JSON API almost always means “not REST”. In other words, it works as intended.
I can’t muster any sarcasm out of sheer disappointment. You win this time…
I’d probably add that for something like nextcloud granted scopes can be an „orthogonal”–for the lack of a better word–subset of requested scopes.
The set of requestable scopes has to be defined by the system itself, not its specific configuration. E.g. „files:manage”, „talk:manage”, „mail:read” are all general capabilities the system offers.
However, as a user I can have a local configuration that adds granularity to the grants I issue. E.g.: „files:manage in specific folders” or „mail:read for specific domains or groups only” are user trust statements that fit into the capability matrix but add an additional and preferably invisible layer of access control.
It’s a fairly rare feature in the wild and is a potential UX pitfall, but it can be useful as an advanced option on the grant page, or as a separate access control for issued grants.
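The grant model described in the comment above, as an added example (not Nextcloud's code, and not from the original thread): the system defines the requestable capability scopes, the issued grant is the intersection of what the client requested, what the user approved and what the system offers, and the user's own constraints ("files:manage, but only under /Projects") are applied server-side as an extra layer that never appears in the token's scope claim. All scope strings, client ids, paths and addresses are constructed.

```python
"""Capability scopes narrowed by user-local constraints.
Added illustration only; the scope names and client ids are made up."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

# Capabilities the system itself offers (constructed sample set, not a real catalogue)
SYSTEM_SCOPES = {"files:manage", "files:read", "talk:manage", "mail:read"}


@dataclass
class Grant:
    client_id: str
    scopes: Set[str]                                   # capability scopes the user approved
    # user-local rules keyed by scope; a scope with no rule covers the whole capability
    constraints: Dict[str, Callable[[str], bool]] = field(default_factory=dict)


def issue_grant(client_id: str, requested: Set[str], approved: Set[str],
                constraints: Optional[Dict[str, Callable[[str], bool]]] = None) -> Grant:
    """Granted = requested ∩ approved ∩ system-defined. Unknown scopes are rejected
    outright rather than silently dropped, so a typo in a client cannot hide."""
    unknown = requested - SYSTEM_SCOPES
    if unknown:
        raise ValueError(f"unknown scopes requested: {sorted(unknown)}")
    granted = requested & approved & SYSTEM_SCOPES
    # keep only constraints that apply to something actually granted
    rules = {s: r for s, r in (constraints or {}).items() if s in granted}
    return Grant(client_id, granted, rules)


def scope_claim(grant: Grant) -> str:
    """What the client gets to see: capability names only. The user's
    constraints stay with the authorization server (the 'invisible layer')."""
    return " ".join(sorted(grant.scopes))


def authorize(grant: Grant, scope: str, resource: str) -> bool:
    """Server-side decision: capability must be granted, then the user's
    constraint for that capability (if any) must accept the resource."""
    if scope not in grant.scopes:
        return False
    rule = grant.constraints.get(scope)
    return True if rule is None else bool(rule(resource))


# Constructed usage: a client asks for two capabilities, the user approved three,
# and added per-capability constraints.
DEMO_GRANT = issue_grant(
    client_id="calendar-app",
    requested={"files:manage", "mail:read"},
    approved={"files:manage", "mail:read", "talk:manage"},
    constraints={
        "files:manage": lambda path: path.startswith("/Projects/"),
        "mail:read": lambda addr: addr.endswith("@example.org"),
    },
)

if __name__ == "__main__":
    print("token scope claim:", scope_claim(DEMO_GRANT))
    print(authorize(DEMO_GRANT, "files:manage", "/Projects/plan.md"))
    print(authorize(DEMO_GRANT, "files:manage", "/Private/diary.md"))
```

The token only ever carries `files:manage mail:read`; the folder and domain restrictions are enforced at the resource server and are not part of the scope vocabulary, which is the "orthogonal subset" the comment is describing.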
https://oauth.net/articles/authentication/
That aside, why is nextcloud asking for scopes from remote API in the diagram? What is drawn on the diagram has little to do with OAuth scopes, but rather looks like an attempt to wrap ACL repository access into a new vocabulary.
Scopes issued by the OAuth authorization server can be hidden entirely. The issuer doesn’t hold any obligation to share them with authorized party since they are dedicated for internal use and can be propagated via invisible or opaque means.
I really can’t figure out what’s going on with that diagram.
As a Ruby fan having a blast with Elixir, where the hell is anything BEAM related?
The compass is truly political.
You pronounce it yiff, obviously.
Some of the best advice on cryptography comes from a site full of furry illustrations. A good chunk of the infosec community intersects with the furry community.
But hey, you do you.
My viewing history can legally drink in US in a year. What do you mean „guess”?
Live action at that
And then there’s hyperempathy. Alice tells about getting a paper cut a year ago, and for a few seconds Bob feels like his guts are being pulled out.
Actually Genuine Ignorance
Why did you mention git twice?
If the average user
Proceeds to describe a task average users never perform.
And no, you having been a smart child doesn’t excuse you being an obtuse adult.
It’s all about being comfortable with not knowing when you need to act. Believing that you can learn everything upfront is pure hubris, and once you hurt yourself enough times, you just drop the pretense.
In other words, life is Bayesian, not frequentist.
It’s not about business optimization, it’s about not having to defer to someone’s knowledge from the position of power.
AI bubble makes so much sense when you start looking at it this way.
However you like, REST doesn’t dictate anything there. Just be consistent and use hypermedia.
JSON APIs almost never follow REST because they almost never use JSON as hypertext. Worse, no complete stable hypertext JSON standard exists. There’s JSON-HAL, but it lacks a way to represent resource templates (think HTML’s <form>). Therefore, with JSON APIs ignoring one of the most basic ideas behind REST, why would anyone expect them to follow another idea of REST - consistency?
REST is a deceptively simple concept. Any time you build an HTML website a human can navigate without consulting documentation, you’re doing it better than the vast majority of swagger-documented corporate APIs.
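What "navigating without documentation" looks like for a JSON-HAL API, as an added example that is not part of the original comments: the client knows only the entry point and link relation names, never a URL layout. The in-memory "server", its URLs, rels and documents are all constructed for illustration, and the template expansion is a deliberately simplified subset of RFC 6570 (only `{var}`).

```python
"""Minimal hypermedia client over constructed JSON-HAL documents.
Added illustration only; no real service is modelled."""
import re

# Constructed in-memory "server": URL -> HAL document. A real client would GET each one.
SERVER = {
    "/api": {
        "_links": {
            "self": {"href": "/api"},
            "users": {"href": "/api/users"},
            # HAL does allow URI templates, flagged with "templated": true
            "user": {"href": "/api/users/{name}", "templated": True},
        }
    },
    "/api/users/alice": {
        "name": "alice",
        "_links": {
            "self": {"href": "/api/users/alice"},
            "files": {"href": "/api/users/alice/files"},
        },
    },
    "/api/users/alice/files": {
        "_links": {"self": {"href": "/api/users/alice/files"}},
        "_embedded": {
            "file": [{"name": "notes.txt", "_links": {"self": {"href": "/api/files/1"}}}]
        },
    },
}


def expand(template, params):
    """Simplified URI template expansion: substitutes {var} only (not full RFC 6570)."""
    def sub(match):
        key = match.group(1)
        if key not in params:
            raise KeyError(f"missing template variable {key!r}")
        return str(params[key])
    return re.sub(r"\{(\w+)\}", sub, template)


def get(url):
    """Stand-in for an HTTP GET against the constructed server."""
    try:
        return SERVER[url]
    except KeyError:
        raise LookupError(f"404 {url}") from None


def follow(doc, rel, **params):
    """Resolve a link by its rel, the only thing the client is meant to know."""
    link = doc["_links"][rel]
    href = expand(link["href"], params) if link.get("templated") else link["href"]
    return get(href)


def navigate(path):
    """path: list of (rel, params) pairs followed from the API root."""
    doc = get("/api")
    for rel, params in path:
        doc = follow(doc, rel, **params)
    return doc


def embedded_names(doc, rel):
    """Names of embedded resources of a given rel (HAL's _embedded section)."""
    return [item["name"] for item in doc.get("_embedded", {}).get(rel, [])]


if __name__ == "__main__":
    files = navigate([("user", {"name": "alice"}), ("files", {})])
    print(embedded_names(files, "file"))
```

Note what the client can and cannot learn here: `templated` links let it build a GET URL from variables, but nothing in `_links` tells it which fields a POST body should carry or which method to use, which is exactly the `<form>`-shaped gap the comment above points out.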