On Wed, Apr 16, 2014 at 9:29 PM, Bruno Oliveira <bruno@abstractj.org> wrote:
We can discuss next week, but even if you define at the
application level "read only" users, people can still read from the
database.

I'm trying to understand why they need to have the master secret
displayed on the web page. At first glance, it sounds like the same
effect as displaying their passwords at admin.

I compare these secrets with the API keys that Google provides for its services. When you go on their Cloud Console, you can check your API key along with the project number.

For sure, it's for convenience, but imagine someone (or a team) having 100 apps; we delegate to them the managing of these keys. But again, let's discuss that next week.
 


Matthias Wessendorf wrote:
> I think we would need to continue having IDs/secrets visible on the UI
>
> IMO it's very hard to use Push server, w/o that information; again I didn't
> read the entire thread yet
>
> Perhaps, we could hide the key (***************) for read-only users; but I
> think the overall concern is having them in the DB. My guess is that we
> need to have them being stored on the DB

--
abstractj



_______________________________________________
aerogear-dev mailing list
aerogear-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev