Authentication problem
Discussion
Dear all,
In the API, we have read and write calls to the same endpoint. For example:
/collections/{id}/members/
When sending a GET request, it means “Get the members in that
collection”. If sending a POST, it means “Add a new member to this
collection”.
When having only one endpoint for both kinds of operations, any
differentiation between read/write calls has to be done *on the
application level*. In other words, it has to be *implemented* in the
instance of the collection API. It is no longer possible to just put
write functionality behind Shibboleth, OpenID or whatever and leave the
read functionality without such an authorization.
And as far as I know, it is not possible to differentiate already at the
level of an AAI solution between GET on the one hand and POST, PUT,
DELETE calls on the other hand …?
Best,
Tom
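One way to implement the application-level read/write split described in the post, as an added example that is not part of the original thread: a method-aware authorization check for the single /collections/{id}/members/ endpoint, where safe methods are public and unsafe methods require a session established by the AAI layer. The Request class, the role names and the WRITE_ROLES policy are assumptions; the X-HTTP-Method-Override handling is included because some frameworks rewrite the verb before dispatch, so the check must look at the verb the handler will actually see.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

# Hypothetical policy for the single endpoint: which HTTP methods are
# reads (public) and which role each write method requires.
MEMBERS_PATH = re.compile(r"^/collections/[^/]+/members/?$")
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})
WRITE_ROLES = {"POST": "member", "PUT": "member", "PATCH": "member",
               "DELETE": "collection-admin"}


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    # Identity and roles as established by the AAI layer (Shibboleth,
    # OpenID, ...). user is None for an anonymous caller.
    user: Optional[str] = None
    roles: FrozenSet[str] = frozenset()


def effective_method(req: Request) -> str:
    """Resolve the verb the handler will actually dispatch on.

    Frameworks that honour X-HTTP-Method-Override turn a POST into the
    overridden verb before the handler runs; a check on the raw method
    alone would let a plain POST reach the DELETE handler.
    """
    method = req.method.upper()
    override = next((v for k, v in req.headers.items()
                     if k.lower() == "x-http-method-override"), "")
    if method == "POST" and override:
        return override.upper()
    return method


def is_authorized(req: Request) -> bool:
    """Anonymous reads are allowed; writes need a session and a role."""
    if not MEMBERS_PATH.match(req.path):
        return False                      # unknown path: fail closed
    method = effective_method(req)
    if method in SAFE_METHODS:
        return True
    if req.user is None:
        return False                      # no AAI session: reject writes
    required = WRITE_ROLES.get(method)    # unknown verbs (TRACE, ...) -> None
    return required is not None and required in req.roles
```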