Gavri'el - Posted - 2011.01.30 15:55:00
Originally by: Cryten Jones
How about making the system work the other way around?
You give out the access key for your character, corp or account. The application requests access via the API. The request to the API includes the application name and a one-time key; the API registers the new request and creates an entry in your API management page. You receive an EVE-mail saying you have waiting API requests. You log in to review the request. If you are happy, you choose the access options and time length and approve the access.
Nice challenge-response style access.
-CJ
My thoughts exactly. I would actually work in another option, which would be to "tweak" the actual API access response. What I mean is this. Suppose:
- a corp is requesting your API access to verify your application to that corp. You want to give access only for THAT character, and you don't want to give access to your wallet size or transactions, but you do want to show BPO ownership, as well as employment history and character ownership history;
- you want to see all your API's content for an account in a mobile phone app;
- you want to give API access to a specific app, but want to minimize overhead.
What could be done is install a set of (let's say) checkboxes, from the API management screen inside the EVE Gate, which gives a particular key a particular validity, in the same sense as what has already been done - Corp key, Char key, etc., but with more control. This gives the player much more control AND a better understanding of the info given out through his API key.
Also of great importance would be to integrate into the Gate an API validator tool, with which to test what is given out to each key holder.
So here's a run-through of what it would be like to access the API.
- You want to apply to a corp. The corp requires API access to BPO ownership and some generic info. You go to the EVE Gate and access the API management page; there you create a new API key, name it, and check "BPO Ownership" and "Generic Info", and "Allow access to director role only" (for example). The rest remains unchecked.
- You send the API key to the corp.
- The corp wants to review your info; the director requests access through (for example) EveMon.
- The request is passed from EveMon to the API, and you receive an EVE-mail saying you have an API access request pending.
- Go to the management page, and review WHO is asking for access. If verification is passed, click "Activate access".
- The requester of the access receives an EVE-mail saying access is granted. The director can then access the API from EveMon.
- If the director passes on the API key to anyone, authentication is required again, ensuring the safety of the info.
You can also validate "Oh yeah, this key also gives access to this and this" by going through a drop-down menu, each entry pulling a request for each particular item or family of items and visually reporting it (this can easily be done through an https form).
Much more granular control, challenge-response access, required verification for the user (which means more involved participation). You can even open a notification system to the OUTSIDE of EVE, kind of like on iPhone-style apps. -- Gavri'el
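The scoped-key and request/approve flow sketched in the post, modelled as an added example (not code from the post, the poster, or CCP's actual API). The scope names, the ApiKey class, the expiry bookkeeping and the "one-time key" token handling are assumptions made for the illustration.

```python
import secrets
from dataclasses import dataclass, field

# Constructed scope names (assumption; the post only names them informally).
SCOPES = {"bpo_ownership", "generic_info", "wallet", "employment_history"}


@dataclass
class ApiKey:
    """A key the owner created on the management page with a fixed set of scopes."""
    name: str
    scopes: set
    pending: dict = field(default_factory=dict)   # one-time token -> app name
    approved: dict = field(default_factory=dict)  # app name -> (scopes, expiry)

    def request_access(self, app_name):
        """Application side: register a request. The owner is then notified."""
        token = secrets.token_hex(8)              # the request's one-time key
        self.pending[token] = app_name
        return token

    def approve(self, token, granted, now, days):
        """Owner side: review who asked, pick scopes and a validity period."""
        app = self.pending[token]                 # unknown/replayed token -> KeyError
        if not granted <= self.scopes:
            raise ValueError(f"scope not on this key: {sorted(granted - self.scopes)}")
        del self.pending[token]                   # consumed: cannot be approved twice
        self.approved[app] = (set(granted), now + days * 86400)
        return app

    def query(self, app_name, scope, now):
        """API side: answer only an approved app, for a granted, unexpired scope.
        A third party who was handed the key is not in `approved` and must request."""
        entry = self.approved.get(app_name)
        if entry is None:
            raise PermissionError("no approved access: request access again")
        allowed, expiry = entry
        if now >= expiry:
            raise PermissionError("access expired")
        if scope not in allowed:
            raise PermissionError("scope not granted")
        return f"{scope} of {self.name}"

    def validate(self):
        """The validator tool: what each holder can currently see through this key."""
        return {app: sorted(allowed) for app, (allowed, _) in self.approved.items()}
```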