How does one set up a shared feed amongst all users? - getstream-io

I want to set up a shared team feed that allows multiple users to post to. An example is using the to field as described in the docs, where some_team is a feed:
'to': ['some_team']
I would like to provide each user with a single Stream generated token that enables them to create their own posts, comment on others' posts, and like others' posts on this feed. I would also like them to be able to view all posts on this feed. This is basically how I'd imagine a shared feed works on Facebook, etc.
However, based on the REST API documentation, this doesn't seem possible with the constructs for generating tokens:
The resource field of the JWT payload allows you to define which API endpoints can be accessed, you can pick *one* of the following [resources]:
For example, I can create a user called username, and provide it read access to all resources (feed, activities, etc...) on some_teamusername, but this would prevent write access to new activities for that user.
token = client.create_user_token("username", **{
    "resource": "*",   # must be one
    "action": "read",  # singular relationship to resource
    "feed_id": "some_teamusername",
})
There should be a simple way to permit read access of others' posts on a shared feed but allow write access to your own content (posts, comments, likes).

I can make that feed group globally writable if that's what you're trying to do?

Related

Keycloak Authorization - best practice roles vs groups

I have a web-application secured with Keycloak. To keep the description of the service short, we have Users and Documents as entities in the service. The users may have access to none or more documents and may edit or read the document.
Currently we have roles such as Admin, EndUser, Developer etc. We then keep a database table outside of Keycloak that maps the documents to users and what user has what access level to what document. All our end-users have the EndUser role in Keycloak. Every single time an EndUser tries to read/edit a Document, we have to make a lookup in the database table for authorization.
We would like to migrate that table to Keycloak. As I understand it I basically have two options:
Create a lot of roles, two for each document with names such as doc_read_[DOCUMENT-ID] and doc_edit_[DOCUMENT-ID] and so on. Then assign the correct role to the correct user. The downside here is that the number of roles will grow A LOT. Also, the number of roles attached to a user will be very large.
Create a group for each document, with the name of the document id. Have different sub-groups for read/write and then add the users to the correct groups. The downside is that the number of groups will be very large. Also, authorization will rely on group names, so the list of group names has to be mapped to the token.
I do not want to add a user-attribute with the document-ids to each user. With this approach I can not get an overview of a document and see what users have access to a given Document.
What is the best practice here? Are there any other solutions to solve this issue? This must be a very common setup.
This is just my opinion.
From what I understand, both solutions are suboptimal; adding a role per document is unnatural and too fine-grained. And as you already mention, this would lead to too many roles, which you will probably have to add to the token.
I would personally use Keycloak just for the authentication part and do the authorization part in the backend. I would also try to group the documents in a way that reflect which user roles are allowed to manipulate them.
Alternatively you might try to use Keycloak's Authorization features to handle that use-case, however I have never used it, so there is not much that I can say about this option.
In my opinion, what you want to achieve is something that is very tied to your business logic; I wouldn't recommend depending on Keycloak to do it. Your token would constantly grow and management would be a nightmare really.
I see no problem in having a service with good cache to lookup permissions, the bulk of the data won't change much over time.

DocuSign custom connector pricing plans and API base path doubts

I have some doubts regarding the custom connector we are trying to build for DocuSign:
1. Regarding the license plan that needs to be bought by the customers who will be granting access for our connector to collect data from their DocuSign organization account. I am looking at the link https://www.docusign.com/products-and-pricing. API access support is mentioned only in the advanced solution. So I was wondering whether only we need to have the "Advanced solutions plan with APIs support" plan, or all our customers need API access support in order to fetch their data.
2. As per the documentation, to make the REST API calls we need two fields, 'base_uri' and 'account_id' (https://developers.docusign.com/esign-rest-api/guides/authentication/user-info-endpoints). Now, the response of the userInfo API call gives an array of accounts and their respective fields. My doubt is: if multiple authenticated users (more than one account) are returned in this array but all are part of the same organization, will they all have different account_ids? The main concern here is: will there be several Base Paths (https://developers.docusign.com/esign-rest-api/guides/authentication/user-info-endpoints#form-your-base-path) to make API calls?
2a. A further question is: what is the significance of the 'is_default' field?
Is this related to main account (if is_default is true) using which we will create our Base Path?
Since this is a tech/engineering forum I'm going to answer only question #2 as question #1 is more of a business/sales question.
The reason you may get multiple accounts is that an authenticated user in DocuSign can be a member of multiple accounts. That said, it's the same user. Meaning, say foobar#blah.com has an account 123 with company X and account 456 with his school, then it's possible that when foobar#blah.com authenticates (with the same password!) to DocuSign we have a list of accounts associated with that user. We give you all of them when you make the API call. The default one is the main one that you would see when you log into our web app. You can decide yourself as the user which one is the default. Users who log into our web-app then see an option at the top-right to change accounts.
And yes, every API call is associated with a specific account. So when you construct the URLs for your API - you do need to know which account for this user you are making the API call for. Your application can decide how to handle this.
Hope this helps.
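The account selection and base path construction described in this answer, as an added example that is not part of the original post or DocuSign's own code. The sample response is constructed, and the API version, the trusted host suffix and the function names are assumptions; the base_uri check keeps the user's bearer token from being sent to a host you did not expect.

```python
from urllib.parse import urlparse

# Constructed sample shaped like a userinfo response; every value is made up.
SAMPLE_USERINFO = {
    "sub": "00000000-0000-0000-0000-000000000001",
    "email": "user@example.com",
    "accounts": [
        {"account_id": "123", "account_name": "Company X",
         "is_default": False, "base_uri": "https://na2.docusign.net"},
        {"account_id": "456", "account_name": "School",
         "is_default": True, "base_uri": "https://eu.docusign.net"},
    ],
}

API_VERSION = "v2.1"              # assumption: eSignature REST API version in use
TRUSTED_SUFFIX = ".docusign.net"  # assumption: hosts accepted in base_uri


def select_account(userinfo, wanted_account_id=None):
    """Return the account to call: an explicit id if given, else the default."""
    accounts = userinfo.get("accounts") or []
    if wanted_account_id is not None:
        matches = [a for a in accounts if a["account_id"] == wanted_account_id]
        if not matches:
            raise LookupError(f"user is not a member of account {wanted_account_id}")
        return matches[0]
    defaults = [a for a in accounts if a.get("is_default")]
    if len(defaults) != 1:
        raise LookupError("expected exactly one default account")
    return defaults[0]


def base_path(account):
    """Build the per-account base path, refusing unexpected base_uri values."""
    parsed = urlparse(account["base_uri"])
    host = parsed.hostname or ""
    if parsed.scheme != "https" or not host.endswith(TRUSTED_SUFFIX):
        raise ValueError(f"refusing base_uri {account['base_uri']!r}")
    return f"https://{host}/restapi/{API_VERSION}/accounts/{account['account_id']}"


if __name__ == "__main__":
    print(base_path(select_account(SAMPLE_USERINFO)))         # default account
    print(base_path(select_account(SAMPLE_USERINFO, "123")))  # explicit account
```

Each account carries its own base_uri, so a connector that serves several accounts for one user keeps one base path per account rather than a single global one.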

How to handle multiple feed permission in GetStream

I need to specify multiple permissions for a single user, for example having full access to a specific feed but also having read access to another one, but GetStream only allows one specific permission per token.
Permissions are not configurable yet via APIs or Dashboard, but if you reach out to the Stream support email we can set that up for you.

get stream list of all users in nodeJS

I'm using the JavaScript getstream integration library: https://github.com/GetStream/stream-js.
I've configured a user feed on my getstream dashboard. Suppose I add a few users as user:test1 user:test2 user:test3. Is there any way that I can get a list of all users that are registered on the user feed group?
Similarly, I want this to work for news updates posted by a user, where he can see a list of users and can follow them.
It is currently not possible to list all the feeds created on a certain feed group via API. You are responsible to store the users of your application within your own backend.

Accessing user information from instagram without user logging

I am working on an iPhone app which uses the Instagram API, and I would like to know the following things. Is it possible to get data from Instagram without user logging? If so, what type of data would be retrieved from it? Is it possible to access data of a specified user? Or is it only possible using social networking sites like Facebook, Tumblr etc.?
Thanks
Yes, with a valid client id, you can fetch user information for a specific user id. Information available includes name, bio, website, and profile picture. You can also return multiple users' data using the search endpoint.
Take a look at the User Endpoints documented here: http://instagr.am/developer/endpoints/users/
I also suggest reading the "Do you need to authenticate?" section here: http://instagr.am/developer/authentication/
NOTE: by providing a client id instead of a valid user token, you are counting against your own application's 5000 calls per-hour limit. If you plan on having a large user page, you would need to authenticate each user to avoid this limit.
