a resource.
For example, if a user can follow another one, should I use /users/{user_1_id}/follow/{user_2_id} or /users/follow/{other_user} or /users/follow with the id in parameters?
I personally think /users/follow/{other_user} seems to be the best, but I don't know if it's the right choice.
Can I have your opinions?
As for REST services, you may consider having your services "stateless"... Therefore I would suggest adding all parameters needed for the service to process the request:
/users/{user_1_id}/follow/{user_2_id}
It gives you a.) better readability and better understanding of the service based on its API (the URL) and b.) you will be thankful if you have to replace that service in the future (no headaches about where all the needed information is, no caching involved, fewer side effects)... Other team colleagues don't need to know more details about the service ("is the user cached in the background", "or is there a hidden user-id in the cookie", etc.)

What are the permissions required in desire2learn (D2L) Valence PUT call for .../courses?

I continue to get a "HTTP/1.1 403 Forbidden" response from a PUT request to /d2l/api/lp/1.2/courses/7917. This may be a permission problem with the user/role that I'm using, but I can't figure out what specific permissions may be required. Can anyone point me to a list or matrix of Valence routes and required permissions? Or answer for this specific one?
The same appid/userid/username works for the GETs associated with the same path.
confused...
cwt
The permissions associated with API calls should mirror the permissions you'd have to have if you were to perform the relevant function through the Learning Environment's web UI. You can think about this problem in two ways:
Frame the question in terms of a user role: identify the class of users you'd reserve this ability for in your existing configuration, and ensure that a user of that role can make the call through the API as you'd expect.
Frame the question in terms of an abstract single user: start with a role that has no privileges and add permissions until you arrive at only the ones required for the API call. This is not a trivial exercise, and the first way is far more useful in the long run.
In this particular case, because the API requires you to provide a complete set of course offering properties when you want to update it, you have to have permission to alter all the properties in the set (under the Manage Courses tool). You also need to be able to see the course info in the first place, so you need to have Course Management Console > See Course Info as well.
You're probably safest to look at the permissions array in the Manage Courses and Course Management Console tools for the user roles that would do this thing in the web UI and make sure that the users employing your app also have a similar permissions array specified in those tools.

Associating source and search keywords with account creation

As a part of the signup process for my online application, I'm thinking of tracking the source and/or search keywords used to get to my site. This would allow me to see what advertising is working and from where with a somewhat finer grain than Google Analytics would.
I assume I could set some kind of cookie with this information when people get to my site, but I'm not sure how I would go about getting it. Is it even possible?
I'm using Rails, but a language-independent solution (or even just pointers to where to find this information) would be appreciated!
Your best bet IMO would be to use JavaScript to look for a cookie named "origReferrer" or something like that, and if that cookie doesn't exist you should create one (with an expiry of ~24 hours) and fill it with the current referrer.
That way you'll have preserved the original referrer all the way from your users' first visit, and when your users have completed whatever steps you want them to have completed (i.e., account creation) you can read back that cookie on the server and do whatever parsing/analyzing you want.
Andy Brice explains the technique in his blog post Cookie tracking for profit and pleasure.