[aerogear-dev] Push server...master secrets, secrets and some refactoring proposal
Sebastien Blanc
scm.blanc at gmail.com
Thu Apr 17 02:50:22 EDT 2014
On Wed, Apr 16, 2014 at 9:29 PM, Bruno Oliveira <bruno at abstractj.org> wrote:
> We can discuss on the next week, but even if you define at the
> application level "read only" users. People still can read from the
> database.
>
> I'm trying to understand why they need to have the master secret
> displayed into the web page. At first glance, it sounds like the same
> effect of displaying their passwords at admin.
>
I compare these secrets with the API keys that Google provides for its
services. When you go on their Cloud Console , you can check your API key
along with the project number.
For sure, it's for convenience but imagine someone (or a team)) having 100
apps, we delegate to them the managing of these keys. But again let's
discuss that next week.
> Matthias Wessendorf wrote:
> > I think we would need to continue having IDs/secrets visible on the UI
> >
> > IMO It's very hard to use Push server, w/o that information; again I
> didnt
> > read the entire thread yet
> >
> > Perhsps, we could hide the key (***************) for read-only users;
> but I
> > think the overall concern is having them in the DB. My guess is that we
> > need to have them being stored on the DB
>
> --
> abstractj
>
>
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/aerogear-dev/attachments/20140417/39a93380/attachment-0001.html
More information about the aerogear-dev
mailing list